FS#243 : Csrf where token is not tied to user session

Status Closed
Assigned To

cbay
Private

Attached to Project: Security vulnerabilities
Opened by pentester - 25.11.2025
Last edited by cbay - 26.11.2025

FS#243 - Csrf where token is not tied to user session

vulnerability name : csrf where attacker can use unused token to access victim account

description: attacker can use same csrf token to login into an account that might take account takeover vulnerability

step to reproduced:
1.make two account with different email
2.intercept one mail account and copy its csrf token and drop the response
3. change that token with another account and login with 2nd account

for furthur info please see the poc

Thank you
Anant

application/octet-stream; charset=binary

2025-11-25 18-30-24.mp4 (55.25 MiB)

Closed by cbay
26.11.2025 14:44
Reason for closing: Duplicate
Additional comments about closing:

https://security.alwaysda ta.com/task/205

Comments (0)
Related Tasks (0/0)

	Tasks related to this task (0)

Loading...

Keyboard shortcuts

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task