CSRF On Change Password

Paras Arora
Jun 5, 2020

I found a CSRF issue in the password change functionality of one of the private programs.

So, before this issue I had reported 3 bugs to the same program.

Let’s have a look at how I found this, although it was very easy.

Let’s consider the website as example.com.

So, I made two testing accounts on the portal (Test1 and Test2, both having different passwords).

Using Test1: I visited the password change option to change the password of my current account, just to capture the request in Burp and to see whether CSRF tokens or any other protection against CSRF were present.

https://www.example.com/en/uos/account/password

After visiting the password change option I noticed that the current password field was missing, which made me think of planning a CSRF, as it now appeared to be easy.

Then I entered the new password and confirm password and intercepted the Update request.

I generated a form from the above request to update the password of another account.

Test2: The form I had created using Test1 was on my machine; I opened that form in the browser where Test2 was logged in and then submitted the request.

It showed that the account was updated. For verification I logged out of the account and tried to log in with the old password, and it did not log in; then I tried the new password which I had set with the CSRF form, and it logged in.
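The two gaps that made this work (no anti-CSRF token on the request and no current password field) closed in a server-side handler. This is an added example, not code from the post or from the program; the function names, the dict-based session and the sample passwords are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt)}

def new_session(user: dict) -> dict:
    # Random per-session token, embedded as a hidden field in the site's own form.
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def change_password(session: dict, form: dict) -> tuple:
    """Handle a password-change POST; returns (HTTP status, message)."""
    # Gap 1: a form hosted elsewhere rides on the victim's cookie but cannot
    # read the session token, so it cannot supply a matching value.
    sent = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    # Gap 2: require the current password, which only the account owner knows.
    user = session["user"]
    supplied = hash_password(str(form.get("current_password", "")), user["salt"])
    if not hmac.compare_digest(supplied, user["pw_hash"]):
        return 403, "current password incorrect"
    new = form.get("new_password")
    if not new or new != form.get("confirm_password"):
        return 400, "new passwords do not match"
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(new, user["salt"])
    session["csrf_token"] = secrets.token_urlsafe(32)  # rotate after the change
    return 200, "password updated"

if __name__ == "__main__":
    session = new_session(make_user("old-password"))  # constructed: Test2 logged in
    forged = {"new_password": "changed-pw", "confirm_password": "changed-pw"}
    print(change_password(session, forged))  # the cross-site form from the post
    real = dict(forged, csrf_token=session["csrf_token"],
                current_password="old-password")
    print(change_password(session, real))    # the site's own form
```

Either check alone would have stopped the form described above; keeping both means a leaked token or a hijacked session still cannot change the password without knowing the old one.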

Thanks for giving it a quick read.


Social media: @parasarora06, Penetration Tester | Application Security