Let's suppose we know this website is vulnerable to CSRF: https://damn-vulnerable.com/
We know the endpoint to reset the password and email the new password to the user's email would be /settings/password?action=reset-password&mail-to=user@mail.com.
Then we can craft a link like this: https://damn-vulnerable.com/settings/password?action=reset-password&mail-to=evil-user@mail.com
And send this link to the user, perhaps through a fake support account or something similar, and we will get the new password sent to our email instead of the user's.
Or perhaps the link would look like: https://damn-vulnerable.com/email/change?email=user@mail.com
Then we can just change the link to: https://damn-vulnerable.com/email/change?email=evil-user@mail.com
And try to get the user to click on it, the same as in Reflected XSS.
-0xgh64/greyhound
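The root cause in both links above is the same: a state-changing action that runs on a plain GET and is authenticated only by the session cookie the browser attaches automatically. The following is an added example, not code from the original post, modelling that vulnerable handler next to a hardened one; the `Request` shape, the `SESSIONS` store, the `sess-victim` cookie value and the `https://attacker.example` origin are all constructed for illustration.

```python
"""Toy model of the GET-based /email/change CSRF described above, and of the
same action hardened with the standard defences. Added example; the Request
class, session store and sample values are constructed, not from the post."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)  # constructed; per-deployment secret

# Session store: cookie value -> account state (constructed sample data)
SESSIONS = {"sess-victim": {"user": "alice", "email": "user@mail.com"}}


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query string or form body
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). A third party who
    cannot read the victim's cookie or settings page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(header_value: str, own_origin: str) -> bool:
    """Compare scheme and host of an Origin/Referer value against our own,
    so a lookalike such as our-host.evil.example is not accepted."""
    a, b = urlsplit(header_value), urlsplit(own_origin)
    return a.netloc != "" and (a.scheme, a.netloc) == (b.scheme, b.netloc)


def handle_email_change_vulnerable(req: Request) -> str:
    """Mirrors the post: /email/change?email=... on GET, authenticated only by
    the ambient session cookie, which the browser sends on any navigation."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    session["email"] = req.params["email"]
    return "200 email changed"


def handle_email_change_hardened(req: Request,
                                 own_origin: str = "https://damn-vulnerable.com") -> str:
    """Same action with the checks that make a forged cross-site request fail."""
    session_id = req.cookies.get("session")
    session = SESSIONS.get(session_id)
    if session is None:
        return "401 not logged in"
    # 1. State changes only on POST; a link, <img> or redirect cannot issue one.
    if req.method != "POST":
        return "405 method not allowed"
    # 2. Origin (or Referer) must be our own site; a missing header is rejected.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin, own_origin):
        return "403 cross-site origin"
    # 3. The per-session token must be present, compared in constant time.
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(session_id), supplied):
        return "403 bad csrf token"
    session["email"] = req.params["email"]
    return "200 email changed"


def forged_request(method: str = "GET") -> Request:
    """What the victim's browser sends after following the crafted link:
    attacker-chosen parameters, the victim's cookie, a foreign Origin, no token."""
    return Request(method, "/email/change",
                   params={"email": "evil-user@mail.com"},
                   cookies={"session": "sess-victim"},
                   headers={"Origin": "https://attacker.example"})


def legitimate_request() -> Request:
    """Form submitted from the real settings page: same origin, carries token."""
    return Request("POST", "/email/change",
                   params={"email": "new@mail.com",
                           "csrf_token": csrf_token_for("sess-victim")},
                   cookies={"session": "sess-victim"},
                   headers={"Origin": "https://damn-vulnerable.com"})


if __name__ == "__main__":
    print(handle_email_change_vulnerable(forged_request()))      # 200 email changed
    SESSIONS["sess-victim"]["email"] = "user@mail.com"            # reset state
    print(handle_email_change_hardened(forged_request()))         # 405 method not allowed
    print(handle_email_change_hardened(forged_request("POST")))   # 403 cross-site origin
    print(handle_email_change_hardened(legitimate_request()))     # 200 email changed
```

Each of the three checks alone would stop the exact link in the post; they are layered because each has a known gap (Origin can be absent on some requests, POST alone is defeated by an auto-submitting form on a third-party page), and a `SameSite=Lax` or `Strict` attribute on the session cookie adds a fourth layer at the browser. The password-reset endpoint in the post should get the same treatment, plus the rule that a reset mail only ever goes to the address already on the account, never to one supplied in the request.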