Hi DoD team,
Similarly to the previous CSRF that I've reported, I've found another CSRF in the same domain, but on the Account details option.
The CSRF issue allows me to modify the data of every victim that is targeted using the CSRF file, leading to account takeover simply by setting my email as the email of the victim: after logging out I can recover the password of the affected account using the attacker email that has replaced the victim's email.
Step-by-step Reproduction Instructions
(In the video the @ char is replaced with %40 (the URL-encoded version of the @ char), but this is due to a problem in the CSRF value; simply replacing %40 with @ in the CSRF value, the @ char appears.)
For account takeover now:
Use the Forgot password option, inserting the email that was used to replace the one of the victim.
Suggested Mitigation/Remediation Actions
Use CAPTCHAs and CSRF tokens to be sure that the victim is changing the data knowingly.
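The following is an added example, not code from the report or from the ShopCart application: a minimal account-details handler in two versions, the vulnerable one that trusts the session cookie alone, and a hardened one that applies the suggested CSRF-token fix (synchronizer token pattern) plus an Origin/Referer check. The session store, request object and origin https://shop.example are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> session record.
SESSIONS: dict = {}
SITE_ORIGIN = "https://shop.example"  # hypothetical origin of the shop


@dataclass
class Request:
    """Minimal stand-in for a framework request object."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def new_session(user: str, email: str) -> tuple:
    """Create a logged-in session; the CSRF token is per-session and unguessable."""
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": email, "csrf": token}
    return sid, token


def update_email_vulnerable(req: Request) -> int:
    """Vulnerable: only the session cookie is checked, and the browser attaches
    that cookie to a cross-site POST too, so a forged form changes the email."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    sess["email"] = req.form["email"]
    return 200


def update_email_hardened(req: Request) -> int:
    """Hardened: require the per-session CSRF token and an Origin/Referer that
    matches the site before touching account data."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403  # missing or wrong token: a cross-site page cannot read it
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403  # cross-site or absent origin
    sess["email"] = req.form["email"]
    return 200


def email_of(sid: str) -> str:
    return SESSIONS[sid]["email"]
```

With the hardened handler, the email change (and therefore the Forgot-password takeover that follows it) only succeeds for a request carrying the token that the legitimate page rendered.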
The ██████████████████ShopCart has a POST CSRF issue also in the account details, which can lead to account takeover by replacing the email of the victim with the email of the attacker and requesting a new password using the Forgot password option.