TOPCSRF.md

File metadata and controls

446 lines (445 loc) · 56.7 KB

Top CSRF reports from HackerOne:

  1. CSRF on connecting Paypal as Payment Provider to Shopify - 289 upvotes, $500
  2. Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $0
  3. Periscope android app deeplink leads to CSRF in follow action to Twitter - 206 upvotes, $0
  4. Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100
  5. Site wide CSRF affecting both job seeker and Employer account on glassdoor.com to Glassdoor - 154 upvotes, $0
  6. CSRF leads to a stored self xss to Imgur - 141 upvotes, $0
  7. CSRF protection bypass in GitHub Enterprise management console to GitHub - 138 upvotes, $10000
  8. Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone to HackerOne - 138 upvotes, $0
  9. Slack integration setup lacks CSRF protection to HackerOne - 135 upvotes, $2500
  10. Lack of CSRF header validation at https://g-mail.grammarly.com/profile to Grammarly - 131 upvotes, $0
  11. CSRF token validation system is disabled on Stripe Dashboard to Stripe - 105 upvotes, $2500
  12. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
  13. CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ to Rockstar Games - 99 upvotes, $0
  14. CSRF to HTML Injection in Comments to WordPress - 94 upvotes, $0
  15. One Click Account takeover using OAuth CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com to Logitech - 86 upvotes, $200
  16. Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account to Discourse - 82 upvotes, $0
  17. CSRF in Account Deletion feature (https://www.flickr.com/account/delete) to Flickr - 82 upvotes, $0
  18. CSRF Account Takeover to TikTok - 81 upvotes, $0
  19. CSRF token validation system is disabled on Stripe Dashboard to Stripe - 80 upvotes, $2500
  20. [CRITICAL] Full account takeover using CSRF to Twitter - 79 upvotes, $0
  21. CSRF protection on OIDC login is broken to Nextcloud - 70 upvotes, $500
  22. Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome to Starbucks - 70 upvotes, $0
  23. Login CSRF vulnerability on hackerone.com to HackerOne - 69 upvotes, $500
  24. CSRF on /api/graphql allows executing mutations through GET requests to GitLab - 67 upvotes, $3370
  25. CSRF protection bypass on any Django powered site via Google Analytics to Django - 67 upvotes, $0
  26. CSRF on Periscope Web OAuth authorization endpoint to Twitter - 66 upvotes, $2520
  27. Delete any user's added Email,Telephone,Fax,Address,Skype via csrf in (https://academy.acronis.com/) to Acronis - 66 upvotes, $0
  28. CSRF protection bypass on TikTok Webcast Endpoints to TikTok - 62 upvotes, $2500
  29. CSRF to change password to Nord Security - 60 upvotes, $0
  30. [Admin Panel] CSRF to resume/pause runner to GitLab - 57 upvotes, $500
  31. CSRF Trial 14 days express subscription to Instacart - 55 upvotes, $0
  32. Periscope iOS app CSRF in follow action due to deeplink to Twitter - 52 upvotes, $2940
  33. CSRF combined with IDOR within Document Converter exposes files to Open-Xchange - 52 upvotes, $500
  34. CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $256
  35. apps.shopify.com - CSRF token leakage through Google Analytics to Shopify - 47 upvotes, $0
  36. Cross-site request forgery vulnerability resulting in the deletion of a user's account. to ██████ - 43 upvotes, $0
  37. Login CSRF : Login Authentication Flaw on https://liberapay.com/ to Liberapay - 43 upvotes, $0
  38. [CRITICAL] Full account takeover using CSRF to Bumble - 42 upvotes, $0
  39. (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation to HackerOne - 41 upvotes, $0
  40. CSRF in changing users donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings] to Logitech - 40 upvotes, $0
  41. Account takeover through CSRF in http://███████/██████████/default.asp to U.S. Dept Of Defense - 39 upvotes, $0
  42. Authentication token and CSRF token bypass to Enjin - 38 upvotes, $300
  43. CSRF on api.my.games due to improper validation of token allows an attacker to delete other users notifications to Mail.ru - 38 upvotes, $100
  44. Path traversal leading to limited CSRF on GET requests on two endpoints to HackerOne - 38 upvotes, $0
  45. CSRF on cards API to Twitter - 37 upvotes, $280
  46. CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS to Chaturbate - 37 upvotes, $0
  47. CSRF Vulnerability at https://aw.my.com/ to Mail.ru - 37 upvotes, $0
  48. CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' to Rockstar Games - 36 upvotes, $0
  49. CSRF To Add New App In Developer Account And Bypassing Json Format to TikTok - 35 upvotes, $200
  50. CSRF on https://www.niche.co leads to "account disconnection" to Twitter - 35 upvotes, $0
  51. Web cache poisoning leads to disclosure of CSRF token and sensitive information to Smule - 35 upvotes, $0
  52. HackerOne reports escalation to JIRA is CSRF vulnerable to HackerOne - 34 upvotes, $500
  53. Disable 2FA via CSRF (Leads to 2FA Bypass) to Mail.ru - 34 upvotes, $0
  54. CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit ! to Reddit - 33 upvotes, $500
  55. CSRF leads to account deactivation of users to Evernote - 33 upvotes, $300
  56. Exfiltrate GDrive access token using CSRF to Dropbox - 32 upvotes, $1728
  57. Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host to GSA Bounty - 32 upvotes, $0
  58. Timing attack towards endpoints on the web without CSRF to HackerOne - 32 upvotes, $0
  59. Firmware download/install vulnerable to CSRF to Ubiquiti Inc. - 32 upvotes, $0
  60. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
  61. CSRF on launchpad.37signals.com OAuth2 authorization endpoint to Basecamp - 32 upvotes, $0
  62. Cross-Site Request Forgery (CSRF) to Instacart - 31 upvotes, $0
  63. Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg] to Unikrn - 31 upvotes, $0
  64. gifts.flocktory.com/phpmyadmin is vulnerable to CSRF to QIWI - 31 upvotes, $0
  65. Self-Stored XSS - Chained with login/logout CSRF to Zomato - 30 upvotes, $300
  66. CSRF at [Apply to this program] that leads to submitting your request automatically without any validation to HackerOne - 30 upvotes, $0
  67. Site-wide CSRF at Atavist to Automattic - 30 upvotes, $0
  68. Account takeover just through csrf in https://booking.qiwi.kz/profile to QIWI - 30 upvotes, $0
  69. Account takeover through multistage CSRF at https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer and ../AutoChoice/changePwOktaAnswer to U.S. General Services Administration - 30 upvotes, $0
  70. Site-wide CSRF on eats.uber.com to Uber - 29 upvotes, $6000
  71. CSRF On Connect Account With Github Lead To Account Takeover to Vercel - 29 upvotes, $0
  72. Authentication CSRF resulting in unauthorized account access on Krisp app to Krisp - 29 upvotes, $0
  73. CSRF on uploading audio recordings to VK.com - 28 upvotes, $100
  74. OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing to Vimeo - 28 upvotes, $0
  75. CSRF in Changing User Verification Email to TikTok - 27 upvotes, $500
  76. Site-wide CSRF on Safari due to CORS misconfiguration (not localhost) to CS Money - 27 upvotes, $300
  77. JSON CSRF on POST Heartbeats API to WakaTime - 27 upvotes, $0
  78. CSRF Vulnerability allows attackers to steal SocialClub private token. to Rockstar Games - 27 upvotes, $0
  79. CSRF vulnerability that allows an attacker to modify encryption settings to Nextcloud - 27 upvotes, $0
  80. [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status to Shopify - 27 upvotes, $0
  81. CSRF in AppSearch allows creation of "curations" to Elastic - 27 upvotes, $0
  82. Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage to Shopify - 26 upvotes, $800
  83. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 26 upvotes, $0
  84. Norway - store.starbucks.no - CSRF on email change to Starbucks - 26 upvotes, $0
  85. CSRF + XSS leads to ATO to Mail.ru - 26 upvotes, $0
  86. CSRF on draft message creation in tel.mail.ru to Mail.ru - 25 upvotes, $250
  87. TikTok Session Donation CSRF via QR code login to TikTok - 25 upvotes, $111
  88. [www.drive2.ru] CSRF through FCTX token bypass to DRIVE.NET, Inc. - 25 upvotes, $0
  89. CSRF Vulnerability on post creation page /community/create-post.json to Rockstar Games - 25 upvotes, $0
  90. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 25 upvotes, $0
  91. CSRF at https://chatstory.pixiv.net/imported to pixiv - 24 upvotes, $500
  92. Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities to Uber - 24 upvotes, $500
  93. FileUpload Plugin: CSRF (delete all attached files) to Vanilla - 24 upvotes, $300
  94. CSRF with logout action to Weblate - 24 upvotes, $0
  95. CSRF and probable account takeover on https://www.niche.co to Twitter - 23 upvotes, $0
  96. CSRF Account Deletion on ███ Website to U.S. Dept Of Defense - 23 upvotes, $0
  97. CSRF in github integration to Slack - 22 upvotes, $500
  98. Cross-Site Request Forgery (CSRF) to Harvest - 22 upvotes, $0
  99. Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) to Starbucks - 22 upvotes, $0
  100. H1514 CSRF in Domain transfer allows adding your domain to other user's account to Shopify - 22 upvotes, $0
  101. CSRF to set one's own email address on an account. to VK.com - 22 upvotes, $0
  102. CSRF on TikTok Ads Portal to TikTok - 21 upvotes, $1000
  103. UniFi Video Server web interface Configuration Restore CSRF leading to full application compromise to Ubiquiti Inc. - 21 upvotes, $0
  104. User In The Same Center Can Create CSRF To Change The Information About Business to TikTok - 20 upvotes, $147
  105. Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth to WordPress - 20 upvotes, $0
  106. CSRF - Close Account to U.S. Dept Of Defense - 20 upvotes, $0
  107. Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites to Starbucks - 19 upvotes, $0
  108. CSRF in Raffles Ticket Purchasing to Unikrn - 19 upvotes, $0
  109. Arbitrary change of blog's background image via CSRF to WordPress - 19 upvotes, $0
  110. CSRF in changing password after using reset password link to OpenMage - 19 upvotes, $0
  111. CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link to Nextcloud - 19 upvotes, $0
  112. CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login to TikTok - 19 upvotes, $0
  113. Shared CSRF token for community messages, or how to frame a fellow editor to VK.com - 18 upvotes, $300
  114. [tumblr.com] CSRF in /svc/user/filtered_content to Automattic - 18 upvotes, $0
  115. Self stored Xss + Login Csrf to U.S. Dept Of Defense - 18 upvotes, $0
  116. [CSRF] No Csrf protection against sending invitation to join the team. to Lark Technologies - 18 upvotes, $0
  117. SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi) to LocalTapiola - 17 upvotes, $1350
  118. CSRF Check whether a user is an admin of a group. to VK.com - 17 upvotes, $100
  119. Possible CSRF during joining report as participant to HackerOne - 17 upvotes, $0
  120. CSRF log victim into the attacker account to Unikrn - 17 upvotes, $0
  121. CSRF in attach phone API endpoint on delivery-club.ru to Mail.ru - 17 upvotes, $0
  122. Self XSS combine CSRF at https://████████/index.php to U.S. Dept Of Defense - 17 upvotes, $0
  123. CSRF allows attacker to delete item from customer's "Postilaatikko" to LocalTapiola - 16 upvotes, $500
  124. Checking whether an email and phone number belong to a specific user / CSRF to change the phone number for some users to VK.com - 16 upvotes, $300
  125. CSRF - Adding unlimited number of saved items via GET request to Lyst - 16 upvotes, $150
  126. CSRF login to HackerOne - 16 upvotes, $100
  127. CSRF Add user templates to Mavenlink - 16 upvotes, $0
  128. CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction to Snapchat - 15 upvotes, $250
  129. Mobile Reflect XSS / CSRF at Advertisement Section on Search page to Pornhub - 15 upvotes, $200
  130. Twitter Disconnect CSRF to Shopify - 15 upvotes, $0
  131. [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info' to Mail.ru - 15 upvotes, $0
  132. CSRF token fixation in Sign in with Google to Harvest - 15 upvotes, $0
  133. CSRF to add admin [wordpress] to WordPress - 15 upvotes, $0
  134. https://fundl.qiwi.com CSRF on SMS confirmation to QIWI - 15 upvotes, $0
  135. Missing CSRF key on the Private Profile function. to ok.ru - 15 upvotes, $0
  136. CSRF allows to test email forwarding to HackerOne - 15 upvotes, $0
  137. CSRF Bypassed on Logout Endpoint to Enjin - 15 upvotes, $0
  138. Posting to Twitter CSRF on php/post_twitter_authenticate.php to Zomato - 14 upvotes, $50
  139. CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public to Vimeo - 14 upvotes, $0
  140. CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection to Ubiquiti Inc. - 14 upvotes, $0
  141. CSRF on change video thumbnail at https://chaturbate.com to Chaturbate - 14 upvotes, $0
  142. csrf bypass using flash file + 307 redirect method at plugins endpoint to Stripo Inc - 14 upvotes, $0
  143. CSRF to account takeover in https://███████.mil/ to U.S. Dept Of Defense - 14 upvotes, $0
  144. CSRF for deleting videos to TikTok - 14 upvotes, $0
  145. CSRF in https://███ to U.S. Dept Of Defense - 14 upvotes, $0
  146. Cross-Site Request Forgery (CSRF) to xss to MTN Group - 14 upvotes, $0
  147. CSRF on calendar.mail.ru to Mail.ru - 13 upvotes, $250
  148. CSRF on lootdog.io to Mail.ru - 13 upvotes, $100
  149. Bypassing CSRF Token On Reply Message & Send Message to Reverb.com - 13 upvotes, $0
  150. CSRF on liking a review (Pandao) to Mail.ru - 13 upvotes, $0
  151. CSRF on developer.zendesk.com via Cache Deception to Zendesk - 13 upvotes, $0
  152. CSRF to Stored HTML injection at https://www.█████ to U.S. Dept Of Defense - 13 upvotes, $0
  153. [https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks to Mail.ru - 13 upvotes, $0
  154. CSRF in Importing CSV files [app.taxjar.com] to Stripe - 13 upvotes, $0
  155. CSRF in m.vk.com to VK.com - 12 upvotes, $100
  156. CSRF in widgets to VK.com - 12 upvotes, $100
  157. CSRF possible when SOP Bypass/UXSS is available to LocalTapiola - 12 upvotes, $50
  158. CSRF on signup endpoint (auto-api.yelp.com) to Yelp - 12 upvotes, $0
  159. Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl to Radancy - 12 upvotes, $0
  160. Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300 to Ubiquiti Inc. - 12 upvotes, $0
  161. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 12 upvotes, $0
  162. Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information to Mail.ru - 12 upvotes, $0
  163. Widespread CSRF on authenticated POST endpoints to UPchieve - 12 upvotes, $0
  164. CSRF possible when SOP Bypass/UXSS is available to HackerOne - 11 upvotes, $2500
  165. Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF to Uber - 11 upvotes, $500
  166. CSRF to reset the stream key. to VK.com - 11 upvotes, $100
  167. CSRF Add a view to a post without the user's knowledge. to VK.com - 11 upvotes, $100
  168. CSRF to purchase an item https://lootdog.io/ to Mail.ru - 11 upvotes, $100
  169. Possible CSRF during external programs to HackerOne - 11 upvotes, $0
  170. CSRF in Udemy.com to Udemy - 11 upvotes, $0
  171. CSRF- delete all empty server policy to New Relic - 11 upvotes, $0
  172. CSRF: add item to victim's cart automatically (starbucks.com - updatecart) to Starbucks - 11 upvotes, $0
  173. Paragonie Airship Admin CSRF on Extensions Pages to Paragon Initiative Enterprises - 11 upvotes, $0
  174. CSRF - Modify Project Settings to Stripo Inc - 11 upvotes, $0
  175. CSRF to ATO at https://█████/user/account [HtUS] to U.S. Dept Of Defense - 10 upvotes, $500
  176. login csrf in analytics.mopub.com to Twitter - 10 upvotes, $280
  177. Found CSRF Vulnerability in https://support.rockstargames.com/ to Rockstar Games - 10 upvotes, $150
  178. CSRF logs the victim into attacker's account to Unikrn - 10 upvotes, $100
  179. CSRF in adding phrase. to Localize - 10 upvotes, $0
  180. CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) to Starbucks - 10 upvotes, $0
  181. CSRF to submit a question on [games.mail.ru] to Mail.ru - 10 upvotes, $0
  182. CSRF - Modify Company Info to U.S. Dept Of Defense - 10 upvotes, $0
  183. The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking. to Zomato - 10 upvotes, $0
  184. No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address to Stripo Inc - 10 upvotes, $0
  185. Add tweet to collection CSRF to Twitter - 9 upvotes, $560
  186. CSRF in obtaining backup tokens + framing, leading to 2FA compromise to VK.com - 9 upvotes, $500
  187. [chaturbate.com] - CSRF Vulnerability on image upload to Chaturbate - 9 upvotes, $300
  188. CSRF in REPORT EMOTICON feature to Chaturbate - 9 upvotes, $250
  189. CSRF to edit the cards in a group's post to VK.com - 9 upvotes, $100
  190. CSRF to list an item for sale to Mail.ru - 9 upvotes, $100
  191. Cross Site Request Forgery (CSRF) to Mail.ru - 9 upvotes, $0
  192. CSRF Full Account Takeover to Concrete CMS - 9 upvotes, $0
  193. Twitter Disconnect CSRF to Zomato - 9 upvotes, $0
  194. CSRF Send a message at street-combats.mail.ru to Mail.ru - 9 upvotes, $0
  195. Account Takeover using Third party Auth CSRF to Weblate - 9 upvotes, $0
  196. CSRF to Mixmax - 9 upvotes, $0
  197. Login CSRF : Login Authentication Flaw to Weblate - 9 upvotes, $0
  198. CSRF in Report Lost or Stolen Page https://www.starbucks.com/account/card to Starbucks - 9 upvotes, $0
  199. CSRF Full Account Takeover - https://redtube.com/settings to Pornhub - 9 upvotes, $0
  200. vulnerable to Cross-site Request Forgery | Jira to MariaDB - 9 upvotes, $0
  201. CSRF | Ban or unban users in broadcast's chat to Valve - 9 upvotes, $0
  202. Missing CSRF Token On Remove Coupon From Cart to Starbucks - 9 upvotes, $0
  203. CSRF vulnerability allows taking out an interest-free loan on behalf of a cfire.mail.ru user to Mail.ru - 9 upvotes, $0
  204. csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json to Rockstar Games - 9 upvotes, $0
  205. CSRF Based XSS @ https://██████████ to U.S. Dept Of Defense - 9 upvotes, $0
  206. CSRF - Delete Account (Urgent) to U.S. Dept Of Defense - 9 upvotes, $0
  207. CSRF Delete chat invitation link. to Mail.ru - 8 upvotes, $100
  208. CSRF To change Email Notification Settings to Instacart - 8 upvotes, $50
  209. CSRF in the "Add restaurant picture" function to Zomato - 8 upvotes, $50
  210. CSRF in login form would lead to account takeover to Ubiquiti Inc. - 8 upvotes, $0
  211. CSRF in account configuration leads to complete account compromise to OLX - 8 upvotes, $0
  212. account.ubnt.com CSRF to Ubiquiti Inc. - 8 upvotes, $0
  213. CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) to Starbucks - 8 upvotes, $0
  214. CSRF to change Account Security Keys on secure.login.gov to GSA Bounty - 8 upvotes, $0
  215. CSRF in twitterflightschool.com ( CAN POST ON TIMELINE WITHOUT USER PERMISSION) to Twitter - 8 upvotes, $0
  216. CSRF token fixation and potential account takeover to Khan Academy - 8 upvotes, $0
  217. Application Vulnerable to CSRF - Remove Invited user to Infogram - 8 upvotes, $0
  218. csrf token did not changed after login/logout many times to Liberapay - 8 upvotes, $0
  219. Missing CSRF Token On Add Coupon To Basket to Starbucks - 8 upvotes, $0
  220. Authenticated Cross-Site-Request-Forgery to Semmle - 8 upvotes, $0
  221. CSRF on https://market.my.games to Mail.ru - 8 upvotes, $0
  222. RCE in AirOS 6.2.0 Devices with CSRF bypass to Ubiquiti Inc. - 8 upvotes, $0
  223. Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN to Stripo Inc - 8 upvotes, $0
  224. Stored unauth XSS in calendar event via CSRF to Concrete CMS - 8 upvotes, $0
  225. Limited CSRF bypass. to HackerOne - 7 upvotes, $500
  226. Missing of csrf protection to Shopify - 7 upvotes, $500
  227. CSRF on "guest catching" and disclosure of an audio broadcast in a private group to VK.com - 7 upvotes, $100
  228. Private Project Access Request Invitation Sent Via CSRF to Localize - 7 upvotes, $0
  229. [CRITICAL] CSRF leading to account take over to drchrono - 7 upvotes, $0
  230. CSRF vulnerability that allows an attacker to purge plugin metric data to New Relic - 7 upvotes, $0
  231. CSRF bypass + XSS on verkkopalvelu.tapiola.fi to LocalTapiola - 7 upvotes, $0
  232. CSRF to Connect third party Account to Weblate - 7 upvotes, $0
  233. CSRF For Adding Users to New Relic - 7 upvotes, $0
  234. [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network to Shopify - 7 upvotes, $0
  235. Imperfect CSRF To Overwrite Server Config at /go/admin/restful/configuration/file/POST/xml to GoCD - 7 upvotes, $0
  236. CSRF on image upload on Pandao to Mail.ru - 7 upvotes, $0
  237. CSRF on /subscription_manage.php endpoint at allods.mail.ru to Mail.ru - 7 upvotes, $0
  238. CSRF to account takeover in https://█████/ to U.S. Dept Of Defense - 7 upvotes, $0
  239. CSRF on delete friend requests - Not protected with CSRF Token to XVIDEOS - 7 upvotes, $0
  240. CSRF to delete accounts [HtUS] to U.S. Dept Of Defense - 7 upvotes, $0
  241. CSRF in cancel group and private show requests to Chaturbate - 6 upvotes, $300
  242. CSRF in "send them an email and browser notification" feature to Chaturbate - 6 upvotes, $150
  243. CSRF @ configuration to Files.com - 6 upvotes, $100
  244. Full account takeover using CSRF and password reset to IRCCloud - 6 upvotes, $0
  245. Sign-up Form CSRF to Localize - 6 upvotes, $0
  246. Security Issue : CSRF Token Design Flaw to drchrono - 6 upvotes, $0
  247. CSRF to Legal Robot - 6 upvotes, $0
  248. CSRF - Delete all empty application policy to New Relic - 6 upvotes, $0
  249. CSRF Token Bypass in Account Deletion to GitLab - 6 upvotes, $0
  250. CSRF in delete advertisement on olx.com.eg to OLX - 6 upvotes, $0
  251. Logout CSRF to Weblate - 6 upvotes, $0
  252. CSRF : Reset API to Weblate - 6 upvotes, $0
  253. CSRF bug to Bumble - 6 upvotes, $0
  254. WordPress core - Denial of Service via Cross Site Request Forgery to WordPress - 6 upvotes, $0
  255. CSRF to create a poll on behalf of a user, knowing the application id. + minor message flooding on the wall to VK.com - 6 upvotes, $0
  256. Account takeover due to CSRF in "Account details" option on █████████ to U.S. Dept Of Defense - 6 upvotes, $0
  257. CSRF when entering a promo code on Pandao to Mail.ru - 6 upvotes, $0
  258. Issue:Form does not contain an anti-CSRF token to Phabricator - 6 upvotes, $0
  259. Cross Site Request Forgery in auth in https://auth.ratelimited.me/ to RATELIMITED - 6 upvotes, $0
  260. ███████mill is vulnerable to cross site request forgery that leads to full account take over. to U.S. Dept Of Defense - 6 upvotes, $0
  261. Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover to Automattic - 6 upvotes, $0
  262. Data-Tags and the New HTML Sanitizer Subverts CSRF protection to Ruby on Rails - 5 upvotes, $2000
  263. CSRF - Add optional two factor mobile number to Slack - 5 upvotes, $500
  264. Critical : Account removing using CSRF attack to WePay - 5 upvotes, $350
  265. The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack to LocalTapiola - 5 upvotes, $300
  266. CSRF Attack on (m.badoo.com)deleting account and erasing imported contacts to Bumble - 5 upvotes, $280
  267. CSRF. Deleting the address book, adding contacts to Mail.ru - 5 upvotes, $250
  268. CSRF bypass on Submit Time sheet for Approval to Harvest - 5 upvotes, $150
  269. CSRF token leakage to Enter - 5 upvotes, $0
  270. Stealing CSRF Tokens to Keybase - 5 upvotes, $0
  271. [CRITICAL] CSRF leading to account take over to Zendesk - 5 upvotes, $0
  272. Unauthenticated CSRF(User can input any value for CSRF Token) to Veris - 5 upvotes, $0
  273. Create Multiple Account Using Similar X-CSRF token to Coinbase - 5 upvotes, $0
  274. CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER to Zomato - 5 upvotes, $0
  275. CSRF in Cloudflare login to Cloudflare Vulnerability Disclosure - 5 upvotes, $0
  276. Cross-site request forgery vulnerability on a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
  277. CSRF To Like/Unlike Photos to Zomato - 5 upvotes, $0
  278. Csrf in watch-unwatch projects to Weblate - 5 upvotes, $0
  279. CSRF on biz.mail.ru to Mail.ru - 5 upvotes, $0
  280. Request vulnerable to CSRF to Phabricator - 5 upvotes, $0
  281. CSRF in Profile Fields allows deleting any field in BuddyPress to WordPress - 5 upvotes, $0
  282. relap.io CSRF bypass on adding domain to use relap widgets to Mail.ru - 5 upvotes, $0
  283. CSRF at adding new role (user-management.service.newrelic.com) to New Relic - 5 upvotes, $0
  284. CSRF in updating username https://pw.mail.ru/ to Mail.ru - 5 upvotes, $0
  285. Account Takeover and Information update due to cross site request forgery via POST █████████/registration/my-account.cfm to U.S. Dept Of Defense - 5 upvotes, $0
  286. CodeQL query for finding CSRF vulnerabilities in Spring applications to GitHub Security Lab - 4 upvotes, $1800
  287. Leaking CSRF token over HTTP resulting in CSRF protection bypass to Coinbase - 4 upvotes, $1000
  288. Login CSRF using Twitter OAuth to Phabricator - 4 upvotes, $300
  289. Login CSRF can be bypassed (Similar approach to previous one). to IRCCloud - 4 upvotes, $100
  290. CSRF AT SUBSCRIBE TO LIST to Paragon Initiative Enterprises - 4 upvotes, $0
  291. The 'Create a New Account' action is vulnerable to CSRF to Coinbase - 4 upvotes, $0
  292. CSRF in changing settings of Basic Google Maps Placemarks to Ian Dunn - 4 upvotes, $0
  293. [allods.mail.ru] Cross-Site Request Forgery (Add-Item) to Mail.ru - 4 upvotes, $0
  294. CSRF : Lock and Unlock Translation to Weblate - 4 upvotes, $0
  295. CSRF bypass ( Delete Source Translation From dictionaries ) in demo.weblate.org to Weblate - 4 upvotes, $0
  296. Cross-site request forgery (CSRF) vulnerability in a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
  297. csrf blogs.starbucks.com to Starbucks - 4 upvotes, $0
  298. Add movie or series CSRF to delight.im - 4 upvotes, $0
  299. CSRF-Token leak by request forgery to GitLab - 4 upvotes, $0
  300. CSRF in generating a new Personal Key to GSA Bounty - 4 upvotes, $0
  301. CSRF to make any user accept the invitation to the team to Liberapay - 4 upvotes, $0
  302. CSRF to remove an item from the cart to Mail.ru - 4 upvotes, $0
  303. CSRF on https://apps.topcoder.com/wiki/users general and email preferences to Topcoder - 4 upvotes, $0
  304. [express-cart] Wide CSRF in application to Node.js third-party modules - 4 upvotes, $0
  305. CSRF at acknowledging an incident to New Relic - 4 upvotes, $0
  306. Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile] to Weblate - 4 upvotes, $0
  307. CSRF on https://apps.topcoder.com/wiki/pages/doattachfile.action to Topcoder - 4 upvotes, $0
  308. Self XSS + CSRF Leads to Reflected XSS in https://████/ to U.S. Dept Of Defense - 4 upvotes, $0
  309. csrf to Slack - 3 upvotes, $0
  310. Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login to RelateIQ - 3 upvotes, $0
  311. Unwanted Spamming Using CSRF [LOGGED IN USER] to IRCCloud - 3 upvotes, $0
  312. Login CSRF in Secret.ly to Secret - 3 upvotes, $0
  313. CSRF to Account Take Over Bug to IRCCloud - 3 upvotes, $0
  314. Resubmitted with POC #18685 Password reset CSRF to RelateIQ - 3 upvotes, $0
  315. Notifications can mark as read by CSRF to Twitter - 3 upvotes, $0
  316. [mobile.twitter.com / twitter.com] CSRF protection bypass to Twitter - 3 upvotes, $0
  317. Internal GET SSRF via CSRF with Press This scan feature to Automattic - 3 upvotes, $0
  318. CSRF AT SELECTING ZAMATO HANDLE to Zomato - 3 upvotes, $0
  319. CSRF on eng.uber.com may lead to server-side compromise to Uber - 3 upvotes, $0
  320. Akismet Several CSRF vulnerabilities to Automattic - 3 upvotes, $0
  321. Newsroom.uber HTML form without CSRF protection to Uber - 3 upvotes, $0
  322. No CSRF validation on Account Monitors in Synthetics Block to New Relic - 3 upvotes, $0
  323. The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
  324. Login CSRF vulnerability to New Relic - 3 upvotes, $0
  325. CSRF csrftoken in cookies to Gratipay - 3 upvotes, $0
  326. Csrf on creating course to Udemy - 3 upvotes, $0
  327. CSRF - Changing the full name / adding a secondary email identity of an account via a GET request to Weblate - 3 upvotes, $0
  328. Cross-site request forgery (CSRF) vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
  329. CSRF token is not validated during blog comment to Paragon Initiative Enterprises - 3 upvotes, $0
  330. Same CSRF token is being used for deleting other platform login’s within an account and across other liberapay Account’s to Liberapay - 3 upvotes, $0
  331. CSRF ON EDITING NAME (OPTIONAL) to Liberapay - 3 upvotes, $0
  332. CSRF token manipulation in every possible form submits. NO server side Validation to Liberapay - 3 upvotes, $0
  333. Missing CSRF Protection in /stats EndPoint. to Chaturbate - 3 upvotes, $0
  334. XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique to Stripo Inc - 3 upvotes, $0
  335. CSRF on https://apps.topcoder.com/wiki/users/editmyprofile.action to Topcoder - 3 upvotes, $0
  336. Cross-Site Request Forgery (CSRF) in my.games API to Mail.ru - 3 upvotes, $0
  337. Cross-Site Request Forgery (CSRF) in comment update - api.my.games to Mail.ru - 3 upvotes, $0
  338. CSRF on comment post to WordPress - 3 upvotes, $0
  339. tracker.my.com information disclosure via csrf bypass to Mail.ru - 3 upvotes, $0
  340. Authenticity token doesn't expire after single use leading to CSRF to Omise - 3 upvotes, $0
  341. CSRF on https://apps.topcoder.com/wiki/users/editmyprofilepicture.action to Topcoder - 3 upvotes, $0
  342. CSRF in Demographic Settings with valid gdtoken of other account to Glassdoor - 3 upvotes, $0
  343. CSRF token fixation in facebook store app that can lead to adding attacker to victim acc to Shopify - 2 upvotes, $500
  344. CSRF on https://shopify.com/plus to Shopify - 2 upvotes, $500
  345. Sign up CSRF to IRCCloud - 2 upvotes, $100
  346. CSRF on "Set as primary" option on the accounts page to Coinbase - 2 upvotes, $100
  347. Marking notifications as read CSRF bug to HackerOne - 2 upvotes, $100
  348. The csrf token remains same after user logs in to Enter - 2 upvotes, $50
  349. User Account Creation CSRF to IRCCloud - 2 upvotes, $0
  350. Login CSRF using Twitter oauth to Factlink - 2 upvotes, $0
  351. logout csrf app.simplenote.com/logout to Automattic - 2 upvotes, $0
  352. HTML form without CSRF protection to Automattic - 2 upvotes, $0
  353. CSRF vulnerability on https://sehacure.slack.com/account/settings to Slack - 2 upvotes, $0
  354. csrf on password change functionality to Cloudflare Vulnerability Disclosure - 2 upvotes, $0
  355. The product/status method CSRF to DigitalSellz - 2 upvotes, $0
  356. CSRF in apps.owncloud.com to ownCloud - 2 upvotes, $0
  357. Bypass of CSRF protection in m.ok.ru to ok.ru - 2 upvotes, $0
  358. Using GET method for account login with CSRF token leaking to external sites Via Referer. to Zaption - 2 upvotes, $0
  359. [HIGH RISK] CSRF could potentially delete a zendesk subdomain. to Zendesk - 2 upvotes, $0
  360. don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
  361. Lost Password CSRF to Nextcloud - 2 upvotes, $0
  362. Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 to Concrete CMS - 2 upvotes, $0
  363. Full path disclosure when CSRF validation failed to Paragon Initiative Enterprises - 2 upvotes, $0
  364. Full Path Disclosure by removing CSRF token to Paragon Initiative Enterprises - 2 upvotes, $0
  365. CSRF with redeem coupon request to Instacart - 2 upvotes, $0
  366. CSRF Add Album On onpatient.com to drchrono - 2 upvotes, $0
  367. CSRF token validation is missing to Nextcloud - 2 upvotes, $0
  368. Logout CSRF to delight.im - 2 upvotes, $0
  369. Login Cross Site Request Forgery to Infogram - 2 upvotes, $0
  370. CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 2 upvotes, $0
  371. CSRF header is sent to external websites when using data-remote forms to Ruby on Rails - 2 upvotes, $0
  372. CSRF Vulnerability on Facebook Linkage Page Allows Full Account Takeover of Socialclub Accounts. to Rockstar Games - 2 upvotes, $0
  373. Logout page does not prevent CSRF to Courier - 2 upvotes, $0
  374. If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposur to Yelp - 2 upvotes, $0
  375. rails-ujs will send CSRF tokens to other origins to Ruby on Rails - 1 upvotes, $1000
  376. CSRF in Connecting Pinterest Account to Shopify - 1 upvotes, $500
  377. CSRF on email address operations. Also performing unintended operations. to WePay - 1 upvotes, $150
  378. CSRF on add comment section to Slack - 1 upvotes, $0
  379. HTML Form Without CSRF protection to Localize - 1 upvotes, $0
  380. No Cross-Site Request Forgery protection at multiple locations to Localize - 1 upvotes, $0
  381. Group Deletion Via CSRF to Localize - 1 upvotes, $0
  382. Group Creation Via CSRF to Localize - 1 upvotes, $0
  383. Private Project Access Request Accepted Via CSRF to Localize - 1 upvotes, $0
  384. CSRF - Adding/Removing items to cart - shop.khanacademy.org to Khan Academy - 1 upvotes, $0
  385. Projects Watch or Notifications Settings Change Via CSRF to Localize - 1 upvotes, $0
  386. Sign up CSRF to Factlink - 1 upvotes, $0
  387. CSRF token valid even after the session logout of a particular user to Phabricator - 1 upvotes, $0
  388. CSRF and No password requirement in this URL Billing Info to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
  389. CSRF - Disabling orders at https://panel.stopthehacker.com/manage/disable-order/order/ID to StopTheHacker - 1 upvotes, $0
  390. CSRF & Nonce Token Weak Implementation to WePay - 1 upvotes, $0
  391. Login CSRF to Mavenlink - 1 upvotes, $0
  392. System Status Update CSRF to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
  393. Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login to Mavenlink - 1 upvotes, $0
  394. CSRF bypass to Vimeo - 1 upvotes, $0
  395. CSRF token from another valid user session accepted to Mobile Vikings - 1 upvotes, $0
  396. A CSRF vulnerability which adds and removes a favorite team from a user account. to Yahoo! - 1 upvotes, $0
  397. No CSRF protection when creating new community points actions, and related stored XSS to Concrete CMS - 1 upvotes, $0
  398. Login CSRF using Google OAuth to ThisData - 1 upvotes, $0
  399. owncloud.com: Account Compromise Through CSRF to ownCloud - 1 upvotes, $0
  400. The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF to Paragon Initiative Enterprises - 1 upvotes, $0
  401. ProBlog 2.6.6 CSRF Exploit to Concrete CMS - 1 upvotes, $0
  402. XSS and CSRF in Zomato Contact form to Zomato - 1 upvotes, $0
  403. Missing Server Side Validation of CSRF Middleware Token in Change Password Request to Veris - 1 upvotes, $0
  404. CSRF - Regenerate all admin api keys to New Relic - 1 upvotes, $0
  405. No csrf protection on logout to Boozt Fashion AB - 1 upvotes, $0
  406. [community.informatica.com] - CSRF in Private Messages allows moving a user's messages to Trash to Informatica - 1 upvotes, $0
  407. Udemy S3 storage can be used by an attacker's personal website because of a missing CSRF token to Udemy - 1 upvotes, $0
  408. Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
  409. CSRF on cuvva.insure allows an attacker to send multiple SMS messages to download the app without visiting Cuvva to Cuvva - 1 upvotes, $0
  410. Login csrf. to Gratipay - 1 upvotes, $0
  411. Csrf bug on signup session to Coinbase - 1 upvotes, $0
  412. The csrf token remains same after user logs in to Liberapay - 1 upvotes, $0
  413. Csrf token does not meet security design to Liberapay - 1 upvotes, $0
  414. Cross-Site Request Forgery to Mail.ru - 1 upvotes, $0
  415. CSRF allows attacker to manage customer's shopping cart. to TomTom - 1 upvotes, $0
  416. Social Oauth Disconnect CSRF at znakcup.ru to Mail.ru - 1 upvotes, $0
  417. CSRF in newsletter form to Sifchain - 1 upvotes, $0
  418. CSRF - Modify User Settings with one click - Account TakeOver to U.S. Dept Of Defense - 1 upvotes, $0
  419. Login CSRF to IRCCloud - 0 upvotes, $100
  420. XSRF token problem to RelateIQ - 0 upvotes, $0
  421. HTML Form without CSRF protection to IRCCloud - 0 upvotes, $0
  422. CSRF - Creating accounts to IRCCloud - 0 upvotes, $0
  423. Change user settings through CSRF to Localize - 0 upvotes, $0
  424. CSRF in function "Set as primary" on accounts page to Coinbase - 0 upvotes, $0
  425. No CSRF token used in Phone Verification POST to Mail.ru - 0 upvotes, $0
  426. Log Out Cross site Request Forgery to IRCCloud - 0 upvotes, $0
  427. NO CSRF token found on user details update to FanFootage - 0 upvotes, $0
  428. HTML Form Without CSRF Protection Vulnerability to Uzbey - 0 upvotes, $0
  429. CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages to Yahoo! - 0 upvotes, $0
  430. CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages to Yahoo! - 0 upvotes, $0
  431. Typical form vulnerable to csrf attack to WePay - 0 upvotes, $0
  432. CSRF in crashlytics.com to Twitter - 0 upvotes, $0
  433. CSRF (Make email primary) may lead to account compromise to WePay - 0 upvotes, $0
  434. HTML form without CSRF protection at http://try.crashlytics.com/enterprise/ to Twitter - 0 upvotes, $0
  435. No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group to Concrete CMS - 0 upvotes, $0
  436. Csrf near report abuse meme to Imgur - 0 upvotes, $0
  437. The csrf token remains same after user logs in to ownCloud - 0 upvotes, $0
  438. apps.owncloud.com: CSRF change privacy settings to ownCloud - 0 upvotes, $0
  439. CSRF Token to Udemy - 0 upvotes, $0
  440. CSRF Issue to Legal Robot - 0 upvotes, $0
  441. CSRF bug on password change to Coinbase - 0 upvotes, $0
  442. CSRF Token Design Flaw to Udemy - 0 upvotes, $0
  443. Logout CSRF to WakaTime - 0 upvotes, $0
  444. Cross site request forgery to Hiro - 0 upvotes, $0