Top CSRF reports from HackerOne:

  1. CSRF on connecting Paypal as Payment Provider to Shopify - 292 upvotes, $500
  2. Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $0
  3. Periscope android app deeplink leads to CSRF in follow action to X (Formerly Twitter) - 208 upvotes, $0
  4. Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100
  5. Site wide CSRF affecting both job seeker and Employer account on glassdoor.com to Glassdoor - 155 upvotes, $0
  6. Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone to HackerOne - 147 upvotes, $0
  7. CSRF leads to a stored self xss to Imgur - 142 upvotes, $0
  8. CSRF protection bypass in GitHub Enterprise management console to GitHub - 140 upvotes, $10000
  9. Slack integration setup lacks CSRF protection to HackerOne - 137 upvotes, $2500
  10. Lack of CSRF header validation at https://g-mail.grammarly.com/profile to Grammarly - 131 upvotes, $0
  11. CSRF token validation system is disabled on Stripe Dashboard to Stripe - 107 upvotes, $0
  12. Cross-Site Request Forgery to ownCloud - 104 upvotes, $0
  13. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 102 upvotes, $0
  14. CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ to Rockstar Games - 99 upvotes, $0
  15. CSRF to HTML Injection in Comments to WordPress - 94 upvotes, $0
  16. One Click Account takeover using OAuth CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com to Logitech - 86 upvotes, $200
  17. CSRF in Account Deletion feature (https://www.flickr.com/account/delete) to Flickr - 84 upvotes, $0
  18. CSRF Account Takeover to TikTok - 84 upvotes, $0
  19. Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account to Discourse - 83 upvotes, $0
  20. CSRF token validation system is disabled on Stripe Dashboard to Stripe - 81 upvotes, $2500
  21. [CRITICAL] Full account takeover using CSRF to X (Formerly Twitter) - 80 upvotes, $0
  22. Delete any user's added Email,Telephone,Fax,Address,Skype via csrf in (https://academy.acronis.com/) to Acronis - 74 upvotes, $0
  23. CSRF protection on OIDC login is broken to Nextcloud - 72 upvotes, $500
  24. Login CSRF vulnerability on hackerone.com to HackerOne - 70 upvotes, $500
  25. Japan - CSRF in webapp.starbucks.co.jp with user interaction could leak an access token if the user was not using Chrome to Starbucks - 70 upvotes, $0
  26. CSRF on /api/graphql allows executing mutations through GET requests to GitLab - 69 upvotes, $3370
  27. CSRF protection bypass on TikTok Webcast Endpoints to TikTok - 68 upvotes, $2500
  28. CSRF protection bypass on any Django powered site via Google Analytics to Django - 68 upvotes, $0
  29. CSRF on Periscope Web OAuth authorization endpoint to X (Formerly Twitter) - 66 upvotes, $0
  30. CSRF to change password to Nord Security - 61 upvotes, $0
  31. [Admin Panel] CSRF to resume/pause runner to GitLab - 58 upvotes, $500
  32. CSRF Trial 14 days express subscription to Instacart - 55 upvotes, $0
  33. Periscope iOS app CSRF in follow action due to deeplink to X (Formerly Twitter) - 53 upvotes, $2940
  34. CSRF + XSS REFLECT to Daimler Truck - 53 upvotes, $0
  35. CSRF combined with IDOR within Document Converter exposes files to Open-Xchange - 52 upvotes, $500
  36. CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $0
  37. CSRF to delete a pet on ██████ to Mars - 49 upvotes, $0
  38. apps.shopify.com - CSRF token leakage through Google Analytics to Shopify - 47 upvotes, $0
  39. [CRITICAL] Full account takeover using CSRF to Bumble - 45 upvotes, $0
  40. Cross-site request forgery vulnerability resulting in the deletion of a user's account. to ██████ - 44 upvotes, $0
  41. CSRF that makes any linkedin user follow attacker controlled accounts by simply clicking https://www.linkedin.com/comm/mynetwork/discovery-see-all/* to LinkedIn - 44 upvotes, $0
  42. Login CSRF : Login Authentication Flaw on https://liberapay.com/ to Liberapay - 43 upvotes, $0
  43. CSRF in changing users donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings] to Logitech - 42 upvotes, $0
  44. (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation to HackerOne - 41 upvotes, $0
  45. Authentication token and CSRF token bypass to Enjin - 39 upvotes, $300
  46. Account takeover through CSRF in http://███████/██████████/default.asp to U.S. Dept Of Defense - 39 upvotes, $0
  47. CSRF on api.my.games due to improper validation of token allows an attacker to delete other users notifications to Mail.ru - 38 upvotes, $100
  48. CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' to Rockstar Games - 38 upvotes, $0
  49. CSRF on cards API to X (Formerly Twitter) - 38 upvotes, $0
  50. CSS Injection on /embed/ via bgcolor parameter leaks user's CSRF token and allows for XSS to Chaturbate - 38 upvotes, $0
  51. Path traversal leading to limited CSRF on GET requests on two endpoints to HackerOne - 38 upvotes, $0
  52. CSRF Vulnerability at https://aw.my.com/ to Mail.ru - 38 upvotes, $0
  53. Revocation API Token by Bypassing The XSRF Token to Enjin - 37 upvotes, $1500
  54. CSRF leads to account deactivation of users to Evernote - 36 upvotes, $300
  55. CSRF To Add New App In Developer Account And Bypassing Json Format to TikTok - 36 upvotes, $200
  56. CSRF on https://www.niche.co leads to "account disconnection" to X (Formerly Twitter) - 35 upvotes, $0
  57. Web cache poisoning leads to disclosure of CSRF token and sensitive information to Smule - 35 upvotes, $0
  58. HackerOne reports escalation to JIRA is CSRF vulnerable to HackerOne - 34 upvotes, $500
  59. Disable 2FA via CSRF (Leads to 2FA Bypass) to Mail.ru - 34 upvotes, $0
  60. CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit ! to Reddit - 34 upvotes, $0
  61. Timing attack towards endpoints on the web without CSRF to HackerOne - 33 upvotes, $0
  62. CSRF on launchpad.37signals.com OAuth2 authorization endpoint to Basecamp - 33 upvotes, $0
  63. Exfiltrate GDrive access token using CSRF to Dropbox - 32 upvotes, $1728
  64. Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host to GSA Bounty - 32 upvotes, $0
  65. Firmware download/install vulnerable to CSRF to Ubiquiti Inc. - 32 upvotes, $0
  66. Cross site scripting - XSRF Token to Nextcloud - 32 upvotes, $0
  67. gifts.flocktory.com/phpmyadmin is vulnerable to csrf to QIWI - 32 upvotes, $0
  68. CSRF that makes any user send invitations to the attacker by simply clicking on a link. to LinkedIn - 32 upvotes, $0
  69. Self-Stored XSS - Chained with login/logout CSRF to Zomato - 31 upvotes, $300
  70. Cross-Site Request Forgery (CSRF) to Instacart - 31 upvotes, $0
  71. Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg] to Unikrn - 31 upvotes, $0
  72. CSRF in AppSearch allows creation of "curations" to Elastic - 31 upvotes, $0
  73. Site-wide CSRF on eats.uber.com to Uber - 30 upvotes, $6000
  74. CSRF at [Apply to this program] that lead to submit your request automatic with out any validations to HackerOne - 30 upvotes, $0
  75. Site-wide CSRF at Atavist to Automattic - 30 upvotes, $0
  76. Account takeover just through csrf in https://booking.qiwi.kz/profile to QIWI - 30 upvotes, $0
  77. Account takeover through multistage CSRF at https://autochoice.fas.gsa.gov/AutoChoice/changeQAOktaAnswer and ../AutoChoice/changePwOktaAnswer to U.S. General Services Administration - 30 upvotes, $0
  78. Authentication CSRF resulting in unauthorized account access on Krisp app to Krisp - 30 upvotes, $0
  79. Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage to Shopify - 29 upvotes, $800
  80. CSRF in Changing User Verification Email to TikTok - 29 upvotes, $500
  81. CSRF On Connect Account With Github Lead To Account Takeover to Vercel - 29 upvotes, $0
  82. Site-wide CSRF on Safari due to CORS misconfiguration (not localhost) to CS Money - 28 upvotes, $300
  83. JSON CSRF on POST Heartbeats API to WakaTime - 28 upvotes, $0
  84. OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing to Vimeo - 28 upvotes, $0
  85. CSRF + XSS leads to ATO to Mail.ru - 28 upvotes, $0
  86. CSRF on audio file upload to VK.com - 28 upvotes, $0
  87. [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status to Shopify - 28 upvotes, $0
  88. Argo CD CSRF leads to Kubernetes cluster compromise to Internet Bug Bounty - 27 upvotes, $4660
  89. CSRF Vulnerability allows attackers to steal SocialClub private token. to Rockstar Games - 27 upvotes, $0
  90. CSRF vulnerability that allows an attacker to modify encryption settings to Nextcloud - 27 upvotes, $0
  91. CSRF in seller-us.tiktok.com/profile/account-setting/delegation-login to TikTok - 27 upvotes, $0
  92. TikTok Session Donation CSRF via QR code login to TikTok - 26 upvotes, $111
  93. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 26 upvotes, $0
  94. Norway - store.starbucks.no - CSRF on email change to Starbucks - 26 upvotes, $0
  95. CSRF with logout action to Weblate - 26 upvotes, $0
  96. CSRF at https://chatstory.pixiv.net/imported to pixiv - 25 upvotes, $500
  97. Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities to Uber - 25 upvotes, $500
  98. CSRF on draft message creation in tel.mail.ru to Mail.ru - 25 upvotes, $0
  99. [www.drive2.ru] CSRF through FCTX token bypass to DRIVE.NET, Inc. - 25 upvotes, $0
  100. CSRF Vulnerability on post creation page /community/create-post.json to Rockstar Games - 25 upvotes, $0
  101. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 25 upvotes, $0
  102. FileUpload Plugin: CSRF (delete all attached files) to Vanilla - 24 upvotes, $300
  103. CSRF and probable account takeover on https://www.niche.co to X (Formerly Twitter) - 23 upvotes, $0
  104. CSRF Account Deletion on ███ Website to U.S. Dept Of Defense - 23 upvotes, $0
  105. CSRF in github integration to Slack - 22 upvotes, $500
  106. Cross-Site Request Forgery (CSRF) to Harvest - 22 upvotes, $0
  107. Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) to Starbucks - 22 upvotes, $0
  108. H1514 CSRF in Domain transfer allows adding your domain to other user's account to Shopify - 22 upvotes, $0
  109. CSRF to set your own email on an account. to VK.com - 22 upvotes, $0
  110. [CSRF] No Csrf protection against sending invitation to join the team. to Lark Technologies - 22 upvotes, $0
  111. CSRF to Information disclosure on password reset to Mozilla Critical Services - 22 upvotes, $0
  112. No CSRF protection when adding an item to cart to Mars - 22 upvotes, $0
  113. CSRF on TikTok Ads Portal to TikTok - 21 upvotes, $1000
  114. UniFi Video Server web interface Configuration Restore CSRF leading to full application compromise to Ubiquiti Inc. - 21 upvotes, $0
  115. CSRF vulnerability in Nextcloud Desktop Client 3.6.1 on Windows when clicking malicious link to Nextcloud - 21 upvotes, $0
  116. User In The Same Center Can Create CSRF To Change The Information About Business to TikTok - 20 upvotes, $147
  117. Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites to Starbucks - 20 upvotes, $0
  118. Wordpress 4.7 - CSRF -> HTTP SSRF any private ip:port and basic-auth to WordPress - 20 upvotes, $0
  119. CSRF - Close Account to U.S. Dept Of Defense - 20 upvotes, $0
  120. CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger to Internet Bug Bounty - 20 upvotes, $0
  121. CSRF login to HackerOne - 19 upvotes, $0
  122. CSRF in Raffles Ticket Purchasing to Unikrn - 19 upvotes, $0
  123. Arbitrary change of blog's background image via CSRF to WordPress - 19 upvotes, $0
  124. CSRF in changing password after using reset password link to OpenMage - 19 upvotes, $0
  125. SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi) to LocalTapiola - 18 upvotes, $1350
  126. Shared CSRF token for community messages, or how to frame a fellow editor to VK.com - 18 upvotes, $300
  127. Possible CSRF during joining report as participant to HackerOne - 18 upvotes, $0
  128. [tumblr.com] CSRF in /svc/user/filtered_content to Automattic - 18 upvotes, $0
  129. Self stored Xss + Login Csrf to U.S. Dept Of Defense - 18 upvotes, $0
  130. CSRF to delete a pet to Mars - 18 upvotes, $0
  131. CSRF - Adding unlimited number of saved items via GET request to Lyst - 17 upvotes, $150
  132. CSRF to check whether a user is a group admin. to VK.com - 17 upvotes, $100
  133. CSRF log victim into the attacker account to Unikrn - 17 upvotes, $0
  134. CSRF in attach phone API endpoint on delivery-club.ru to Mail.ru - 17 upvotes, $0
  135. Self XSS combine CSRF at https://████████/index.php to U.S. Dept Of Defense - 17 upvotes, $0
  136. CSRF allows to test email forwarding to HackerOne - 17 upvotes, $0
  137. Cross-Site Request Forgery (CSRF) to xss to MTN Group - 17 upvotes, $0
  138. Checking whether an email and phone number belong to a specific user / CSRF to change the phone number for some users to VK.com - 16 upvotes, $300
  139. CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction to Snapchat - 16 upvotes, $250
  140. CSRF allows attacker to delete item from customer's "Postilaatikko" to LocalTapiola - 16 upvotes, $0
  141. CSRF Add user templates to Mavenlink - 16 upvotes, $0
  142. CSRF in Importing CSV files [app.taxjar.com] to Stripe - 16 upvotes, $0
  143. Mobile Reflect XSS / CSRF at Advertisement Section on Search page to Pornhub - 15 upvotes, $200
  144. Twitter Disconnect CSRF to Shopify - 15 upvotes, $0
  145. [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info' to Mail.ru - 15 upvotes, $0
  146. CSRF token fixation in Sign in with Google to Harvest - 15 upvotes, $0
  147. CSRF to add admin [wordpress] to WordPress - 15 upvotes, $0
  148. https://fundl.qiwi.com CSRF on SMS confirmation to QIWI - 15 upvotes, $0
  149. Missing CSRF key on the Private Profile function. to ok.ru - 15 upvotes, $0
  150. CSRF to account takeover in https://███████.mil/ to U.S. Dept Of Defense - 15 upvotes, $0
  151. CSRF Bypassed on Logout Endpoint to Enjin - 15 upvotes, $0
  152. Posting to Twitter CSRF on php/post_twitter_authenticate.php to Zomato - 14 upvotes, $50
  153. CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public to Vimeo - 14 upvotes, $0
  154. CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection to Ubiquiti Inc. - 14 upvotes, $0
  155. CSRF on change video thumbnail at https://chaturbate.com to Chaturbate - 14 upvotes, $0
  156. csrf bypass using flash file + 307 redirect method at plugins endpoint to Stripo Inc - 14 upvotes, $0
  157. CSRF for deleting videos to TikTok - 14 upvotes, $0
  158. CSRF in https://███ to U.S. Dept Of Defense - 14 upvotes, $0
  159. [https://geekbrains.ru/profile] - authenticity_token not tied to user session leads to CSRF attacks to Mail.ru - 14 upvotes, $0
  160. CSRF on calendar.mail.ru to Mail.ru - 13 upvotes, $250
  161. CSRF on lootdog.io to Mail.ru - 13 upvotes, $100
  162. CSRF in widgets to VK.com - 13 upvotes, $100
  163. Bypassing CSRF Token On Reply Message & Send Message to Reverb.com - 13 upvotes, $0
  164. CSRF to like a review (Pandao) to Mail.ru - 13 upvotes, $0
  165. CSRF on developer.zendesk.com via Cache Deception to Zendesk - 13 upvotes, $0
  166. CSRF to Stored HTML injection at https://www.█████ to U.S. Dept Of Defense - 13 upvotes, $0
  167. Bypassing SOP with XSS on account.my.games leading to steal CSRF token and user information to Mail.ru - 13 upvotes, $0
  168. Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF to Uber - 12 upvotes, $500
  169. CSRF to ATO at https://█████/user/account [HtUS] to U.S. Dept Of Defense - 12 upvotes, $500
  170. CSRF possible when SOP Bypass/UXSS is available to LocalTapiola - 12 upvotes, $50
  171. Possible CSRF during external programs to HackerOne - 12 upvotes, $0
  172. CSRF on signup endpoint (auto-api.yelp.com) to Yelp - 12 upvotes, $0
  173. Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl to Radancy - 12 upvotes, $0
  174. Triggering RCE using XSS to bypass CSRF in PowerBeam M5 300 to Ubiquiti Inc. - 12 upvotes, $0
  175. CSRF - Modify Project Settings to Stripo Inc - 12 upvotes, $0
  176. CSRF to Cross-site Scripting (XSS) to U.S. Dept Of Defense - 12 upvotes, $0
  177. CSRF in m.vk.com to VK.com - 12 upvotes, $0
  178. Widespread CSRF on authenticated POST endpoints to UPchieve - 12 upvotes, $0
  179. CSRF possible when SOP Bypass/UXSS is available to HackerOne - 11 upvotes, $2500
  180. CSRF to reset the stream key. to VK.com - 11 upvotes, $100
  181. CSRF to add a view to a post without the user's knowledge. to VK.com - 11 upvotes, $100
  182. CSRF logs the victim into attacker's account to Unikrn - 11 upvotes, $100
  183. CSRF to purchase an item https://lootdog.io/ to Mail.ru - 11 upvotes, $100
  184. CSRF in adding phrase. to Localize - 11 upvotes, $0
  185. CSRF in Udemy.com to Udemy - 11 upvotes, $0
  186. CSRF- delete all empty server policy to New Relic - 11 upvotes, $0
  187. CSRF: add item to victim's cart automatically (starbucks.com - updatecart) to Starbucks - 11 upvotes, $0
  188. Paragonie Airship Admin CSRF on Extensions Pages to Paragon Initiative Enterprises - 11 upvotes, $0
  189. CSRF - Delete Account (Urgent) to U.S. Dept Of Defense - 11 upvotes, $0
  190. Add tweet to collection CSRF to X (Formerly Twitter) - 10 upvotes, $560
  191. CSRF in obtaining backup tokens + framing, leading to 2FA compromise to VK.com - 10 upvotes, $500
  192. login csrf in analytics.mopub.com to X (Formerly Twitter) - 10 upvotes, $280
  193. Found CSRF Vulnerability in https://support.rockstargames.com/ to Rockstar Games - 10 upvotes, $150
  194. CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) to Starbucks - 10 upvotes, $0
  195. CSRF to submit a question on [games.mail.ru] to Mail.ru - 10 upvotes, $0
  196. CSRF - Modify Company Info to U.S. Dept Of Defense - 10 upvotes, $0
  197. RCE in AirOS 6.2.0 Devices with CSRF bypass to Ubiquiti Inc. - 10 upvotes, $0
  198. The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking. to Zomato - 10 upvotes, $0
  199. No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address to Stripo Inc - 10 upvotes, $0
  200. CSRF to delete accounts [HtUS] to U.S. Dept Of Defense - 10 upvotes, $0
  201. [chaturbate.com] - CSRF Vulnerability on image upload to Chaturbate - 9 upvotes, $300
  202. CSRF in REPORT EMOTICON feature to Chaturbate - 9 upvotes, $250
  203. CSRF to edit cards in a group's post to VK.com - 9 upvotes, $100
  204. CSRF to list an item for sale to Mail.ru - 9 upvotes, $100
  205. CSRF in login form would lead to account takeover to Ubiquiti Inc. - 9 upvotes, $0
  206. Cross Site Request Forgery (CSRF) to Mail.ru - 9 upvotes, $0
  207. CSRF Full Account Takeover to Concrete CMS - 9 upvotes, $0
  208. Twitter Disconnect CSRF to Zomato - 9 upvotes, $0
  209. account.ubnt.com CSRF to Ubiquiti Inc. - 9 upvotes, $0
  210. CSRF Send a message at street-combats.mail.ru to Mail.ru - 9 upvotes, $0
  211. Account Takeover using Third party Auth CSRF to Weblate - 9 upvotes, $0
  212. CSRF to Mixmax - 9 upvotes, $0
  213. Login CSRF : Login Authentication Flaw to Weblate - 9 upvotes, $0
  214. CSRF in Report Lost or Stolen Page https://www.starbucks.com/account/card to Starbucks - 9 upvotes, $0
  215. CSRF Full Account Takeover - https://redtube.com/settings to Pornhub - 9 upvotes, $0
  216. vulnerable to Cross-site Request Forgery | Jira to MariaDB - 9 upvotes, $0
  217. CSRF | Ban or unban users in broadcast's chat to Valve - 9 upvotes, $0
  218. Missing CSRF Token On Remove Coupon From Cart to Starbucks - 9 upvotes, $0
  219. CSRF vulnerability allows taking out an interest-free loan for a cfire.mail.ru user to Mail.ru - 9 upvotes, $0
  220. csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json to Rockstar Games - 9 upvotes, $0
  221. CSRF Based XSS @ https://██████████ to U.S. Dept Of Defense - 9 upvotes, $0
  222. Stored unauth XSS in calendar event via CSRF to Concrete CMS - 9 upvotes, $0
  223. Limited CSRF bypass. to HackerOne - 8 upvotes, $500
  224. Missing of csrf protection to Shopify - 8 upvotes, $500
  225. CSRF Delete chat invitation link. to Mail.ru - 8 upvotes, $100
  226. CSRF in the "Add restaurant picture" function to Zomato - 8 upvotes, $50
  227. Private Project Access Request Invitation Sent Via CSRF to Localize - 8 upvotes, $0
  228. CSRF To change Email Notification Settings to Instacart - 8 upvotes, $0
  229. CSRF in account configuration leads to complete account compromise to OLX - 8 upvotes, $0
  230. CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) to Starbucks - 8 upvotes, $0
  231. CSRF to change Account Security Keys on secure.login.gov to GSA Bounty - 8 upvotes, $0
  232. CSRF in twitterflightschool.com ( CAN POST ON TIMELINE WITHOUT USER PERMISSION) to X (Formerly Twitter) - 8 upvotes, $0
  233. CSRF token fixation and potential account takeover to Khan Academy - 8 upvotes, $0
  234. Application Vulnerable to CSRF - Remove Invited user to Infogram - 8 upvotes, $0
  235. csrf token did not change after login/logout many times to Liberapay - 8 upvotes, $0
  236. Missing CSRF Token On Add Coupon To Basket to Starbucks - 8 upvotes, $0
  237. Authenticated Cross-Site-Request-Forgery to Semmle - 8 upvotes, $0
  238. CSRF on https://market.my.games to Mail.ru - 8 upvotes, $0
  239. Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN to Stripo Inc - 8 upvotes, $0
  240. CSRF on "guest catching" and disclosure of an audio broadcast in a private group to VK.com - 7 upvotes, $100
  241. Full account takeover using CSRF and password reset to IRCCloud - 7 upvotes, $0
  242. Sign-up Form CSRF to Localize - 7 upvotes, $0
  243. [CRITICAL] CSRF leading to account take over to drchrono - 7 upvotes, $0
  244. CSRF to Legal Robot - 7 upvotes, $0
  245. CSRF vulnerability that allows an attacker to purge plugin metric data to New Relic - 7 upvotes, $0
  246. CSRF bypass + XSS on verkkopalvelu.tapiola.fi to LocalTapiola - 7 upvotes, $0
  247. CSRF to Connect third party Account to Weblate - 7 upvotes, $0
  248. CSRF For Adding Users to New Relic - 7 upvotes, $0
  249. [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network to Shopify - 7 upvotes, $0
  250. Imperfect CSRF To Overwrite Server Config at /go/admin/restful/configuration/file/POST/xml to GoCD - 7 upvotes, $0
  251. CSRF on image upload on Pandao to Mail.ru - 7 upvotes, $0
  252. Issue:Form does not contain an anti-CSRF token to Phabricator - 7 upvotes, $0
  253. CSRF on /subscription_manage.php endpoint at allods.mail.ru to Mail.ru - 7 upvotes, $0
  254. CSRF to account takeover in https://█████/ to U.S. Dept Of Defense - 7 upvotes, $0
  255. CSRF on delete friend requests - Not protected with CSRF Token to XVIDEOS - 7 upvotes, $0
  256. CSRF in cancel group and private show requests to Chaturbate - 6 upvotes, $300
  257. CSRF in "send them an email and browser notification" feature to Chaturbate - 6 upvotes, $150
  258. Login CSRF using Twitter OAuth to Phabricator - 6 upvotes, $0
  259. CSRF token leakage to Enter - 6 upvotes, $0
  260. Stealing CSRF Tokens to Keybase - 6 upvotes, $0
  261. [CRITICAL] CSRF leading to account take over to Zendesk - 6 upvotes, $0
  262. Security Issue : CSRF Token Design Flaw to drchrono - 6 upvotes, $0
  263. CSRF - Delete all empty application policy to New Relic - 6 upvotes, $0
  264. CSRF Token Bypass in Account Deletion to GitLab - 6 upvotes, $0
  265. CSRF in delete advertisement on olx.com.eg to OLX - 6 upvotes, $0
  266. Logout CSRF to Weblate - 6 upvotes, $0
  267. CSRF : Reset API to Weblate - 6 upvotes, $0
  268. CSRF @ configuration to Files.com - 6 upvotes, $0
  269. CSRF bug to Bumble - 6 upvotes, $0
  270. WordPress core - Denial of Service via Cross Site Request Forgery to WordPress - 6 upvotes, $0
  271. Data-Tags and the New HTML Sanitizer Subverts CSRF protection to Ruby on Rails - 6 upvotes, $0
  272. CSRF to create a poll on behalf of a user, knowing the app id. + minor message flooding on the wall to VK.com - 6 upvotes, $0
  273. Account takeover due to CSRF in "Account details" option on █████████ to U.S. Dept Of Defense - 6 upvotes, $0
  274. CSRF when entering a promo code on Pandao to Mail.ru - 6 upvotes, $0
  275. Cross Site Request Forgery in auth in https://auth.ratelimited.me/ to RATELIMITED - 6 upvotes, $0
  276. CSRF at adding new role (user-management.service.newrelic.com) to New Relic - 6 upvotes, $0
  277. ███████mill is vulnerable to cross site request forgery that leads to full account take over. to U.S. Dept Of Defense - 6 upvotes, $0
  278. Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover to Automattic - 6 upvotes, $0
  279. Leaking CSRF token over HTTP resulting in CSRF protection bypass to Coinbase - 5 upvotes, $1000
  280. CSRF - Add optional two factor mobile number to Slack - 5 upvotes, $500
  281. Critical : Account removing using CSRF attack to WePay - 5 upvotes, $350
  282. CSRF Attack on (m.badoo.com)deleting account and erasing imported contacts to Bumble - 5 upvotes, $280
  283. CSRF bypass on Submit Time sheet for Approval to Harvest - 5 upvotes, $150
  284. Login CSRF can be bypassed (Similar approach to previous one). to IRCCloud - 5 upvotes, $0
  285. Unauthenticated CSRF(User can input any value for CSRF Token) to Veris - 5 upvotes, $0
  286. Create Multiple Account Using Similar X-CSRF token to Coinbase - 5 upvotes, $0
  287. The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack to LocalTapiola - 5 upvotes, $0
  288. CSRF AT INVITING PEOPLE THROUGH PHONE NUMBER to Zomato - 5 upvotes, $0
  289. CSRF in Cloudflare login to Cloudflare Vulnerability Disclosure - 5 upvotes, $0
  290. Cross-site request forgery vulnerability on a DoD website to U.S. Dept Of Defense - 5 upvotes, $0
  291. CSRF To Like/Unlike Photos to Zomato - 5 upvotes, $0
  292. Csrf in watch-unwatch projects to Weblate - 5 upvotes, $0
  293. CSRF. Deleting the address book, adding contacts to Mail.ru - 5 upvotes, $0
  294. CSRF on biz.mail.ru to Mail.ru - 5 upvotes, $0
  295. Request vulnerable to CSRF to Phabricator - 5 upvotes, $0
  296. CSRF in Profile Fields allows deleting any field in BuddyPress to WordPress - 5 upvotes, $0
  297. relap.io CSRF bypass on adding domain to use relap widgets to Mail.ru - 5 upvotes, $0
  298. CSRF in updating username https://pw.mail.ru/ to Mail.ru - 5 upvotes, $0
  299. Account Takeover and Information update due to cross site request forgery via POST █████████/registration/my-account.cfm to U.S. Dept Of Defense - 5 upvotes, $0
  300. CodeQL query for finding CSRF vulnerabilities in Spring applications to GitHub Security Lab - 4 upvotes, $1800
  301. csrf to Slack - 4 upvotes, $0
  302. Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login to RelateIQ - 4 upvotes, $0
  303. Unwanted Spamming Using CSRF [LOGGED IN USER] to IRCCloud - 4 upvotes, $0
  304. Login CSRF in Secret.ly to Secret - 4 upvotes, $0
  305. HTML form without CSRF protection to Automattic - 4 upvotes, $0
  306. CSRF to Account Take Over Bug to IRCCloud - 4 upvotes, $0
  307. Resubmitted with POC #18685 Password reset CSRF to RelateIQ - 4 upvotes, $0
  308. Notifications can mark as read by CSRF to X (Formerly Twitter) - 4 upvotes, $0
  309. Marking notifications as read CSRF bug to HackerOne - 4 upvotes, $0
  310. [mobile.twitter.com / twitter.com] CSRF protection bypass to X (Formerly Twitter) - 4 upvotes, $0
  311. CSRF AT SELECTING ZAMATO HANDLE to Zomato - 4 upvotes, $0
  312. CSRF AT SUBSCRIBE TO LIST to Paragon Initiative Enterprises - 4 upvotes, $0
  313. The 'Create a New Account' action is vulnerable to CSRF to Coinbase - 4 upvotes, $0
  314. CSRF in changing settings of Basic Google Maps Placemarks to Ian Dunn - 4 upvotes, $0
  315. [allods.mail.ru] Cross-Site Request Forgery (Add-Item) to Mail.ru - 4 upvotes, $0
  316. CSRF : Lock and Unlock Translation to Weblate - 4 upvotes, $0
  317. CSRF bypass ( Delete Source Translation From dictionaries ) in demo.weblate.org to Weblate - 4 upvotes, $0
  318. Cross-site request forgery (CSRF) vulnerability in a DoD website to U.S. Dept Of Defense - 4 upvotes, $0
  319. csrf blogs.starbucks.com to Starbucks - 4 upvotes, $0
  320. Add movie or series CSRF to delight.im - 4 upvotes, $0
  321. CSRF-Token leak by request forgery to GitLab - 4 upvotes, $0
  322. CSRF in generating a new Personal Key to GSA Bounty - 4 upvotes, $0
  323. CSRF to make any user accept the invitation to the team to Liberapay - 4 upvotes, $0
  324. CSRF to remove an item from the cart to Mail.ru - 4 upvotes, $0
  325. CSRF on https://apps.topcoder.com/wiki/users general and email preferences to Topcoder - 4 upvotes, $0
  326. [express-cart] Wide CSRF in application to Node.js third-party modules - 4 upvotes, $0
  327. CSRF at acknowledging an incident to New Relic - 4 upvotes, $0
  328. Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile] to Weblate - 4 upvotes, $0
  329. CSRF on https://apps.topcoder.com/wiki/pages/doattachfile.action to Topcoder - 4 upvotes, $0
  330. Self XSS + CSRF Leads to Reflected XSS in https://████/ to U.S. Dept Of Defense - 4 upvotes, $0
  331. CSRF token fixation in facebook store app that can lead to adding attacker to victim acc to Shopify - 3 upvotes, $500
  332. Sign up CSRF to IRCCloud - 3 upvotes, $100
  333. CSRF on "Set as primary" option on the accounts page to Coinbase - 3 upvotes, $100
  334. The csrf token remains same after user logs in to Enter - 3 upvotes, $50
  335. User Account Creation CSRF to IRCCloud - 3 upvotes, $0
  336. Login CSRF using Twitter oauth to Factlink - 3 upvotes, $0
  337. logout csrf app.simplenote.com/logout to Automattic - 3 upvotes, $0
  338. CSRF vulnerability on https://sehacure.slack.com/account/settings to Slack - 3 upvotes, $0
  339. The product/status method CSRF to DigitalSellz - 3 upvotes, $0
  340. Internal GET SSRF via CSRF with Press This scan feature to Automattic - 3 upvotes, $0
  341. CSRF in apps.owncloud.com to ownCloud - 3 upvotes, $0
  342. Bypassing CSRF protection in m.ok.ru to ok.ru - 3 upvotes, $0
  343. CSRF on eng.uber.com may lead to server-side compromise to Uber - 3 upvotes, $0
  344. Using GET method for account login with CSRF token leaking to external sites Via Referer. to Zaption - 3 upvotes, $0
  345. Akismet Several CSRF vulnerabilities to Automattic - 3 upvotes, $0
  346. Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 to Concrete CMS - 3 upvotes, $0
  347. Newsroom.uber HTML form without CSRF protection to Uber - 3 upvotes, $0
  348. No CSRF validation on Account Monitors in Synthetics Block to New Relic - 3 upvotes, $0
  349. The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
  350. Login CSRF vulnerability to New Relic - 3 upvotes, $0
  351. CSRF Add Album On onpatient.com to drchrono - 3 upvotes, $0
  352. CSRF csrftoken in cookies to Gratipay - 3 upvotes, $0
  353. Csrf on creating course to Udemy - 3 upvotes, $0
  354. CSRF - Changing the full name / adding a secondary email identity of an account via a GET request to Weblate - 3 upvotes, $0
  355. Cross-site request forgery (CSRF) vulnerability on a DoD website to U.S. Dept Of Defense - 3 upvotes, $0
  356. CSRF token is not validated during blog comment to Paragon Initiative Enterprises - 3 upvotes, $0
  357. Same CSRF token is being used for deleting other platform login’s within an account and across other liberapay Account’s to Liberapay - 3 upvotes, $0
  358. CSRF ON EDITING NAME (OPTIONAL) to Liberapay - 3 upvotes, $0
  359. CSRF token manipulation in every possible form submits. NO server side Validation to Liberapay - 3 upvotes, $0
  360. Missing CSRF Protection in /stats EndPoint. to Chaturbate - 3 upvotes, $0
  361. XSRF Token is Not being validated when sending emails test request which lead to CSRF attack using the flash file + 307 redirect technique to Stripo Inc - 3 upvotes, $0
  362. CSRF on https://apps.topcoder.com/wiki/users/editmyprofile.action to Topcoder - 3 upvotes, $0
  363. Cross-Site Request Forgery (CSRF) in my.games API to Mail.ru - 3 upvotes, $0
  364. Cross-Site Request Forgery (CSRF) in comment update - api.my.games to Mail.ru - 3 upvotes, $0
  365. CSRF Vulnerability on Facebook Linkage Page Allows Full Account Takeover of Socialclub Accounts. to Rockstar Games - 3 upvotes, $0
  366. Logout page does not prevent CSRF to Courier - 3 upvotes, $0
  367. CSRF on comment post to WordPress - 3 upvotes, $0
  368. tracker.my.com information disclosure via csrf bypass to Mail.ru - 3 upvotes, $0
  369. Authenticity token doesn't expire after single use leading to CSRF to Omise - 3 upvotes, $0
  370. CSRF on https://apps.topcoder.com/wiki/users/editmyprofilepicture.action to Topcoder - 3 upvotes, $0
  371. CSRF in Demographic Settings with valid gdtoken of other account to Glassdoor - 3 upvotes, $0
  372. If the website does not impose additional defense against CSRF attacks, failing to use the 'Lax' or 'Strict' values could increase the risk of exposur to Yelp - 3 upvotes, $0
  373. CSRF on https://shopify.com/plus to Shopify - 2 upvotes, $500
  374. CSRF on add comment section to Slack - 2 upvotes, $0
  375. HTML Form Without CSRF protection to Localize - 2 upvotes, $0
  376. No Cross-Site Request Forgery protection at multiple locations to Localize - 2 upvotes, $0
  377. Group Deletion Via CSRF to Localize - 2 upvotes, $0
  378. Group Creation Via CSRF to Localize - 2 upvotes, $0
  379. Private Project Access Request Accepted Via CSRF to Localize - 2 upvotes, $0
  380. CSRF - Adding/Removing items to cart - shop.khanacademy.org to Khan Academy - 2 upvotes, $0
  381. HTML Form without CSRF protection to IRCCloud - 2 upvotes, $0
  382. Projects Watch or Notifications Settings Change Via CSRF to Localize - 2 upvotes, $0
  383. Sign up CSRF to Factlink - 2 upvotes, $0
  384. CSRF token valid even after the session logout of a particular user to Phabricator - 2 upvotes, $0
  385. CSRF - Disabling orders at https://panel.stopthehacker.com/manage/disable-order/order/ID to StopTheHacker - 2 upvotes, $0
  386. Login CSRF to Mavenlink - 2 upvotes, $0
  387. csrf on password change functionality to Cloudflare Vulnerability Disclosure - 2 upvotes, $0
  388. Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login to Mavenlink - 2 upvotes, $0
  389. CSRF bypass to Vimeo - 2 upvotes, $0
  390. CSRF token from another valid user session accepted to Mobile Vikings - 2 upvotes, $0
  391. A csrf vulnerability which add and remove a favorite team from a user account. to Yahoo! - 2 upvotes, $0
  392. No CSRF protection when creating new community points actions, and related stored XSS to Concrete CMS - 2 upvotes, $0
  393. rails-ujs will send CSRF tokens to other origins to Ruby on Rails - 2 upvotes, $0
  394. owncloud.com: Account Compromise Through CSRF to ownCloud - 2 upvotes, $0
  395. [HIGH RISK] CSRF could potentially delete a zendesk subdomain. to Zendesk - 2 upvotes, $0
  396. don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
  397. Lost Password CSRF to Nextcloud - 2 upvotes, $0
  398. Full path disclosure when CSRF validation failed to Paragon Initiative Enterprises - 2 upvotes, $0
  399. Full Path Disclosure by removing CSRF token to Paragon Initiative Enterprises - 2 upvotes, $0
  400. CSRF with redeem coupon request to Instacart - 2 upvotes, $0
  401. [community.informatica.com] - CSRF in Private Messages allows moving a user's messages to Trash to Informatica - 2 upvotes, $0
  402. CSRF token validation is missing to Nextcloud - 2 upvotes, $0
  403. Logout CSRF to delight.im - 2 upvotes, $0
  404. Login Cross Site Request Forgery to Infogram - 2 upvotes, $0
  405. CSRF on https://apps.topcoder.com/wiki/plugins/socialbookmarking/updatebookmark.action to Topcoder - 2 upvotes, $0
  406. CSRF header is sent to external websites when using data-remote forms to Ruby on Rails - 2 upvotes, $0
  407. CSRF on email address operations. Also performing unintended operations. to WePay - 1 upvotes, $150
  408. Login CSRF to IRCCloud - 1 upvotes, $100
  409. XSRF token problem to RelateIQ - 1 upvotes, $0
  410. CSRF - Creating accounts to IRCCloud - 1 upvotes, $0
  411. Change user settings through CSRF to Localize - 1 upvotes, $0
  412. CSRF in function "Set as primary" on accounts page to Coinbase - 1 upvotes, $0
  413. No CSRF token used in Phone Verification POST to Mail.ru - 1 upvotes, $0
  414. Log Out Cross site Request Forgery to IRCCloud - 1 upvotes, $0
  415. NO CSRF token found on user details update to FanFootage - 1 upvotes, $0
  416. CSRF and No password requirement in this URL Billing Info to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
  417. HTML Form Without CSRF Protection Vulnerability to Uzbey - 1 upvotes, $0
  418. CSRF & Nonce Token Weak Implementation to WePay - 1 upvotes, $0
  419. CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages to Yahoo! - 1 upvotes, $0
  420. CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages to Yahoo! - 1 upvotes, $0
  421. CSRF in crashlytics.com to X (Formerly Twitter) - 1 upvotes, $0
  422. System Status Update CSRF to Cloudflare Vulnerability Disclosure - 1 upvotes, $0
  423. No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group to Concrete CMS - 1 upvotes, $0
  424. Csrf near report abuse meme to Imgur - 1 upvotes, $0
  425. CSRF in Connecting Pinterest Account to Shopify - 1 upvotes, $0
  426. Login CSRF using Google OAuth to ThisData - 1 upvotes, $0
  427. apps.owncloud.com: CSRF change privacy settings to ownCloud - 1 upvotes, $0
  428. The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF to Paragon Initiative Enterprises - 1 upvotes, $0
  429. ProBlog 2.6.6 CSRF Exploit to Concrete CMS - 1 upvotes, $0
  430. XSS and CSRF in Zomato Contact form to Zomato - 1 upvotes, $0
  431. Missing Server Side Validation of CSRF Middleware Token in Change Password Request to Veris - 1 upvotes, $0
  432. CSRF - Regenerate all admin api keys to New Relic - 1 upvotes, $0
  433. No csrf protection on logout to Boozt Fashion AB - 1 upvotes, $0
  434. Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token to Udemy - 1 upvotes, $0
  435. Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
  436. CSRF on cuvva.insure allows an attacker to send multiple SMS to download the app without visiting Cuvva to Cuvva - 1 upvotes, $0
  437. Login csrf. to Gratipay - 1 upvotes, $0
  438. Csrf bug on signup session to Coinbase - 1 upvotes, $0
  439. The csrf token remains same after user logs in to Liberapay - 1 upvotes, $0
  440. Csrf token does not meet security design to Liberapay - 1 upvotes, $0
  441. Cross-Site Request Forgery to Mail.ru - 1 upvotes, $0
  442. CSRF allows attacker to manage customer's shopping cart. to TomTom - 1 upvotes, $0
  443. Social Oauth Disconnect CSRF at znakcup.ru to Mail.ru - 1 upvotes, $0
  444. CSRF in newsletter form to Sifchain - 1 upvotes, $0
  445. CSRF - Modify User Settings with one click - Account TakeOver to U.S. Dept Of Defense - 1 upvotes, $0
  446. Typical form vulnerable to csrf attack to WePay - 0 upvotes, $0
  447. CSRF (Make email primary) may lead to account compromise to WePay - 0 upvotes, $0
  448. HTML form without CSRF protection at http://try.crashlytics.com/enterprise/ to X (Formerly Twitter) - 0 upvotes, $0
  449. The csrf token remains same after user logs in to ownCloud - 0 upvotes, $0
  450. CSRF Token to Udemy - 0 upvotes, $0
  451. CSRF Issue to Legal Robot - 0 upvotes, $0
  452. CSRF bug on password change to Coinbase - 0 upvotes, $0
  453. CSRF Token Design Flaw to Udemy - 0 upvotes, $0
  454. Logout CSRF to WakaTime - 0 upvotes, $0
  455. Cross site request forgery to Hiro - 0 upvotes, $0