Cross-Site Request Forgery
# Description
The administrative `/api/users` registration endpoint is vulnerable to a Cross-Site Request Forgery attack because it performs no anti-CSRF token verification of any kind.
# Proof of Concept
1. An authenticated administrator visits an attacker-controllable website, in this case the PoC file.
2. When the page loads, a new account will be created using the attacker-chosen credentials.
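The missing check, as an added example that is not part of the original advisory: a minimal Python sketch of the `/api/users` handler as described (authenticated, but with no anti-CSRF verification) beside a hardened version that verifies a session-bound synchronizer token and the `Origin` header. The request dictionary shape, the `X-CSRF-Token` header name, `ALLOWED_ORIGIN` and the session values are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server secret; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://admin.example.test"  # assumed site origin


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the admin's session via HMAC; rendered into the real form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token against the session's expected one."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def create_user_vulnerable(request: dict, users: dict) -> int:
    """Handler as the advisory describes it: the admin's cookie alone authorises the request."""
    if request["session"].get("role") != "admin":
        return 403
    users[request["form"]["username"]] = request["form"]["password"]
    return 201


def create_user_hardened(request: dict, users: dict) -> int:
    """Same handler with the missing anti-CSRF token verification plus an Origin check."""
    session = request["session"]
    if session.get("role") != "admin":
        return 403
    # A cross-site page cannot read the session-bound token, so it cannot present it.
    if not csrf_token_valid(session["id"], request["headers"].get("X-CSRF-Token")):
        return 403
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    users[request["form"]["username"]] = request["form"]["password"]
    return 201


def simulate_cross_site_post(handler) -> tuple:
    """Constructed cross-site POST: the browser attaches the admin session, never the token."""
    users: dict = {}
    forged = {
        "session": {"id": "sess-admin-1", "role": "admin"},
        "headers": {"Origin": "https://other.example.test"},
        "form": {"username": "forged-user", "password": "p"},
    }
    return handler(forged, users), "forged-user" in users
```

`simulate_cross_site_post(create_user_vulnerable)` yields `(201, True)`, while the hardened handler rejects the same request with `(403, False)`.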