@alpernae was able to demonstrate that the Enjin Platform's GraphQL interface was missing the appropriate CSRF protection when using a session token. The attack is performed by crafting a malicious HTML form that, when submitted, sends a request to the Enjin platform to revoke the API token. The form is designed to bypass the Cross-Site Request Forgery (CSRF) protection mechanisms in place, such as the XSRF token. This allows the attacker to force the victim's browser to make a request to the Enjin platform on their behalf, leading to the revocation of the API…
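A server-side gate for the missing protection described above, as an added example that is not Enjin's code: it rejects session-cookie GraphQL requests that an HTML form could produce and requires a matching XSRF token. The function name, the cookie and header names (`session`, `XSRF-TOKEN`, `X-XSRF-TOKEN`), the double-submit token scheme and the allowed origin are all assumptions.

```javascript
// Added example (hypothetical names throughout): CSRF gate for a GraphQL
// endpoint that accepts a browser session cookie.
const ALLOWED_ORIGINS = new Set(['https://platform.example']); // constructed value

// Compare without an early exit so timing does not leak how many characters match.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers (lower-case keys), cookies }
function checkGraphqlCsrf(req) {
  const headers = req.headers || {};
  const cookies = req.cookies || {};
  // Without a session cookie the browser attaches no ambient credential, so
  // there is nothing to forge; normal API-token authentication applies downstream.
  if (!cookies['session']) return { ok: true, reason: 'no-session-cookie' };
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  // HTML forms can only send urlencoded, multipart or text/plain bodies.
  // Requiring JSON forces a CORS preflight for any cross-site sender.
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (type !== 'application/json') return { ok: false, reason: 'content-type' };
  // Browsers set Origin on cross-site POSTs; page script cannot override it.
  if (!ALLOWED_ORIGINS.has(headers['origin'])) return { ok: false, reason: 'origin' };
  // Double-submit token: a cross-site page cannot read the cookie value,
  // so it cannot copy that value into the custom header.
  const cookieToken = cookies['XSRF-TOKEN'];
  if (!cookieToken || !constantTimeEqual(headers['x-xsrf-token'], cookieToken)) {
    return { ok: false, reason: 'xsrf-token' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample requests: a cross-site form submission and a same-site call.
const forgedForm = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded', origin: 'https://other.example' },
  cookies: { session: 's3ss10n', 'XSRF-TOKEN': 'tok-123' },
};
const sameSite = {
  method: 'POST',
  headers: { 'content-type': 'application/json; charset=utf-8',
             origin: 'https://platform.example', 'x-xsrf-token': 'tok-123' },
  cookies: { session: 's3ss10n', 'XSRF-TOKEN': 'tok-123' },
};
console.log(checkGraphqlCsrf(forgedForm), checkGraphqlCsrf(sameSite));
```

Run the gate before the GraphQL resolver for every operation on the session-authenticated path, including token-revocation mutations.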