csrf vulnerability
In this vulnerability, if the admin user clicks a phishing link the hacker provides, it can generate a new user that can log in to the website management backend.
I reviewed the code in the project and found that the code where the admin adds other users has no protection against Cross-site request forgery.
So I used Burp to generate the CSRF PoC.
Then, if the admin clicks the button (some CSRF link), it generates a new user admin2 on the website.
admin2 can log in to the website backend.
In further testing, this vulnerability can also be used to delete users on the website.