Account Takeover via CSRF
1. Create an account as an attacker, go to Account Settings, and update the account information.
2. Capture the request with Burp Suite and generate a CSRF PoC.
3. The generated CSRF code looks like the one in the image. 🤔 Replace the email value with anyone@*******.come and submit the request in the victim's account.
4. Forward the above request. The CSRF code worked, so this exploit changes the victim's account email to my email.
5. Last step to account takeover: use the forgot-password method to get the password reset link sent to my email, and now you have full control over the victim's account.
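The chain above works only because the email-change endpoint accepts a request that carries no anti-CSRF token and comes from a foreign origin, and then lets the unverified new address receive password resets. The following is an added example of how such a handler can refuse the forged request (it is not code from the original write-up or from the affected site); the origin `https://app.example` and the request/session dictionaries are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://app.example"  # constructed placeholder for the site being defended


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session (synchronizer token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Reject cross-site requests by checking Origin (or Referer) against our own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # browsers send Origin on cross-site POSTs; treat its absence as untrusted
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def handle_email_change(session: dict, headers: dict, form: dict) -> dict:
    """Handler for the account-settings 'change email' POST.

    Returns a result dict instead of mutating the account directly, so the
    decision can be checked; a real handler would send the verification mail.
    """
    if not origin_allowed(headers):
        return {"status": 403, "reason": "cross-site origin"}
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return {"status": 403, "reason": "missing or invalid csrf token"}
    new_email = form.get("email")
    if not new_email:
        return {"status": 400, "reason": "email required"}
    # Even a same-site, token-bearing request must not flip the login email at
    # once: stage the change and confirm it from the *new* address, so a password
    # reset can never be routed to an address the user has not verified.
    session["pending_email"] = new_email
    return {"status": 202, "reason": "verification mail sent to new address"}
```

The forged request from the PoC page fails at the Origin check; a request replayed from the site itself without the session token fails at the token comparison; only a token-bearing same-site request is accepted, and even then the email is staged rather than applied.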
You can also watch the Account takeover via CSRF Video POC.
Thanks for reading. Subscribe to us for more Bug Bounty Tips.