Login CSRF in Secret.ly

https://www.secret.ly/_/login POST /_/login HTTP/1.1 Host: www.secret.ly User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 55 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache {"Login":"[email protected]","Password":"user_password_here"} As you can see that this form does not contain any CSRF token,So it is vulnerable to Login CSRF attack.And also note that the login request is prone to bruteforce attack.You might want to impose some extra layer of security to prevent bruteforce attacks on **SECRET.LY** Read [this](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) for more information about the requirement of CSRF tokens on login forms.