Open Bug Bounty Community Forum

Coordinated & Responsible Disclosure
https://www.openbugbounty.org/forum/

Authenticated Data Theft

https://www.openbugbounty.org/forum/viewtopic.php?f=7&t=810

Page 1 of 1

Authenticated Data Theft

Posted: Sat Jun 16, 2018 10:07 am
by cybercdh
I have numerous instances of data theft from sites where they have overly permissive crossdomain policies allowing for authenticated data to be POSTed back to an attacker server.

This is essentially CSRF, but with a twist. In some instances I can modify data, but I want to be able to report issues where I can steal data also. This doesn't fit into the template for reporting CSRF on OBB at present - any advice?

Re: Authenticated Data Theft

Posted: Mon Jun 18, 2018 6:34 am
by x1admin
cybercdh wrote:
Sat Jun 16, 2018 10:07 am
 I have numerous instances of data theft from sites where they have overly permissive crossdomain policies allowing for authenticated data to be POSTed back to an attacker server.

This is essentially CSRF, but with a twist. In some instances I can modify data, but I want to be able to report issues where I can steal data also. This doesn't fit into the template for reporting CSRF on OBB at present - any advice?
At this time we dont accept this type of vulnerabilities, maybe we implement this soon
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/