Removing CSRF parameter

Hello all!

I just started using Burp Suite more for things I've never done before, to try to expand my knowledge.

I found a website that allows me to delete the CSRF token parameter completely from a request, and the response still comes back as HTTP/2 200 OK.

I've noticed in the past that when I delete CSRF, the website will block my request; I've never come across it still accepting it.

Is this worth reporting? Or is there some other CSRF implementation that they're using that I'm not used to? And what would this allow me to exploit?

Thanks a ton!

submitted by /u/GANJA2244