#109 · CSRF on any state-changing endpoint
cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.
Description
Any POST endpoint that modifies state without checking session origin. Workers don't get CSRF protection by default; if the auth is just a session cookie + the endpoint has no Origin/Referer check or CSRF token, it's exploitable.
Likely surfaces
/profile/settings(POST)/admin/award(POST) — admins are the highest-value targets/admin/award-request/<id>/approve|reject(POST)/contribute/claimand/contribute/report-bug(POST)- Career Board, Task Exchange, Field Notes mutating endpoints
What to demonstrate
A standalone HTML page that, when visited by an authenticated user, performs an action on their behalf without their knowledge. Demonstrating in same-origin (browser console) is not enough.
--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
No points have been awarded for this bounty yet.
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.