A bug bounty hunter shares four low-impact CSRF vulnerabilities found across private programs: cart spam via a public wishlist feature, a Referer header check bypass, unprotected API endpoints, and deletion of a user's favorites list. All four are covered with minimal technical depth, and the bounties were $25 or swag.
A researcher discovered a CSRF protection bypass on IBM's account management endpoint, which relied on Referer header validation instead of a token. The check only looked for the IBM URL somewhere in the Referer rather than comparing the origin exactly, so hosting the attack page under a path containing the IBM URL on an attacker-controlled domain satisfied it; the resulting cross-site GET request changed the victim's email address.
Ubiquiti UniFi v3.2.10 and below contains a generic CSRF protection bypass: the controller's Referer check fails open when the header is absent, so an attacker who gets the browser to send no Referer can perform unauthorized actions such as changing user passwords, adding new users, and creating WLAN configurations. The exploit uses an HTML form with enctype='text/plain' to make the browser emit a JSON body, an iframe whose source is chosen so that the request carries no Referer, and JavaScript to auto-submit the forged request.
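Both the IBM and the UniFi bypasses come down to the same two server-side mistakes: a substring match on the expected host instead of an exact origin comparison, and treating a missing Referer as trustworthy. The following is an added example (not code from any of the write-ups above, nor from IBM or Ubiquiti) that puts the weak check beside a hardened one and also reproduces the enctype='text/plain' trick that lets a plain HTML form produce a body json.loads() accepts. The host names www.example.com and attacker.example, the header sets, and the form fields are all constructed for illustration.

```python
"""Weak vs. strict Referer/Origin validation for CSRF defence (added example).

Assumed protected site:  https://www.example.com
Assumed attacker site:   https://attacker.example
"""
import json
from urllib.parse import urlsplit

ALLOWED_ORIGIN = ("https", "www.example.com", 443)   # assumed protected origin
ALLOWED_HOST = "www.example.com"


def weak_referer_ok(headers: dict) -> bool:
    """The pattern behind both bypasses described above.

    - substring match: any Referer that merely contains the host name
      passes, including one where it sits in the attacker's URL path or
      in the userinfo part before an '@'.
    - fail-open: a request with no Referer at all is accepted, which is
      exactly what an iframe loaded from a data: URL or a page with a
      no-referrer policy produces.
    """
    referer = headers.get("Referer")
    if referer is None:
        return True                      # fail-open: nothing to check
    return ALLOWED_HOST in referer       # substring match, not origin match


def _origin_of(url: str):
    """Return (scheme, hostname, port) with the default port filled in.
    Using hostname (not netloc) strips userinfo, so 'host@attacker' is
    resolved to the real host the browser would connect to."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:                   # e.g. non-numeric port
        return None
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def strict_origin_ok(headers: dict) -> bool:
    """Exact-origin comparison that fails closed.

    Origin is preferred because browsers send it on cross-site POSTs even
    when Referer is suppressed; Referer is the fallback. No header, or
    the literal 'null' origin a sandboxed/data: frame sends, is rejected.
    This is a defence-in-depth layer, not a replacement for CSRF tokens.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source or source == "null":
        return False                     # fail-closed
    return _origin_of(source) == ALLOWED_ORIGIN


def text_plain_form_body(fields) -> str:
    """Mimic how a browser serialises a form with enctype='text/plain':
    one 'name=value' line per field, CRLF-terminated, no percent-encoding.
    Splitting a JSON document across a field name and value therefore
    yields a body that parses as JSON, with the '=' absorbed by a dummy
    key. This is the technique the UniFi exploit relies on."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


# Constructed sample request headers covering the cases discussed above.
CASES = {
    "legit":            {"Referer": "https://www.example.com/account"},
    "host_in_path":     {"Referer": "https://attacker.example/www.example.com/account"},
    "host_in_userinfo": {"Referer": "https://www.example.com@attacker.example/"},
    "no_referer":       {},
}

# Constructed form: the JSON is split so the browser's '=' lands inside
# a throwaway "ignore" key.
FORGED_FIELDS = [('{"username":"eve","role":"admin","ignore":"', '"}')]


def evaluate(check) -> dict:
    """Run one validator over every sample case; True means accepted."""
    return {name: check(hdrs) for name, hdrs in CASES.items()}


if __name__ == "__main__":
    print("weak  :", evaluate(weak_referer_ok))
    print("strict:", evaluate(strict_origin_ok))
    body = text_plain_form_body(FORGED_FIELDS)
    print("text/plain body:", repr(body))
    print("parsed as JSON :", json.loads(body))
```

Running it shows the weak validator accepting all four cases, including the attacker-hosted paths and the request with no Referer, while the strict one accepts only the genuine same-origin request; the forged text/plain body parses to a JSON object with username "eve" and role "admin", which is why a server that takes the Referer check as its only CSRF defence and accepts any body that parses is exposed.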