Add new Application & Change User’s Avatar CSRF Vulnerability –

July 19, 2013 bug bounty is running under the Paypal bug bounty program and i got paid .
Bug1  Add new Application : provided option to add the new application in account settings. Due to missing of CSRF token this vulnerability successfully executed and unauthorized application is added anonymously in the user’s account .
CSRF Vulnerable URL :

To reproduce this vulnerability i have attached Proof Of Concept ..

Direct Download Link of POC :

Bug2 Change User’s Avatar allow to change user’s default avatar.
I found the there is CSRF token is missing in avatar change module , this can be used to set  user’s default avtar forcefully.
CSRF Vulnerable URL :
<form action=”” method=”GET”>
<input type=”submit” name=”submit”>
Thank you Paypal & for running such a good program – g4h Team.
We Provide Penetration Testing

We Provide Penetration Testing