DevHub validates CSRF tokens, but it checks them against a global pool, so any valid token from any session passes. Get your own token, craft an attack page, queue the admin bot, and escalate your role.
Use your own valid CSRF token in a forged request that the admin bot submits — promoting your account to admin and revealing the flag.
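The global-pool check described above, next to a session-bound check that rejects a token issued to a different session. This is an added example, not DevHub's code; the store names, session ids and function names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the application's state.
GLOBAL_TOKENS = set()     # flawed design: one pool shared by every session
SESSION_TOKENS = {}       # hardened design: session id -> its own token


def issue_token(session_id):
    """Mint a token and record it in both stores so the checks can be compared."""
    token = secrets.token_urlsafe(32)
    GLOBAL_TOKENS.add(token)
    SESSION_TOKENS[session_id] = token
    return token


def validate_global(session_id, token):
    """Flawed check: accepts any token ever issued, whoever it was issued to."""
    return token in GLOBAL_TOKENS


def validate_bound(session_id, token):
    """Hardened check: the token must be the one issued to this session."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not isinstance(token, str):
        return False
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(expected.encode(), token.encode())


def demo():
    """Compare both checks on a request carrying another session's token."""
    user_token = issue_token("sess-user")
    admin_token = issue_token("sess-admin")
    return {
        # Request arrives on the admin session but carries the user's token.
        "global_accepts_foreign": validate_global("sess-admin", user_token),
        "bound_accepts_foreign": validate_bound("sess-admin", user_token),
        # The admin's own token must still pass the hardened check.
        "bound_accepts_own": validate_bound("sess-admin", admin_token),
        # A session that was never issued a token is rejected outright.
        "bound_accepts_unknown": validate_bound("sess-none", user_token),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session is what makes it a CSRF defence: a token the requester obtained in their own session then proves nothing about a request arriving on someone else's.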