Challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic unless clearly specified in the challenge information below.
Note: Use a keen eye on this challenge to notice what's happening
Our admin panel was hacked because someone discovered a way to force a request to be sent when we visited a malicious website. I got John onto it and he added CSRF protection, and even did some checks to make sure no-one was trying to iframe us from their site! I think we're safe now. I've learnt on what CSRF is and i'm pretty sure no-one can force the admin password to be reset if we were tricked onto another malicious site.
Challenge target: Can you successfully force the admin password to be updated via CSRF? This means you must be on YOUR site and be able to force the data to be updated successfully. You must see the "Changes saved!" message in green (or prove it with screenshot of request), and your attack should require no more than 1 user interaction.