03-19-2016, 02:14 AM
Hi,
Thanks for looking into it, and so promptly.
I have had a go in a live environment. First I had a go on the demo site. I had trouble signing up normally (no reaction when I'd hit register on a fully completed form?), so I decided to set up my own live test environment.
I was able to do the same exploit.
1. created spoof form and directed it to the live joinThankyou.php file
2. I removed all the ID=username, ID=other_field_names...
3. Then I edited the script with the jQuery to remove the if(data=success) condition.
4. I generated a real csrf from a live form, then copied it into my spoof form.
After that, I chucked a bunch of characters into the username field and hit submit. That bypassed the validation and entered the database. It was good to see that the quotes I entered were all escaped as either … or `&#039;`.
Hope that helps in some way.
T.
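The steps above show that a hand-built form can skip the jQuery check entirely, so the only validation that counts is the one the server does after the POST arrives. The following is an added Python illustration (not the project's PHP, and not code from the poster) of what a joinThankyou.php-style handler needs: a server-side username rule, a constant-time CSRF token check, and output escaping applied only at render time. The `USERNAME_RE` rule and the `SESSION` store are assumptions made for the example.

```python
import html
import hmac
import re
import secrets

# Assumed server-side rule: the client-side check may be removed by anyone,
# so this regex, not the JavaScript, decides what reaches the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")

# Constructed session store: the token handed out when the form was rendered.
SESSION = {"csrf_token": secrets.token_hex(16)}


def validate_registration(form: dict, session: dict) -> dict:
    """Re-check every field of a POSTed registration on the server.

    Returns {"ok": True, "username": ..., "html": ...} or
    {"ok": False, "errors": [...]} with the failing checks in order.
    """
    errors = []

    # CSRF: compare the submitted token with the session's in constant time.
    token = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), expected.encode()):
        errors.append("csrf")

    # Username: a whitelist rule rejects quotes and angle brackets outright
    # instead of relying on escaping to neutralise them later.
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        errors.append("username")

    if errors:
        return {"ok": False, "errors": errors}

    # Store the validated raw value; escape when rendering, not when storing.
    # (Python's html.escape emits &quot; and &#x27;, where PHP's
    # htmlspecialchars with ENT_QUOTES emits &quot; and &#039;.)
    return {"ok": True, "username": username,
            "html": html.escape(username, quote=True)}
```

A valid token copied from a real form gets past the CSRF check, as the poster observed, but the username rule still rejects the junk input.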