/mangahigh-solver

This project solves any task in Mangahigh

Primary Language: Python

Mangahigh solver

This project solves any math activity on the Mangahigh platform.

  • How it works

The platform has a vulnerability that is known in the community: a Cross-site Scripting (XSS) flaw that allows JavaScript to be injected in the console through the free response feature offered by the platform. Injecting the command document.querySelector('#solutions'); makes the page return HTML that, when rendered, shows the final answer for the task.

  • How to fix the vulnerability

Although the platform has manual protection against automated XSS, it allows the client to send the injection and returns the response. Also, for the vulnerability to occur, the user must select and inspect an element of the <body></body>. The solution to this problem is simple: create an authentication step in the free answer resource by adding a unique id='' to each answer. A check on the server would then ensure that, even with JavaScript injected in the browser console, only a free solution would be sent to the client.
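One way to implement the server-side check described above, as an added example that is not this project's or the platform's code. The function names, the HMAC-signed id format and the in-memory stores are assumptions made for illustration; the point is that the solution stays on the server and the browser only ever receives a correct/incorrect verdict.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the browser
SOLUTIONS = {"q1": "42"}              # constructed sample data, held server-side only
_used_ids = set()                     # answer ids already redeemed (single use)


def _tag(user: str, question: str, nonce: str) -> str:
    """HMAC binding an answer id to one user and one question."""
    msg = f"{user}|{question}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_answer_id(user: str, question: str) -> str:
    """Return the unique id the page embeds in the free-answer form."""
    if question not in SOLUTIONS:
        raise KeyError(question)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_tag(user, question, nonce)}"


def check_answer(user: str, question: str, answer_id: str, answer: str) -> dict:
    """Verify the id on the server, then grade without returning the solution."""
    nonce, _, tag = answer_id.partition(".")
    expected = _tag(user, question, nonce)
    # Constant-time comparison on bytes; rejects forged or re-bound ids.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return {"ok": False, "error": "invalid id"}
    if answer_id in _used_ids:
        # One id grades one attempt, so guesses cannot be replayed on the same id.
        return {"ok": False, "error": "id already used"}
    _used_ids.add(answer_id)
    solution = SOLUTIONS[question].encode()
    correct = hmac.compare_digest(answer.strip().encode(), solution)
    # Only the verdict leaves the server; nothing like '#solutions' reaches the DOM.
    return {"ok": True, "correct": correct}
```
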

  • Final findings on the platform:

  • Protection against automated software that prevents the inspection of elements (Necessary for the vulnerability to work)

  • XSS protection

  • Encryption in responses

  • Response request verification

  • Tools that were used in the tests:

Selenium

  • Developed by: Danimar Costa