In a storm video, CSRF can Reset Password protection for any user.

The problem lies in password protection in the personal center.

Let's take a look at the password of xfkxfk123:

Next we will set up the password protection problem for tester123 users, and then capture the packet:

 





 

Here is a GET request, without csrf restrictions.

Key points:
1. The request here has the username parameter, but this username does not have it.
2. Some users have already set a password and need to answer the previous questions When resetting the password on the page. However, we can skip the packet capture test here to answer questions and reset the password directly.

We have constructed the request connection:

Http://user.baofeng.com/user? A = setQuestion & question1 = % E6 % 9A % B4 % E9 % A3 % 8E % E5 % BD % B1 % E9 % 9F % B3 & answer1 = % E6 % 9A % B4 % e9 % A3 % 8E % E5 % BD % B1 % E9 % 9F % B3 & callback = Security. setQuestionResult

Both questions and answers are: Storm audio and video

After xfkxfk123 accesses this connection, it will reset its password protection problem:

Through the returned status, and from the page, the xfkfk123 password protection has been successfully reset, and the previous password protection problem has not been entered. If you do not set the password protection, you can also set the password protection that we control for it.

 

Return to the forgot feature:

1. If you have not set password protection, enter the user name and send the password to reset the connection.

2. If you have set password protection, after entering the user name, you will be asked to enter the password protection question, and then send the password to reset the connection.

Use a portal: http://www.bkjia.com/Article/201309/243323.html -- mailbox binding CSRF

The password reset CSRF can also be used to reset the user password.
 
Solution:

Preventing csrf is almost the same

You must also reply to the previous password reset before resetting the password.