1) I heard that Meitu has two registered users, sina.cn and sina.com.
2) I logged on as sina.cn and found that the settings page contains a contact number and a region; there is no strict filtering, which leads to a stored XSS.
3) But this stored XSS can only be triggered by the user itself. If you could set the region of other users to the XSS code, wouldn't it be possible to × other users?
4) Test whether you can modify others' settings.
5) Packet-capture analysis found that the cookies contain the user identity parameter "mid" and the user name. Can they be used here?
6) Modify the "mid" parameter value to the mid value of the sina.com user and submit. The system reports that the modification succeeded.
7) We found that the contact information of the sina.cn user had not changed, while the contact information of the sina.com user was set successfully.
8) In this case, if the system has this defect, you can modify the contact information of any user; using the same approach, we only need to replace the corresponding value with our XSS code to hijack any user, and the user's login will be hijacked.
9) Haha, if a VIP user is hijacked, won't you download the beautiful pictures!!

Solution: Filter dangerous characters and strengthen user authentication!
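The two defects in the report are independent: the settings handler trusts a client-supplied "mid" to choose which record it writes, and the stored contact/region text is later rendered without escaping. The following is an added example (not Meitu's code, and not from the report) showing how a settings handler would close both gaps: the target user is always derived from the server-side session, a mismatching "mid" is refused, and fields are HTML-escaped at render time. The session store, user records, token names and field names are all constructed for the example.

```python
import html

# Constructed sample data: session tokens bound to a user id ("mid"),
# and each user's editable settings (contact number and region).
SESSIONS = {"tok-cn": "1001", "tok-com": "2002"}
USERS = {
    "1001": {"name": "user@sina.cn", "contact": "", "region": ""},
    "2002": {"name": "user@sina.com", "contact": "", "region": ""},
}

MAX_FIELD_LEN = 64


class Forbidden(Exception):
    """Raised when a request tries to act on a record it does not own."""


def resolve_mid(session_token):
    """Derive the acting user from the server-side session, never from a
    client-supplied 'mid' cookie or form field."""
    mid = SESSIONS.get(session_token)
    if mid is None:
        raise Forbidden("no valid session")
    return mid


def update_settings(session_token, requested_mid, contact, region):
    """Hardened handler: the record written is always the session owner's.
    A 'mid' that disagrees with the session is rejected rather than honoured
    (a good signal to log as a tampering attempt)."""
    actor = resolve_mid(session_token)
    if requested_mid is not None and str(requested_mid) != actor:
        raise Forbidden("mid does not match session owner")
    for value in (contact, region):
        if len(value) > MAX_FIELD_LEN:
            raise ValueError("field too long")
    # Store the raw text; escaping belongs at output time (render_settings),
    # so the same value stays safe in every HTML context it is shown in.
    USERS[actor]["contact"] = contact
    USERS[actor]["region"] = region
    return actor


def render_settings(mid):
    """Escape stored text for an HTML body so it cannot break out of the
    element and run as script."""
    u = USERS[mid]
    return (
        f"<p>Contact: {html.escape(u['contact'])}</p>"
        f"<p>Region: {html.escape(u['region'])}</p>"
    )


def demo():
    """Replay the report's scenario: a sina.cn session submits the
    sina.com user's mid, then writes a script payload into its own region."""
    payload = "<script>alert(1)</script>"  # constructed test string
    try:
        update_settings("tok-cn", "2002", "123", payload)
        return "cross-user write allowed"  # would indicate the IDOR is still present
    except Forbidden:
        pass
    update_settings("tok-cn", "1001", "123", payload)
    return render_settings("1001")


if __name__ == "__main__":
    print(demo())
```

With both controls in place the cross-user write from step 6 is refused before any record is touched, and the region text from step 2 reaches the browser as inert `&lt;script&gt;` markup. Filtering input characters alone, as the report's solution suggests, is weaker than escaping at output, because the set of dangerous characters depends on where the value is rendered.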