SelectFieldTampering.jsp
<!DOCTYPE html>
<%@ include file="/WEB-INF/jsp/template/tags.jsp"%>
<html>
<head>
<title>Parameter Tampering Example</title>
<%@ include file="/WEB-INF/jsp/template/head.jsp"%>
</head>
<body>
<c:url value="../attacks.html" var="url" />
<a href="${url}">
<img src="${pageContext.request.contextPath}/resources/images/back-icon.png" alt="Return to examples page" class="back" />
</a>
<h1>How to Exploit Form Fields</h1>
<p><b>General Goal(s):</b></p>
<p>The user will be able to exploit a select field to obtain all users' orders.</p>
<p>First, click the 'View Orders' button to display all the orders
of the <b>j2ee</b> user.</p>
<p>Then, set the username parameter to the following value when you post
the form: <b>ACID</b></p>
<form:form action="processListOrdersSelect.html" method="post" modelAttribute="order">
<p>
<label for="username">Select Username:</label>
<form:select path="username">
<form:option value="j2ee" label="j2ee" />
</form:select>
</p>
<form:button>View Orders</form:button>
</form:form>
<%@ include file="/WEB-INF/jsp/template/footer.jsp"%>
</body>
</html>
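The exercise above works because the form renders a single option (j2ee) but the handler behind processListOrdersSelect.html trusts whatever value arrives in the username parameter. The following is an added, dependency-free Java sketch (not the project's own controller, whose implementation is not shown on this page) that models that handler twice: a vulnerable version that uses the posted value as-is, and a hardened version that checks the value against the options the server actually rendered and against the authenticated session user. The order data, the session user and the two POST bodies are constructed for the demo; class and method names are hypothetical.

```java
// Added example: models the POST handler behind processListOrdersSelect.html.
// Not the project's code; data and names below are constructed for illustration.
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SelectFieldTamperingDemo {

    /** Constructed sample order store keyed by username. */
    private static final Map<String, List<String>> ORDERS = new LinkedHashMap<>();
    static {
        ORDERS.put("j2ee", Arrays.asList("j2ee-order-1", "j2ee-order-2"));
        ORDERS.put("ACID", Arrays.asList("ACID-order-1"));
    }

    /** The only value the <form:select path="username"> on the page offers. */
    private static final Set<String> RENDERED_OPTIONS = Collections.singleton("j2ee");

    /** Vulnerable handler: trusts the posted "username" just because the
     *  HTML select only offered one option. The browser is not the boundary. */
    static List<String> listOrdersVulnerable(Map<String, String> postParams) {
        String username = postParams.get("username");
        return ORDERS.getOrDefault(username, Collections.<String>emptyList());
    }

    /** Hardened handler: the posted value must be one of the options the server
     *  rendered, and the requested user must be the authenticated session user.
     *  Both checks happen on the server, so editing the POST body cannot bypass them. */
    static List<String> listOrdersHardened(Map<String, String> postParams,
                                           String authenticatedUser) {
        String username = postParams.get("username");
        if (username == null || !RENDERED_OPTIONS.contains(username)) {
            // Worth logging: a value that was never rendered means the client tampered.
            throw new IllegalArgumentException(
                "username not among rendered options: " + username);
        }
        if (!username.equals(authenticatedUser)) {
            throw new SecurityException(
                "user " + authenticatedUser + " may not view orders of " + username);
        }
        return ORDERS.get(username);
    }

    public static void main(String[] args) {
        // Constructed POST bodies: the legitimate one and the tampered one from the exercise.
        Map<String, String> legitimate = Collections.singletonMap("username", "j2ee");
        Map<String, String> tampered   = Collections.singletonMap("username", "ACID");
        String sessionUser = "j2ee"; // assumption: the logged-in user of the exercise

        System.out.println("vulnerable, legitimate: " + listOrdersVulnerable(legitimate));
        // The tampered request returns ACID's orders: the leak the exercise demonstrates.
        System.out.println("vulnerable, tampered:   " + listOrdersVulnerable(tampered));

        System.out.println("hardened, legitimate:   " + listOrdersHardened(legitimate, sessionUser));
        try {
            listOrdersHardened(tampered, sessionUser);
        } catch (RuntimeException e) {
            System.out.println("hardened, tampered:     rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SelectFieldTamperingDemo.java && java SelectFieldTamperingDemo`. The second check (ownership against the session user) is the one that actually matters: an allowlist of rendered options only helps while the option list is static, whereas tying the lookup to the authenticated principal closes the hole even when a user legitimately has several options to choose from.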