The GET request for removing a product with id=1 looks like this:
http://127.0.0.1:8888/cart_remove.php?id=1
Changing the value of the id parameter in the customer session will remove the product with that ID.
A remote attacker can embed the request into an innocent-looking hyperlink:
Entice the customer to click on the link to the malicious site. When the customer browses to that site, the link would be automatically clicked via JavaScript and the product will be removed.
Response in Burpsuite
Source code review
cart_remove.php
Remediation
Implement an Anti-CSRF Token.
The text was updated successfully, but these errors were encountered:
Author
KhanhCM (@khanhchauminh)
Version: 1.0
Details
The GET request for removing a product with
id=1looks like this:Changing the value of the
idparameter in the customer session will remove the product with that ID.A remote attacker can embed the request into an innocent-looking hyperlink:
Step to reproduce
PoC:
Response in Burpsuite
Source code review
cart_remove.php
Remediation
Implement an Anti-CSRF Token.
The text was updated successfully, but these errors were encountered: