When the super administrator (uid = 1) logged in, there are 2 important POST methods without CSRF protection, can change his username and password respectively. This can be achieved by cheating the super administrator to open the 2 pages when he logged in. poc1.html (Change the username to 'hacker')
When the super administrator (uid = 1) logged in, there are 2 important POST methods without CSRF protection, can change his username and password respectively. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
poc1.html(Change the username to 'hacker')poc2.html(Change the password to '123456')Or we made only 1 page POC to make it easy to attack.
poc.htmlThe text was updated successfully, but these errors were encountered: