- CSRF --> Cross-Site Request Forgery
- -----------------------------------
- It happens when a user visits a website on which he is an authenticated user. An attacker sends you a script (a malicious script) which makes you fill in your own details in the script (a web page, web-based application, web form...). The request goes out with your session, so the site treats it as yours.
- www.bank.in | www.moviesdownload.in
- Username:
- Password:
- E-mail:
- Credit Card Number:
- please reset the password of moviesdownload.in
- current password:
- new password:
- confirm password:
- password will change at: www.bank.in
- www.facebook.com
- forget password
- email
- mobile number
- OTP Range --> 0000-9999
- 000000-999999
- Brute Force attack
- www.facebook.com --> 5+ OTP try --> 24 hours block
- m.facebook.com --> 5+ OTP try --> 24 hours block
- beta.facebook.com --> infinite tries --> the account is not blocked
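The lockout the notes describe (five failed OTP tries, then a 24-hour block), written as an added example that is not code from the original page. The point it shows is that the failure counter is keyed on the account, not on which front-end (www, m, beta) received the guess, so an alternate host cannot be used to sidestep the limit. The in-memory store and the sample account/OTP values are constructed for the example.

```python
import hmac
import time

MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 24 * 60 * 60  # the 24-hour block from the notes


class OtpVerifier:
    """Per-account OTP check whose lockout counter is shared by every front-end.
    A real deployment would keep the two dicts in a shared cache or database."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the lockout can be tested
        self._issued = {}        # account -> current one-time code
        self._failures = {}      # account -> (failed_count, locked_until)

    def issue(self, account, otp):
        self._issued[account] = otp

    def verify(self, account, host, attempt):
        """host is accepted for logging only; it deliberately plays no part in the limit."""
        count, locked_until = self._failures.get(account, (0, 0.0))
        if locked_until:
            if self._now() < locked_until:
                return "locked"
            count = 0            # lockout expired: start a fresh window
        expected = self._issued.get(account)
        if expected is not None and hmac.compare_digest(expected, attempt):
            self._failures.pop(account, None)
            self._issued.pop(account, None)   # one-time: a used code cannot be replayed
            return "ok"
        count += 1
        if count >= MAX_ATTEMPTS:
            self._failures[account] = (count, self._now() + LOCKOUT_SECONDS)
            return "locked"
        self._failures[account] = (count, 0.0)
        return "wrong"


def demo():
    """Constructed scenario: four wrong guesses via www/m/beta, a fifth locks the
    account, the correct code is refused while locked, and accepted after 24 h."""
    clock = [1000.0]
    v = OtpVerifier(now=lambda: clock[0])
    v.issue("alice", "483920")             # constructed sample OTP
    results = []
    for i, host in enumerate(["www", "m", "beta", "beta", "beta"]):
        results.append(v.verify("alice", host, "%06d" % i))   # 000000 ... 000004
    results.append(v.verify("alice", "beta", "483920"))       # right code, but locked
    clock[0] += LOCKOUT_SECONDS + 1
    results.append(v.verify("alice", "www", "483920"))        # lockout over
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `['wrong', 'wrong', 'wrong', 'wrong', 'locked', 'locked', 'ok']`: the fifth guess through `beta` trips the same counter the `www` and `m` guesses filled.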
- 1000$ --> facebook bug----> 7,00,000
- Black Market ---> 10 times
- Obama hack ---> Hacked By Indian Hacker
- Black list ---> unethical and illegal work
- He promised that he will only use his knowledge for ethical hacking.
- Banking sites --> money transactions, Paytm money transfer ---> wallet
- CSRF --> Money amount----> 500 ---> 5000
- 8979234509 ---> 8054503615
- <html>
- <body>
- <form action="http://127.0.0.1/dv18/vulnerabilities/csrf/" method="GET">
- enter credit card Number<br><input type="text"> <br>
- New password:<br>
- <input autocomplete="off" name="password_new" type="password"><br>
- Confirm new password: <br>
- <input autocomplete="off" name="password_conf" type="password">
- <br>
- <input value="Change" name="Change" type="submit">
- </form>
- </body>
- </html>
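The form above is the attacker's side: a page on another origin that submits a password change to the vulnerable application with the victim's session attached. The following is an added example, not code from the page or from DVWA, of what the receiving handler has to check so that such a request is refused: the state change must be a POST, the Origin (or Referer) must be the application's own, and a session-bound CSRF token must be present. The request/session dicts, `SITE_ORIGIN` and the sample values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://127.0.0.1"   # origin that legitimately serves the change-password form


def make_csrf_token(session_id, secret):
    """Token derived from the session id with a server secret: a page on another
    origin cannot read the victim's session, so it cannot produce this value."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url):
    p = urlparse(url)
    return "%s://%s" % (p.scheme, p.netloc)


def change_password(request, session, secret):
    """request: {'method', 'headers', 'params'}; session: the caller's server-side session.
    Returns a status string. Every check runs before any state is touched."""
    if request["method"] != "POST":
        return "rejected: state change must be POST"       # the attacker form uses GET
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not src or _origin_of(src) != SITE_ORIGIN:
        return "rejected: cross-site origin"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session["id"], secret)):
        return "rejected: missing or bad CSRF token"
    if request["params"].get("password_new") != request["params"].get("password_conf"):
        return "rejected: passwords differ"
    session["password"] = request["params"]["password_new"]
    return "changed"


def demo():
    secret = secrets.token_bytes(32)
    session = {"id": "sess-123", "password": "old"}          # constructed victim session
    cross_site = {                                            # what the HTML form above submits
        "method": "GET",
        "headers": {"Referer": "http://attacker.example/page.html"},
        "params": {"password_new": "pwned", "password_conf": "pwned", "Change": "Change"},
    }
    cross_site_post = dict(cross_site, method="POST")         # same form switched to POST
    legit = {                                                 # the site's own form, with token
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "params": {"password_new": "s3cret", "password_conf": "s3cret",
                   "csrf_token": make_csrf_token(session["id"], secret)},
    }
    statuses = [change_password(r, session, secret) for r in (cross_site, cross_site_post, legit)]
    return statuses, session["password"]


if __name__ == "__main__":
    print(demo())
```

The attacker's form fails on the first check; even a POST version of it fails on the origin check before the token is ever compared, and the password only changes for the request that carries the session-bound token from the site's own origin.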
- Missing Function Level Access Control
- -------------------------------------
- www.xyz.com/admin/changePassword
- www.xyz.com/rohit/changePassword
- University
- ----> Vice Chan
- ---->chan
- --->Dean
- --->HOD
- --->Professor
- --->Student
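The two URLs above differ only in the account segment; the flaw is a server that lets the URL decide what the caller may do. As an added example (not from the page), the handler below makes the decision from the caller's identity and role on every request, using the university hierarchy from the notes as the role ladder. The rank numbers, the user directory and the rule that `/admin/` functions need dean or above are assumptions made for the example.

```python
from urllib.parse import urlparse

# Role hierarchy from the notes, lowest rank first (rank values are constructed)
ROLE_RANK = {"student": 1, "professor": 2, "hod": 3, "dean": 4,
             "chancellor": 5, "vice_chancellor": 6}

# Constructed user directory: account name -> role
USERS = {"rohit": "student", "priya": "professor", "meera": "dean"}

ADMIN_MIN_ROLE = "dean"   # assumption: /admin/... functions need dean or above


def authorize(principal, path):
    """principal: {'user': ..., 'role': ...} taken from the server-side session,
    path: e.g. '/rohit/changePassword'. Returns 'allow' or 'deny: <reason>'.
    Knowing or guessing a URL never grants access by itself."""
    parts = [p for p in urlparse(path).path.split("/") if p]
    if len(parts) != 2 or parts[1] != "changePassword":
        return "deny: unknown function"
    target = parts[0]
    caller_rank = ROLE_RANK.get(principal["role"], 0)
    if target == "admin":
        if caller_rank >= ROLE_RANK[ADMIN_MIN_ROLE]:
            return "allow"
        return "deny: admin function requires %s or above" % ADMIN_MIN_ROLE
    if target == principal["user"]:
        return "allow"                   # everyone may change their own password
    target_role = USERS.get(target)
    if target_role is None:
        return "deny: no such account"
    if caller_rank > ROLE_RANK[target_role]:
        return "allow"                   # a higher rank may reset a subordinate's password
    return "deny: not your account"


def demo():
    rohit = {"user": "rohit", "role": "student"}
    priya = {"user": "priya", "role": "professor"}
    meera = {"user": "meera", "role": "dean"}
    return [
        authorize(rohit, "/rohit/changePassword"),   # own account
        authorize(rohit, "/admin/changePassword"),   # swapping 'rohit' for 'admin' is not authorization
        authorize(rohit, "/priya/changePassword"),   # someone else's account, higher rank
        authorize(priya, "/rohit/changePassword"),   # professor over student
        authorize(meera, "/admin/changePassword"),   # dean meets the admin requirement
        authorize(rohit, "/ghost/changePassword"),   # no such account
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second call is the case from the notes: the student's request for `/admin/changePassword` is refused because the check reads the role out of the session, not out of the path.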
- Unvalidated Redirects & Forwards
- --------------------------------
- I can visit each and every directory of the website without any authentication.... I can visit and change the configuration of the system just by visiting the site's directory, without any authorization....
- www.xyz.com/index/who/php?id=something
- www.hackKrLo.com
- www.xyz.com/index/who/php?id=www.hackKrLo.com
- will open www.hackkrlo.com --> I will ask the user for the juicy data.....
- XSS + Unvalidated redirects & forwards --> big hack
- Netsparker
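The redirect above is exploitable because the `id` value is used as the destination with no check. As an added example (not code from the page or the site it mentions), the function below is what the redirecting endpoint should run over that parameter: it accepts only a site-relative path or an absolute http(s) URL whose host is on an allowlist, and falls back to a safe default for everything else, including bare host names like the one in the notes, protocol-relative `//host` forms, backslash variants and userinfo tricks. `SITE_HOST` and the sample parameter values are constructed for the example.

```python
from urllib.parse import urlparse

SITE_HOST = "www.xyz.com"         # host from the notes; compared exactly, not as a substring
ALLOWED_HOSTS = {SITE_HOST}


def safe_redirect_target(candidate, default="/"):
    """Return `candidate` only if it points back into this site, else `default`."""
    if not candidate:
        return default
    c = candidate.strip().replace("\\", "/")    # browsers treat backslashes as slashes
    if c.startswith("/") and not c.startswith("//"):
        return c                                 # site-relative path; //host is refused
    parsed = urlparse(c)
    if (parsed.scheme in ("http", "https") and parsed.hostname
            and parsed.hostname.lower() in ALLOWED_HOSTS):
        return c                                 # absolute URL back to our own host
    return default                               # bare host, other scheme, foreign host


def demo():
    """Constructed values of the ?id= parameter from the notes' URL."""
    cases = [
        "/index/who.php?page=2",
        "https://www.xyz.com/account",
        "www.hackKrLo.com",                       # the notes' example: bare foreign host
        "http://www.hackKrLo.com/",
        "//www.hackKrLo.com/",
        "/\\www.hackKrLo.com",
        "http://www.xyz.com@www.hackKrLo.com/",   # userinfo trick: real host is the foreign one
        "javascript:alert(1)",
        "",
    ]
    return {c: safe_redirect_target(c) for c in cases}


if __name__ == "__main__":
    for src, dst in demo().items():
        print("%-40r -> %r" % (src, dst))
```

Only the first two inputs survive; every variant that would leave `www.xyz.com` is replaced by `/`. Note that `urlparse` treats a scheme-less `www.hackKrLo.com` as a path, which is why the allowlist test is applied to `hostname` of a full URL and never to a bare string.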