Uses XSS vulnerability easy to get login user's cookie

Foreword

After recently visiting the small program, which found a small application program is user account information is automatically registered in a station. So I go to the website looked under, WOW! ~ Lot of input boxes to easily test the next xss.

XSS vulnerabilities found

In the learning purposes of communication with trembling fingers the user name input box at the input the following code: <script>alert(1)</script>

emm ... did not respond, the heart suddenly bereft, not as a pop-up box to the expected, and sighed. However, whatever the outcome is a program ape, you can not give up. Xss will find some of the variability test the code: </textarea><img onerror="alert(1)" src='1'>

WOW! Stick blankly!

Further exploit XSS vulnerabilities

At that time I was thinking, his little program is a recharge. Or financial administrator will certainly look all right today, there is no consumer ah ~ what new users recharge ah ~ ~ it had better brush pen two top of the list, and then implanted xss in a user name, gong fishing take the bait. Begins search engine to find a few xss platform with https, the check can get a cookie modules:

Two (first) years (two) later (day) ...

Fish bait - success to get a user name and a cookie, then hung agency, developer tools, Application, modify Cookies, refresh the page.

Really lucky

Xss doing something for the first time use, very comfortable. Unfortunately, the background and the user center are shared, and did not find a place to upload files reuse.

You can only charge a little money Han ~

Vulnerabilities submitted

Feedback to the relevant administrators to fix it.

Conclusion

Doing development, security awareness must be ah!