Alright. But is lava prodigits "based" then? Anyway, I found a way through lava sites, whether the sid is in the URL or a PHP session cookie. Only drawback: it's browser dependent. Yo killer, we could run a test on your site.
Using $_SESSIONS/COOKIES? Maybe you should read this first.
-
The hack I cooked up is written in CSRF + AJAX. AJAX only works on web browsers. So, the victim has to be using one. The screenshot I promised:
http://coderrr.wen.ru/mgwebalpha-screenshot.JPG and http://coderrr.wen.ru/mgwebalpha-logged-screenshot.JPG
That's all I can shoot for copyright reasons. And yes, it's AJAX driven but works with my mobile database.
-
I'm not saying DON'T use it, I'm showing you a hole. All you have to do is block the hole lol. Which brings us to the 2nd part of my thread. I have written a class that automatically validates every POST form in my page to avoid noob CSRF, and I use one I got from GitHub to do AJAX CSRF protection. Search "php csrf helper" on GitHub to get any one. And ffs please avoid GET requests. NOTE: if you have an XSS hole, you might as well not bother downloading the CSRF helper.
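The kind of per-form check the post above describes, as an added example (not the poster's class and not any GitHub helper). The function names are hypothetical, and the session is passed in as a plain array so the script runs from the PHP CLI; in a real page you would pass `$_SESSION` and `$_POST`.

```php
<?php
// Added example: session-bound CSRF token for POST forms.
// csrf_token(), csrf_field() and csrf_check() are hypothetical names.

function csrf_token(array &$session): string
{
    // One unpredictable token per session, created on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_field(array &$session): string
{
    // Hidden input to embed in every form that changes state.
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

function csrf_check(string $method, array $post, array $session): bool
{
    // State-changing actions are accepted over POST only, never GET.
    if (strtoupper($method) !== 'POST') {
        return false;
    }
    $sent  = $post['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    // Reject missing tokens and non-string input (e.g. csrf_token[]=x).
    if (!is_string($sent) || $sent === '' || $known === '') {
        return false;
    }
    // Constant-time comparison against the token stored server-side.
    return hash_equals($known, $sent);
}

// Constructed demo data: one session, three incoming requests.
$session = [];
echo csrf_field($session), PHP_EOL;

$sameSite  = ['csrf_token' => $session['csrf_token'], 'msg' => 'hi'];
$crossSite = ['msg' => 'hi'];                       // forged form, no token
$guessed   = ['csrf_token' => str_repeat('0', 64)]; // wrong token

foreach (['same-site POST' => ['POST', $sameSite],
          'forged POST'    => ['POST', $crossSite],
          'guessed token'  => ['POST', $guessed],
          'GET with token' => ['GET',  $sameSite]] as $label => [$m, $p]) {
    echo $label, ': ', csrf_check($m, $p, $session) ? 'accepted' : 'rejected', PHP_EOL;
}
```

The token only helps while page scripts from other origins cannot read it, which is why the post's note about XSS applies: injected script running in the page can read the hidden field and submit it.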