The injection occurs in the application/x-www-form-urlencoded type of request. First, we will review the request. The request is a GET request with a parameter of list= to receive the list of decoy users. This can be verified by issuing a request to the application/x-www-form-urlencoded type. The application/x-www-form-urlencoded type can be used to create a fake user. We have created a fake user with the name “1”. The decoy user’s email address is bev@test.com. When viewing the decoy user’s profile, the email address displayed is bev@test.com, the one included in the decoy user’s profile.

Request to the Application/x-www-form-urlencoded Type

The first thing to do is request the application/x-www-form-urlencoded type. It can be done by using a GET request with a parameter of list=. In this request, we are using the variable name userlist. The list is set to receive the list of decoy users that have been created. We want to return only one item: 1.

Step 1: Create a fake user with the name “1”

Creating the fake user is very easy. To create a fake user, we can use the following command:

    String newUser = "1";
    user = context.getCurrentUser().addToProfile(newUser);

You will be prompted to validate the email address. After validating the email address, you are required to enter a password for the user. You must enter a password in order to create a decoy user. For this example, we entered “test” as the password for our decoy users.
Once the fake user has been created, it will be in your list of decoy users and can be used in your attack payloads.

Timeline

Published on: 09/08/2022 16:15:00 UTC
Last modified on: 09/12/2022 14:06:00 UTC

References