Cross Site Request Forgeries

I recently participated in STEM CTF, and there was one challenge that I found particularly fun to figure out. The situation was quite straightforward: gain access to an account on a social networking website.

At first you are presented with a login page, which lets you register or request that your password be e-mailed to your account's associated e-mail address through a POST of the username to an email_password function. So, I decided to create an account and see what else I could do. Sure enough, there was an update e-mail ability, which turned out to POST the new values for account attributes. This means that you could simply visit /EditProf?attribute=email&newValue= to update the e-mail address of the account you were logged in as.

These in combination seem like they could be great for a CSRF (can be pronounced "sea surf") attack! CSRF is essentially the ability to change the values in a URL and send that URL to the target, so that when they click it their own logged-in browser updates values, transfers money, etc. in their account. For example, if wutbook.com were vulnerable, somebody could click a link such as wutbook.com/EditProf?attribute=email&newValue=lulz@gmail.com and change their e-mail address to a possibly malicious one.

Now it would have been nice if the target just clicked on the link, but we had to take it a step further in the competition. The messaging system did not strip or escape special characters; it simply wrapped your message in textarea tags. Once you notice that, you should be able to deduce that you can just close that tag and add whatever you would like to the page. In particular, you can make a web browser attempt to load a URL through the use of img tags. Of course no image will be loaded on the page, but the request will be made nonetheless.

With all of that in mind, I crafted (roughly) the following message to the user:

hello!</textarea><img src="http://{url}/default/EditProf?attribute=email&newValue=my@email.com" /><img src="http://{url}/default/email_password?username=target" />

When the user viewed the message, it automatically set his e-mail to mine, and sent me his password!
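The challenge chained two server-side defects: a state-changing action accepted from any request the browser happened to make, and a message body echoed inside a textarea without escaping. As an added example (not code from the original post or the CTF site), the following Python shows the checks that close both gaps; the site name wutbook.example and the function names are assumed.

```python
import hmac
import html
import secrets

# Hypothetical origin of the vulnerable site; the CTF host is not known here.
ALLOWED_ORIGIN = "https://wutbook.example"


def new_csrf_token() -> str:
    """Per-session secret handed to the profile form (synchronizer token)."""
    return secrets.token_urlsafe(32)


def authorize_profile_change(method, origin, session_token, form_token):
    """Decide whether an EditProf-style request may change account state.

    Returns (allowed, reason). A GET triggered by an <img> tag fails the
    first check; a forged cross-site POST fails the origin check; a POST
    that lacks the session's token fails the final check.
    """
    # State changes must never ride on GET: browsers fetch images,
    # scripts and links with GET using the victim's cookies.
    if method != "POST":
        return False, "state change must use POST"
    # The Origin header is set by the browser and cannot be forged by a page.
    if origin != ALLOWED_ORIGIN:
        return False, "origin mismatch"
    # The token lives in the session and is echoed in the form; an attacker's
    # page cannot read it, so it cannot be included in a forged request.
    if not session_token or not form_token:
        return False, "csrf token mismatch"
    if not hmac.compare_digest(session_token, form_token):
        return False, "csrf token mismatch"
    return True, "ok"


def render_message(body: str) -> str:
    """Place a user-supplied message inside a textarea safely.

    Escaping '<', '>' and quotes means a body containing '</textarea>'
    stays literal text instead of closing the tag and injecting markup.
    """
    return "<textarea>" + html.escape(body, quote=True) + "</textarea>"
```
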
