On 14 Sep 2022, at 20:55, Tim Düsterhus <[email protected]> wrote:
> As indicated by the phrasing in my previous email, this knowledge does not
> enable an attacker to do anything that they wouldn't be able to do otherwise.
One possibility... when you say the attacker is able to "not send all the
fields", would that be via injecting malicious JavaScript, which would
hopefully be blocked via the website's Content Security Policy?... A different
approach could use a simple XSS within the <form>, injecting ~995 hidden
<input> fields:
```
<form action="/user/edit" method="post">
[...]
<input type="hidden" name="xss[]" />
<input type="hidden" name="xss[]" />
<input type="hidden" name="xss[]" />
[...]
<label>
<input type="checkbox" name="group_delete[]" value="1" />
Remove from Group 1
</label>
[...]
</form>
```
Craig