| Título | Open-Source Web LitmusChaos 3.19.0 Input Validation Bypass |
|---|
| Descripción | A frontend-only validation flaw was identified in the LitmusChaos 3.19.0 platform that allows attackers to bypass character restrictions on user profile fields, such as the display name. The client-side interface prevents input of special characters (e.g., !@#$%¨&)), but the backend fails to enforce equivalent validation, leading to inconsistent input handling and possible downstream effects.
During testing, it was observed that the application performs input sanitization only on the client side, using JavaScript or HTML5 form validation. However, this can be easily circumvented by intercepting and modifying the HTTP request via tools such as Burp Suite.
By sending crafted requests directly to the backend, an attacker can store and display values containing unexpected or restricted characters—such as !@#$%¨&)—in user-controlled fields like the profile display name. |
|---|
| Fuente | ⚠️ https://github.com/MaiqueSilva/VulnDB/blob/main/README02.md |
|---|
| Usuario | maique (UID 88562) |
|---|
| Sumisión | 2025-07-31 02:19 (hace 9 meses) |
|---|
| Moderación | 2025-08-09 07:34 (9 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 319320 [LitmusChaos Litmus hasta 3.19.0] |
|---|
| Puntos | 20 |
|---|