An attacker sends: GET /api/documents/../../../../etc/passwd . The server resolves the path to /etc/passwd and returns the system's password file. The root cause is a missing check between the supplied filename and the base directory.
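The missing check described above, shown as an added example in Python (not code from the original page or from Gruyere); the document root `/srv/app/documents` and the `/api/documents/` prefix are assumptions chosen to match the request in the text:

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed document root served by the /api/documents/ endpoint (not from the page).
BASE_DIR = Path("/srv/app/documents")


def unsafe_document_path(base_dir: Path, requested: str) -> Path:
    """The flawed pattern: concatenate base and user input, no containment check.
    '../../../../etc/passwd' normalises straight to /etc/passwd."""
    return (base_dir / requested).resolve()


def confine_to_base(base_dir: Path, requested: str) -> Optional[Path]:
    """Return the canonical path only if it stays inside base_dir, else None."""
    base = base_dir.resolve()
    # resolve() collapses '..' segments (and symlinks where the path exists),
    # so the comparison is made on the canonical path rather than the raw string.
    candidate = (base / requested).resolve()
    # An absolute 'requested' replaces base in the join; the parents check
    # rejects that case too. The base directory itself is not a document.
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


def serve_document(url_path: str, base_dir: Path = BASE_DIR) -> str:
    """Minimal handler: returns the status line a server would emit."""
    prefix = "/api/documents/"
    if not url_path.startswith(prefix):
        return "404 Not Found"
    # Decode percent-encoding before the check so '%2e%2e' is seen as '..'.
    filename = unquote(url_path[len(prefix):])
    target = confine_to_base(base_dir, filename)
    if target is None:
        return "403 Forbidden"
    return f"200 OK {target}"


if __name__ == "__main__":
    print(unsafe_document_path(BASE_DIR, "../../../../etc/passwd"))
    print(serve_document("/api/documents/../../../../etc/passwd"))
    print(serve_document("/api/documents/report.pdf"))
```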
When another user views this post, their browser executes the script, allowing the attacker to steal session cookies, hijack user sessions, or deface the page.
unique, unpredictable values included in state-changing requests that the server verifies before processing the action.

3. Client-State Manipulation (Cookie Flaws)
If a logged-in Gruyere user visits the attacker's page, their browser automatically appends their session cookies to the request, deleting their profile without their consent.
Gruyere allows users to create a profile where they can enter a biography ("About Me") and upload a profile picture (icon). The intention is to let users express themselves, similar to Facebook, LinkedIn, or any modern web app.
