Session key is the same throughout the session; can this behavior be exploited?

This application uses the session key instead of a CSRF token, but this session key is the same throughout the session; it's not changing. It only changes if I log out and then log in again to the application.

My questions are:

  1. Are the session key and the CSRF token similar?
  2. Can this behavior of the key remaining the same throughout the session be exploited by an attacker in any way?

Can XXE be exploited when disallow-doctype-decl is set to true (Apache)?

I found out that an endpoint of a website may be vulnerable to XXE. They are using Unmarshal as the XML parser, and when I try to send a POST request using common XXE payloads I receive the following response from the server:

[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 54; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.]

Is there any payload that doesn't need the DOCTYPE declaration? Is it possible to exploit this XXE or not?

Can XSS be exploited this way?

As per my understanding, if a cookie doesn't have a Domain attribute (explicitly telling where this cookie can be used), by default that cookie will be used by the domain which issued it and all its subdomains, and even the parent domain of the domain which issued the cookie can't use it.

(foo.example.com issues cookies which can be used by it and its subdomain bar.foo.example.com, but not by its parent domain, i.e. example.com.)

Now, suppose I found an XSS vulnerability on foo.example.com and I want to get the cookies of example.com. Is that possible by any means? Since by default cookies issued by a subdomain cannot be used by their parent domain, I am not able to figure out any way.
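An added example, not part of the question, that models the cookie scoping rules of RFC 6265 (domain matching from section 5.1.3, the host-only flag and the Domain check from section 5.3, and the request-cookie selection from section 5.4) for the hosts in the question. Under RFC 6265 a cookie set without a Domain attribute is host-only and is returned only to the exact host that set it. Host names, cookie names and values are constructed; Path, Secure, HttpOnly, public-suffix and IP-address handling are left out.

```javascript
// Added example, not code from the question: a small model of RFC 6265 cookie
// scoping used to check what a script on foo.example.com can read and set
// relative to example.com. Names and values are constructed for the example.

// RFC 6265 s5.1.3: `host` domain-matches `cookieDomain` if they are equal or
// `host` ends with "." + cookieDomain.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// The cookie a browser stores from a Set-Cookie header (or a document.cookie
// assignment) issued by `setterHost`. Returns null when the browser ignores it.
function buildCookie(setterHost, name, value, domainAttr) {
  const host = setterHost.toLowerCase();
  if (domainAttr === undefined) {
    // s5.3 step 6: no Domain attribute -> host-only cookie for the setting host.
    return { name, value, domain: host, hostOnly: true };
  }
  const d = domainAttr.toLowerCase().replace(/^\./, "");
  // s5.3 step 6: the setting host must domain-match the attribute, so a host can
  // scope a cookie to itself or to a parent domain, but not to an unrelated one.
  if (!domainMatches(host, d)) return null;
  return { name, value, domain: d, hostOnly: false };
}

// Store with the uniqueness key (name, domain, host-only flag) that current
// browsers and RFC 6265bis use; an existing cookie with the same key is replaced.
function setCookie(jar, cookie) {
  if (cookie === null) return jar;
  const rest = jar.filter(
    (c) => !(c.name === cookie.name && c.domain === cookie.domain && c.hostOnly === cookie.hostOnly)
  );
  return [...rest, cookie];
}

// s5.4: the cookies attached to a request for `host`; ignoring HttpOnly, this is
// also what document.cookie shows to script running there.
function visibleCookies(jar, host) {
  const h = host.toLowerCase();
  return jar.filter((c) => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)));
}

function scenario() {
  let jar = [];
  // example.com sets a host-only session cookie and a domain-wide preference cookie.
  jar = setCookie(jar, buildCookie("example.com", "SESSION", "parent-secret"));
  jar = setCookie(jar, buildCookie("example.com", "THEME", "dark", "example.com"));
  // foo.example.com sets its own host-only cookie.
  jar = setCookie(jar, buildCookie("foo.example.com", "FOO_SESSION", "foo-secret"));
  // Script on foo.example.com tries two writes: one scoped to the parent domain,
  // which the browser accepts, and one for an unrelated domain, which it rejects.
  const forParent = buildCookie("foo.example.com", "SESSION", "attacker-chosen", "example.com");
  const forUnrelated = buildCookie("foo.example.com", "X", "y", "evil.test");
  jar = setCookie(jar, forParent);
  jar = setCookie(jar, forUnrelated);
  const names = (host) => visibleCookies(jar, host).map((c) => `${c.name}=${c.value}`);
  return {
    readableOnFoo: names("foo.example.com"),
    sentToParent: names("example.com"),
    sentToBar: names("bar.foo.example.com"),
    unrelatedRejected: forUnrelated === null,
  };
}
```

Running scenario() shows the two directions separately: the parent's host-only SESSION cookie is never visible on foo.example.com, while the cookie that foo.example.com wrote with Domain=example.com is delivered to example.com next to the genuine one, with the same name. Reading the parent's cookies and writing cookies the parent will receive are therefore different questions under these rules.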

Can my website’s business logic be exploited? [on hold]

I just finished a website that gives out rewards, and I'm worried that someone might find a way to use it that I didn't intend and force or trick me into paying out too much. I could use some feedback as to whether or not I missed anything that might cost me.

Here’s the basic concept:

  • Members can endorse others. When you vouch for someone by endorsing them, you become one of their “sponsors”.
  • When someone works a job through my site, I invoice the employer for my commission and then pay a portion of that back as rewards to the "primary sponsors" (more on what that means below).
  • To be eligible to receive rewards each month, you must be working a job through my site. Contractors must bill at least 10 hours per month. Full-time employees must be within their first year of employment.
  • If both the sponsor and the person they endorsed work a job they found on my website, the sponsor gets 0.25% of what the endorsee makes, plus 0.10% of anyone the endorsee endorsed, plus 0.05% of anyone that person endorsed. I made a little calculator on the site so you can see what that would look like: https://www.techscore.net/rewards/estimator

Here are the safe-guards I’ve put in place so far:

  • To prevent someone from spamming everyone with endorsements, I made it so the endorsee has to “accept” your endorsement.
  • To prevent someone from endorsing large numbers of lower-quality workers to bump up their reward, I made two rules. First, if the person you endorsed receives a negative review from the employer for a given month, you don't receive rewards from that endorsee for that month. Second, if you or your endorsees receive three negative reviews within a 12-month period, you are disqualified from receiving any rewards for 6 months starting from the date of the last negative review.
  • If, for example, 100 people all endorse the same person, I’m obviously not going to payout all of them. Only the “primary sponsor” is eligible to receive rewards points for that endorsee. Sponsors are initially prioritized in the order in which the endorsements are accepted. If you are the first to endorse someone, you become their primary sponsor and will remain so unless you become ineligible to receive rewards for a given month. For example, if you did not bill any hours for the month through my site or you received negative feedback from the employer. If you become ineligible, you will not receive rewards points for that endorsee for that month and will no longer be their primary sponsor. You will be placed at the end of their sponsor list and the next person in line will then become the primary sponsor of that endorsee.
  • To keep payouts from taking too long, if you are a contractor, you must complete all your timesheets through the site for the previous month within 7 days after the end of that month in order to stay eligible to get rewards points for that month. If you’re a full-time employee, it doesn’t matter because the employer is invoiced the commission right away, not per month.
  • The invoices submitted to employers must be paid in full before rewards are paid out.

Can you think of any way I could get taken advantage of with this?

Thanks for your help

Can an XSS vulnerability without authentication be exploited?

I am confused about the attack surface made possible by an XSS vulnerability. Suppose I have a simple web application that does not involve authentication (perhaps a “word of the day” kind of thing). If it is naively written and allows injection by crafting a malicious link, what kind of damage can the injection do?

To make things concrete, here’s a PHP script (what else) that is wide open to attack, since it will send back any nonsense added to the request URL.

<html><body><p><?php echo 'Access denied:' . $_SERVER["PHP_SELF"]; ?></p></body></html>

How bad would it be to have this problem on my server? What can happen exactly? My script does not collect or store any data, so there is no chance of a persistent injection on my server.

  • If the user clicking on the malicious link trusts my domain, they could be tricked into doing or accepting things that they wouldn’t otherwise. But if my domain enjoys no special trust, is there still danger? The attacker has already had access to the user/victim to trick them into visiting me through the doctored link, so is my website really posing an additional danger?

  • Since the reflected code appears to originate on my domain, could the attacker gain access to my intranet? I suppose in this case no trickery is needed: the attacker can run the malicious requests directly on my server, right?

I must be missing something here, please help me understand what that is.
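An added example, not code from the question, that reproduces the reflection in the PHP snippet above as a JavaScript function and places the escaped rendering next to it. PHP_SELF is the script path plus any PATH_INFO, so a request for a path such as /index.php/<script>... is echoed into the page by the original snippet; in PHP the equivalent of the escaped version is htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "UTF-8"). The crafted path and the function names are this example's own.

```javascript
// Added example, not from the question: the PHP_SELF reflection modelled in
// JavaScript, vulnerable rendering beside an escaped one. CRAFTED_PATH is a
// constructed request path that carries a script element in PATH_INFO.

// Mirrors the original snippet: the request path is concatenated into HTML as-is.
function renderUnsafe(phpSelf) {
  return `<html><body><p>Access denied:${phpSelf}</p></body></html>`;
}

// Minimal HTML text/attribute escaping of the five significant characters.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Same page with the reflected value escaped before it enters the HTML.
function renderSafe(phpSelf) {
  return `<html><body><p>Access denied:${escapeHtml(phpSelf)}</p></body></html>`;
}

// The check a scanner applies to the response: does an executable script
// element appear in it? Entity-encoded text such as &lt;script&gt; does not match.
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed for the example: script path followed by PATH_INFO carrying markup.
const CRAFTED_PATH = "/index.php/<script>alert(document.domain)</script>";

function demo() {
  return {
    unsafeExecutes: containsScriptElement(renderUnsafe(CRAFTED_PATH)),
    safeExecutes: containsScriptElement(renderSafe(CRAFTED_PATH)),
    safeOutput: renderSafe(CRAFTED_PATH),
  };
}
```

Whatever the injected script does, it runs with the origin of the page that reflected it, which is what distinguishes a reflected XSS from a link to an attacker-controlled site.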