@KhanMarshaI
Last active September 18, 2025 08:16

State-Changing GET Request Theme Activation (Self-Site Request)

What's the issue?

GET requests can be used to perform state-changing operations that are supposed to be performed through POST requests. GET requests should only retrieve data, but here they are able to modify the server state. This arises because the defined views do not check the HTTP method.

Please note that IFRAME injection isn't the main vulnerability here. It is only one of the ways discovered in Vvveb to abuse the state-changing GET request vulnerability. A lower-privileged user can inject such a state-changing GET request and have it triggered whenever an admin/superadmin views the attacker-controlled content.

  • No user interaction required - automatic execution on page load
  • Bypasses CSRF tokens - GET requests typically don't implement CSRF protection
  • Works across origins - no same-origin policy restrictions for GET requests in img/iframe tags
  • Harder to detect - appears as normal resource loading in logs
  • Multiple delivery methods - can be embedded anywhere HTML is rendered

Credits

0xHamy & KhanMarshaI

Proof Of Concept

  • The attacker can inject iframes into the "Content" source code field of a post, page, or product (opened by clicking <>), like this:
<iframe width="800" height="200" src=""></iframe>
  • The attacker can point the src to a state-changing GET request.

With such a Content description, the attacker can activate a theme:

<p>This is a malicious post.</p>
<p><iframe width="800" height="200" src="http://localhost/admin/index.php?module=theme/themes&action=activate&theme=manny"></iframe></p>
  • When the admin visits the malicious post at http://localhost/malicious-post, the browser sends the GET request to the malicious endpoint and the theme is activated.

Once again, this isn't due to IFRAME injection. GET should only retrieve data, not modify it or the server state.

"We will just remove the iframe injections"

There are multiple ways to deliver a state-changing GET request and have the victim perform unexpected operations.

It can be carried out through the following methods:

DIVs:

<div style="background: url(http://localhost/admin/index.php?module=theme/themes&action=activate&theme=manny)"></div>

Email-based exploitation:

<img src="http://localhost/admin/index.php?module=theme/themes&action=activate&theme=manny" width="1" height="1" style="display:none">
  • Direct links shared in Slack, Discord, or other platforms.
  • URL previews that automatically fetch content.
  • Shortened URLs that mask the malicious endpoint.
  • These can also be batched/chained to perform multiple simultaneous attacks.
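
All of the delivery methods above end in the same server-side event: a GET to the admin endpoint carrying an action parameter. As an added example (not part of the original advisory or of Vvveb), this Python script flags those requests in a web server access log. It assumes Combined Log Format, the /admin/index.php path from the PoC, and an illustrative list of action verbs, of which only "activate" appears in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD url PROTO" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
ADMIN_PATH = "/admin/index.php"
# "activate" comes from the advisory; the other verbs are assumptions to tune.
STATE_CHANGING = {"activate", "delete", "save", "install", "remove"}

def find_state_changing_gets(lines):
    """Return one finding per GET that carries a state-changing admin action."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["url"])
        query = parse_qs(url.query)
        action = query.get("action", [""])[0].lower()
        if url.path != ADMIN_PATH or action not in STATE_CHANGING:
            continue
        referer_path = urlsplit(m["referer"]).path
        findings.append({
            "time": m["time"],
            "ip": m["ip"],
            "module": query.get("module", [""])[0],
            "action": action,
            "referer": m["referer"],
            # A referer outside /admin/ (or none) means the admin UI did not
            # issue the request: embedded content or a shared link did.
            "from_outside_admin": not referer_path.startswith("/admin/"),
        })
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2025:08:01:12 +0000] "GET /malicious-post HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Sep/2025:08:01:13 +0000] "GET /admin/index.php?module=theme/themes&action=activate&theme=manny HTTP/1.1" 200 831 "http://localhost/malicious-post" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Sep/2025:08:05:40 +0000] "POST /admin/index.php?module=theme/themes&action=activate HTTP/1.1" 302 0 "http://localhost/admin/index.php?module=theme/themes" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Sep/2025:08:09:02 +0000] "GET /admin/index.php?module=theme/themes&action=activate&theme=manny HTTP/1.1" 200 831 "http://localhost/admin/index.php?module=theme/themes" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_state_changing_gets(SAMPLE_LOG):
        print(finding)
```

Every finding is a state change performed over GET; those with from_outside_admin set are the ones triggered from rendered content or an external link rather than from the admin interface itself.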

Affected Version

  • Vvveb 1.0.7.2 Latest