Title: Functionality Abuse
Last modified: October 5, 2017

---

# Functionality Abuse

 *  [quickanuj](https://wordpress.org/support/users/quickanuj/)
 * (@quickanuj)
 * [8 years, 7 months ago](https://wordpress.org/support/topic/functionality-abuse/)
 * Description: Abuse of Functionality is an attack technique that uses a web site’s
   own features and functionality to attack itself or others. Abuse of Functionality
   can be described as the abuse of an application’s intended functionality to perform
   an undesirable outcome.
 * Proof of Concept: As a proof of concept, let us take an article URL:
   [https://entertainmentblog.paytm.com/2017/03/16/mightier-grander-power-packed-baahubali-2-trailer-out/](https://entertainmentblog.paytm.com/2017/03/16/mightier-grander-power-packed-baahubali-2-trailer-out/)
   Below this article there is an option to react to the article with various options.
   People read the article and react to it, and that also gives an impression of
   the article to other people. The “React” and “Unreact” functionality can be repeated
   “n” number of times for an article. When we react on the above URL, the HTTP request
   that goes out is:

   ```
   POST /wp-admin/admin-ajax.php HTTP/1.1
   Host: xxxxxx
   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
   Accept: */*
   Accept-Language: en-US,en;q=0.5
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Referer: xxxxxxx
   Content-Length: 55
   Cookie:
   Connection: close

   postid=1470&action=rns_react&reaction=love&unreact=false
   ```
 * With the help of Intruder we can replay this request (with a null payload)
   n number of times to increase a particular reaction for the article.
 * Similarly, when we “unreact” to any article, the HTTP request that goes out is:

   ```
   POST /wp-admin/admin-ajax.php HTTP/1.1
   Host: xxxxx
   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
   Accept: */*
   Accept-Language: en-US,en;q=0.5
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Referer: xxxxx
   Content-Length: 55
   Cookie:
   Connection: close

   postid=1470&action=rns_react&reaction=love&unreact=true
   ```
 * We can also replay this in Intruder with null payloads and decrease any reaction on
   any article. It will be possible for a user to decrease/increase the reactions
   given by other people on any article.

The topic ‘Functionality Abuse’ is closed to new replies.
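The report above describes a counter that moves on every `react`/`unreact` request. As an added example (not part of the original post and not the plugin's code), the sketch below models one server-side mitigation: reaction state is stored per visitor, so a replayed request is a no-op and `unreact` can only withdraw the caller's own reaction. The signed visitor cookie, the `ReactionStore` class and the reaction list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server

def _sign(visitor_id: str) -> str:
    return hmac.new(SERVER_KEY, visitor_id.encode(), hashlib.sha256).hexdigest()

def issue_voter_token() -> str:
    """Mint a signed random visitor id to be set as a cookie (hypothetical scheme)."""
    visitor_id = secrets.token_hex(16)
    return f"{visitor_id}.{_sign(visitor_id)}"

def verify_voter_token(token: str):
    """Return the visitor id when the signature is valid, otherwise None."""
    visitor_id, _, sig = token.partition(".")
    if hmac.compare_digest(sig.encode(), _sign(visitor_id).encode()):
        return visitor_id
    return None

class ReactionStore:
    ALLOWED = {"love", "like", "sad"}  # constructed list of reaction names

    def __init__(self):
        self._by_voter = {}  # (postid, visitor id) -> reaction currently held

    def handle(self, token, postid, reaction, unreact):
        """Apply one react/unreact request; return True only if state changed."""
        voter = verify_voter_token(token or "")
        if voter is None or reaction not in self.ALLOWED:
            return False  # no valid visitor identity, or unknown reaction
        key = (postid, voter)
        held = self._by_voter.get(key)
        if unreact:
            if held != reaction:
                return False  # nothing of the caller's own to withdraw
            del self._by_voter[key]
            return True
        if held == reaction:
            return False  # replay of an already recorded reaction
        self._by_voter[key] = reaction  # a new choice replaces the old one
        return True

    def count(self, postid, reaction):
        """Derive the displayed total from per-visitor state, not a raw counter."""
        return sum(1 for (p, _), r in self._by_voter.items()
                   if p == postid and r == reaction)
```

Per-visitor state caps each token at one reaction per article; how tokens are issued to anonymous visitors still needs its own rate limit, since the cap is only as strong as the cost of obtaining a new identity.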

 * [React & Share - Customizable Reaction Buttons](https://wordpress.org/plugins/react-and-share/)

## Tags

 * [security issue](https://wordpress.org/support/topic-tag/security-issue/)

 * 0 replies
 * 1 participant
 * Last reply from: [quickanuj](https://wordpress.org/support/users/quickanuj/)
 * Last activity: [8 years, 7 months ago](https://wordpress.org/support/topic/functionality-abuse/)
 * Status: not resolved