> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/web-appsec/features-abuse/commenting.md).
# Commenting
IDOR Posting comments impersonating some other users.
* [ ] Change the email of th request to registered email in target
* [ ] Change email to un registered email in the target and then register with it
* [ ] Change the ID one number or the whole id with another user ID
DOM Clobbering
We can therefore cause the JavaScript references to return an empty object using the following technique:
```python
![]()
![]()
![]()
```
Which now returns the following output in our console: Uncaught TypeError: `document.getElementById is not a function at ….`
assuming an application uses a BBcode tag to publish image:
```python
[img width="100" height="50"]
Which is interpreted in the browser as follows:
We can take advantage of DOM clobbering like this:
[img width="100" id=”getElementById” height="50"]\\/images/lubeck_small.jpg\\[/img]
We have now effectively clobbered the DOM in the web application, which may
result in the breakdown of functionality and in some cases cause the browser to
become unresponsive
```
Markup Language? try Create A picture that steals Data
```python
Go to
choose invisible image
send the comment
```
IDOR to Read any other's comments
1. Search for any fields/forms that you cant see others comments
2. Analyze the traffic
3. change identifier to user B and u can see user b comments
Race Condition
1. Unlimited Comments on a thread
2. Suppose a user can comment only once, try race conditions here to see if multiple comments are possible.
Privilege Escalation
* Suppose there is an option: comment by the verified user (or some privileged user) try to tamper with various parameters in order to see if you can do this activity.
Thread Comment Functionality Testing
* [ ] Unlimited Comments on a thread
* [ ] Suppose a user can comment only once, try race conditions here to see if multiple comments are possible.
* [ ] Suppose there is an option: comment by the verified user (or some privileged user) try to tamper with various parameters in order to see if you can do this activity.
* [ ] Try posting comments impersonating some other users.
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://sec88.0x88.online/web-appsec/features-abuse/commenting.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.