[nycphp-talk] wonderful presentation on Tuesday
csnyder
chsnyder at gmail.com
Thu Apr 26 17:08:36 EDT 2007
On 4/26/07, Rob Marscher <rmarscher at beaffinitive.com> wrote:
>
> How ever can someone inject their code/script onto my webpage? The code is
> on my server so they don't have access to it. Am I missing something here?
>
> If you allow the user to submit anything that is then displayed our your
> site, they can inject javascript code unless you do a very good job
> "sanitizing" the user input.
And the submission may not just be limited to $_GET and $_POST... many
of the $_SERVER vars can be problematic as well.
The example Chris gave about Google's old 404 page, where it echoed
the requested URI without escaping it first, could have been exploited
by sending the following link to someone. I don't remember the
mechanism exactly, but perhaps something like:
<a href="http://www.google.com/something/not/found/%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E">hey
victim, click here</a>
Given that link, if Google were to echo the value of
$_SERVER['SCRIPT_URL'] without escaping, it would inject
<script>alert('XSS');</script> into the page.
--
Chris Snyder
http://chxo.com/
More information about the talk
mailing list