XSS Question
XSS Question #1
Hey, so I want to ask a question about XSS. I get XSS and the basic concept of it:

www.website.com/search.php?q=<script>alert(1)</script> <------ Okay, this injects JavaScript and brings up an alert box saying "1"

But my question is:

I was looking at this thing online and I saw this:

Code:
$ Let's say this is how a simple, unsecured search function looks like:

content of index.html

<html>
<head>
<title>Google</title>
</head>
 <body>
 
  <form method="get" action="search.php">
  Google:
  <input type="text" name="search" size="20" />
  <input type="submit" class="button" value="Submit" />
  </form>
 
</body>
</html>

Now, by looking at that HTML, how can you understand WHY it is vulnerable to XSS? What makes this HTML vulnerable compared to a secure one?

OR is it with the PHP (for example, in the code above, is it 'search.php' that would tell you)?

If that makes sense, I want to know HOW and WHY it works, not how to do it.

Reply

RE: XSS Question #2
148 views and no reply, damn ;(

Reply

RE: XSS Question #3
(08-12-2017, 07:28 AM)MJK72901 Wrote: 148 views and no reply, damn ;(
Lol maybe nobody saw your thread.
It depends on the page where your string is displayed (in your case it should be search.php).
The web server puts your string on the web page and your browser sees the HTML code and is like: "Hey, this is HTML code, I should execute it!"
Most of the time you will not see if it's vulnerable or not by just looking at HTML.
The most common protection is using the htmlspecialchars() function in PHP, but there are other methods.
OWASP has some good info on XSS and I suggest you look it up.
(This post was last modified: 08-12-2017, 10:26 AM by Pikami. Edit Reason: Added info )

Reply
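
What the reply above describes, as an added example that is not part of the original thread: a hypothetical search.php for the form in the first post, with the unescaped output next to the htmlspecialchars() version. The function names and the sample values used when run from the command line are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical search.php for the form above (field "search", method GET).

// Vulnerable: the request value is concatenated into the HTML unchanged, so
// any markup in it becomes part of the page the browser parses and runs.
function render_unsafe(string $term): string
{
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="search" value="' . $term . '" />';
}

// Hardened: htmlspecialchars() encodes & < > " and ' as entities, so the
// browser shows the value as text. ENT_QUOTES matters for the value="..."
// attribute, where a bare quote would otherwise end the attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $term): string
{
    return '<p>Results for: ' . h($term) . '</p>'
         . '<input type="text" name="search" value="' . h($term) . '" />';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs so the file also runs offline: php search.php
    foreach (['<script>alert(1)</script>', 'Tom & "Jerry"'] as $sample) {
        echo 'unsafe: ', render_unsafe($sample), PHP_EOL;
        echo 'safe:   ', render_safe($sample), PHP_EOL, PHP_EOL;
    }
    exit(0);
}

// Web request: accept only a string (?search[]=x arrives as an array).
$term = $_GET['search'] ?? '';
if (!is_string($term)) {
    $term = '';
}
header('Content-Type: text/html; charset=UTF-8');
echo '<!DOCTYPE html><html><head><title>Search</title></head><body>',
     render_safe($term), '</body></html>';
```

The index.html in the first post is identical in both cases; the only difference is whether search.php encodes the value before writing it into the response.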

RE: XSS Question #4
Maybe you should learn how HTML and JS work before attempting to learn XSS. Just a thought.

Reply

RE: XSS Question #5
(08-12-2017, 11:47 AM)Anime! Wrote: Maybe you should learn how HTML and JS work before attempting to learn XSS. Just a thought.
^ This.

Reply

RE: XSS Question #6
Pikami explained it pretty well. I'll be nitpicking though and say client-side code will tell you if a site is vulnerable if we're talking about DOM-based XSS: https://www.owasp.org/index.php/DOM_Based_XSS. I strongly recommend reading The Web Application Hacker's Handbook after learning how HTML and JS work; it has a great XSS section.

Reply





