01/05/2008, 12:23   #4
Chris Morris
Re: Form Reload with Tainted Values

Michael Ruebner <njus@lunchinglads.net> writes:
> Joost Diepenmaat:
> > *If* that's true, then the input can be used as an XSS attack -
> > they'll just have to lure some unsuspecting victim to the
> > error/feedback page you created.
>
> None of the returned values will ever be stored in a session (or make it
> into the database), so I assume that hijacking and/or redirection will not
> be an issue. Put another way around, if the attacker's browser will be the
> only client to display rogue input, what's the harm to the rest of us?


vulnerable.php => <?php print ($_GET['print']); ?>

<a href="vulnerable.php?print=<script>alert(document. )</script>">
Please follow this link</a>

The attacker is the person who creates the link (or form, if it's a
POST-based attack instead).
The victim is the person who gets tricked into clicking on it.
They don't need to be the same person.

Persistent XSS, where the value gets stored in the database and then
redisplayed, is *worse* than this because the victims just have to
look at the legitimate site, and the more that look, the worse it
gets. However, tricking someone into clicking on a link on a
relatively unrelated web page is not exactly difficult.

With most common web programming languages making it incredibly
difficult to avoid filling code with XSS bugs, it's not an easy thing
to ensure doesn't happen, but it's absolutely necessary.

http://www.cgisecurity.com/articles/xss-faq.shtml has a few more examples.

--
Chris
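The following is an added example, not code from Chris's post or the original thread. It puts the one-line sink from the post next to a fixed form-reload page that escapes every tainted value at the point it is written into HTML. The function names (e, render_vulnerable, render_safe), the field name "name", and the two attacker payloads are assumptions constructed for this illustration; the escaping call itself is PHP's standard htmlspecialchars.

```php
<?php
// Added example: a reflected-XSS sink beside its hardened form.
// Function names and payloads are assumptions, not from the original post.

declare(strict_types=1);

// Escape a tainted string for an HTML text or quoted-attribute context.
// ENT_QUOTES covers both ' and " so the value is safe inside value="...";
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The sink from the post: whatever arrives in ?print= lands in the page as-is.
function render_vulnerable(array $get): string
{
    $print = $get['print'] ?? '';
    return '<p>' . $print . '</p>';
}

// Fixed form-reload page: the submitted value is echoed back into both an
// attribute and the page body, escaped in each place it is written.
function render_safe(array $get): string
{
    $name = $get['name'] ?? '';
    return '<form method="post" action="/feedback">'
         . '<input type="text" name="name" value="' . e($name) . '">'
         . '<p>You entered: ' . e($name) . '</p>'
         . '</form>';
}

// Constructed attacker payloads (assumed for the demo): one that injects a
// tag into the body, one that breaks out of a quoted attribute first.
$payloads = [
    'tag'  => '<script>alert(document.cookie)</script>',
    'attr' => '"><script>alert(1)</script><input value="',
];

if (PHP_SAPI === 'cli') {
    // Run as `php example.php` to compare the two renderers offline.
    foreach ($payloads as $kind => $p) {
        echo "== $kind payload, vulnerable:\n", render_vulnerable(['print' => $p]), "\n";
        echo "== $kind payload, safe:\n", render_safe(['name' => $p]), "\n\n";
    }
    // Self-check: no raw <script survives the safe renderer.
    foreach ($payloads as $p) {
        if (strpos(render_safe(['name' => $p]), '<script') !== false) {
            fwrite(STDERR, "escaping failed\n");
            exit(1);
        }
    }
} else {
    // Served by a web server: behave like a fixed vulnerable.php. Declaring
    // the charset stops browsers guessing an encoding the escaper did not assume.
    header('Content-Type: text/html; charset=UTF-8');
    echo render_safe($_GET);
}
```

The escaping is specific to the HTML body and quoted-attribute contexts used here; a value written into a URL, a script block, or an unquoted attribute needs a different encoder, which is why the usual advice is to escape at the output site rather than to "clean" input once on the way in.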