deadmoo wrote:This challenge is annoying. There are so many possible ways to filter/escape the input, how am I supposed to know which one i the "correct" answer?
// possibility one (this is the simplest one, but which of the 2 dozen applicable functions do I use)
$var = func1($var);
// possibility two
$var = func1(func2($var));
$var = func1(func2(func3($var)));
//possibility four (technically one line)
$var = func2($var); $var = func1($var);
Thats the only vulnerability that I can see too. I tried fixing it by replacing it with the static URL but that didn't work, and REQUEST_URI is no better. Any hints would be appreciated.McGregBB wrote:Am I right that the vulnerability lies in the form declaration where an xss exploit might be possible?
I-MrKnox-I wrote:Okay... I got it!
God, this was lame, but anyways...
I hope it is not to much of a spoiler - if so, feel free to edit!
There are many ways to sanitize PHP_SELF (assuming you all know this is the vuln) as you might know by now. However, most of the ways will sanitize a lot of "innocent" chars too. We do not want this to happen. Luckily there is an alternative which is very alike, but only sanitizes the most "dangerous" chars like '<', '>' and quotes. This is what we are looking for.
Users browsing this forum: No registered users and 0 guests