Test the security of your browser

Discuss the many weaknesses of browser security and ways to mitigate the threat


Post by jake1234hi on Mon Dec 31, 2012 8:18 pm

[script]alert("test")[/script]
jake1234hi
New User
Posts: 3
Joined: Mon Dec 31, 2012 8:12 pm


Re: Test the security of your browser

Post by fashizzlepop on Mon Dec 31, 2012 10:28 pm

This doesn't really test the security of your browser. This just tests the security of the forums. This is XSS and is a common vulnerability (even on Facebook!) in web applications.

This attack you just posted here is *very* basic but is always a good way to test the filters being used on user input.

Short story: In high school, a friend of mine created a simple website that allowed kids to input their class schedule and cross-reference it with others to see who else had a class with them. He shared the link on Facebook and many kids from the school tried it out. It worked well but was extremely basic, with no CSS or anything. I decided it'd be fun to check to see if he filtered input. First I entered this exact script into the Name field and then I entered a few classes I had and a few I knew others had. Soon enough most searches would show this alert pop up. I decided to get cocky and I made a rather lengthy message in the alert, but the user input was cut off so the ending </script> tag was left out, effectively breaking his whole site whenever one of my classes was matched to another kid. He flushed his data and the site worked again, but he never fixed the filters. So I broke it again. :P

TL;DR: ALWAYS sanitize user input! NEVER trust the USER!
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
fashizzlepop
Developer
Posts: 2303
Joined: Sat May 24, 2008 1:20 pm
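The fix fashizzlepop is pointing at, as an added example that is not code from this thread or from the schedule site described: escape untrusted values at output time, shown with a constructed schedule entry carrying the first post's payload and a truncated copy whose closing tag is lost (the case that broke the site). The entry shape, the Name length limit and the helper names are assumptions made up for the example.

```javascript
// Added example (not from the thread). The schedule app, its Name field
// limit and the sample entries below are constructed for illustration.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML text or quoted-attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Naive rendering: stored input dropped straight into the page (the bug).
function renderUnsafe(entry) {
  return `<li>${entry.name} is also in ${entry.course}</li>`;
}

// Hardened rendering: every untrusted value is escaped when it is written
// into HTML, regardless of what an input-side filter did or did not catch.
function renderSafe(entry) {
  return `<li>${escapeHtml(entry.name)} is also in ${escapeHtml(entry.course)}</li>`;
}

// Constructed sample data: the payload from the first post, and the same
// payload cut at a 20-character Name limit so its </script> tag is lost.
// The truncated form leaves the tag open, which swallows the rest of the page.
const NAME_LIMIT = 20;
const payload = '<script>alert("test")</script>';
const entries = [
  { name: payload, course: 'Algebra II' },
  { name: payload.slice(0, NAME_LIMIT), course: 'Chemistry' },
];

// Count <script> tags that would actually reach the browser's HTML parser.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Render the matches both ways and report how many live script tags result.
function demo() {
  const unsafe = entries.map(renderUnsafe).join('\n');
  const safe = entries.map(renderSafe).join('\n');
  return { unsafe, safe, unsafeScripts: scriptTagCount(unsafe), safeScripts: scriptTagCount(safe) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe output carries two live script tags (one of them unclosed); the escaped output carries none, and the stored text is still shown verbatim to the reader.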