Test the security of your browser
2 posts • Page 1 of 1
Test the security of your browser
by jake1234hi on Mon Dec 31, 2012 8:18 pm
([msg=71926]see Test the security of your browser[/msg])
[script]alert("test")[/script]
- jake1234hi
- New User
- Posts: 3
- Joined: Mon Dec 31, 2012 8:12 pm
- Blog: View Blog (0)
Re: Test the security of your browser
by fashizzlepop on Mon Dec 31, 2012 10:28 pm
([msg=71927]see Re: Test the security of your browser[/msg])
This doesn't really test the security of your browser. This just tests the security of the forums. This is XSS and is a common vulnerability (even on Facebook!) in web applications.
This attack you just posed here is *very* basic but is always a good way to test the filters being used on user input.
Short story: In high school, a friend of mine created a simple website that allowed kids to input their class schedule and cross reference it with others to see who else had a class with them. He shared the link on Facebook and many kids from the school tried it out. It worked well but was extremely basic, with no CSS or anything. I decided it'd be fun to check to see if he filtered input. First I entered this exact script into the Name field and then I entered a few classes I had and a few I knew others had. Soon enough most searches would show this alert pop up. I decided to get cocky and I made a rather lengthy message in the alert but the user input was cut off so the ending </script> tag was left out effectively breaking his whole site whenever one of my classes was matched to another kid. He flushed his data and the site worked again but he never fixed the filters. So I broke it again.
TL;DR: ALWAYS sanitize user input! NEVER trust the USER!
This attack you just posed here is *very* basic but is always a good way to test the filters being used on user input.
Short story: In high school, a friend of mine created a simple website that allowed kids to input their class schedule and cross reference it with others to see who else had a class with them. He shared the link on Facebook and many kids from the school tried it out. It worked well but was extremely basic, with no CSS or anything. I decided it'd be fun to check to see if he filtered input. First I entered this exact script into the Name field and then I entered a few classes I had and a few I knew others had. Soon enough most searches would show this alert pop up. I decided to get cocky and I made a rather lengthy message in the alert but the user input was cut off so the ending </script> tag was left out effectively breaking his whole site whenever one of my classes was matched to another kid. He flushed his data and the site worked again but he never fixed the filters. So I broke it again.
TL;DR: ALWAYS sanitize user input! NEVER trust the USER!
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.
-
fashizzlepop - Developer
- Posts: 2303
- Joined: Sat May 24, 2008 1:20 pm
- Blog: View Blog (0)
2 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests