XSS

Discuss the many weaknesses of browser security and ways to mitigate the threat

XSS

Post by jadecook on Sun Dec 02, 2012 5:32 pm

Alright, say for instance I am hacking a form. Not just any form, an email form! Fill out name, email, etc, and after pressing submit it says, "Thank you NAME!". So I think to myself, hmmm and type in "<b>NAME</b>" in the name field then press submit. Then it comes out "Thank you NAME!". So now I try "<script>alert("hello");</script>" in the name field and press submit but nothing shows up! I check the source and you can see in the source it says "<script>alert("hello");</script>".

Why is this?


Re: XSS

Post by WallShadow on Sun Dec 02, 2012 5:43 pm

jadecook wrote: Alright, say for instance I am hacking a form. Not just any form, an email form! Fill out name, email, etc, and after pressing submit it says, "Thank you NAME!". So I think to myself, hmmm and type in "<b>NAME</b>" in the name field then press submit. Then it comes out "Thank you NAME!". So now I try "<script>alert("hello");</script>" in the name field and press submit but nothing shows up! I check the source and you can see in the source it says "<script>alert("hello");</script>".

Why is this?


If the script is there, but not being activated, it's possible that some program on your computer detected the XSS and prevented it from executing. I know some browsers and browser-plugins do do that.


Re: XSS

Post by 0phidian on Sun Dec 02, 2012 6:07 pm

Some sites allow a few tags like bold and italics but block others like script tags. In which case you would need to find a way around the filtering.


Re: XSS

Post by weekend hacker on Mon Dec 03, 2012 3:05 pm

^what they said
If it's not escaping that part in the source then it's probably your very own browser that's preventing it from being run (I for one use NoScript, so most things are blocked unless I give that site permission).
Also, if this is an email script, one other thing to look at besides XSS would be injecting newlines. Look up what email headers look like, find out if perhaps you can alter them and maybe say.. send an email to 100 people instead of just 1.
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...
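
Added example, not part of any post in this thread: a Python handler for the kind of "Thank you NAME!" email form discussed above, showing the unescaped reflection beside an HTML-encoded one, and a check that refuses control characters (CR/LF included) in fields that end up in mail headers. The function names and the example.org addresses are assumptions made for illustration.

```python
import html
import re
from email.message import EmailMessage

# Assumed names: these functions and the example.org addresses are
# hypothetical and do not come from the thread.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR and LF
SIMPLE_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_thanks_unsafe(name: str) -> str:
    """Reflects the field as-is: markup in the name becomes part of the page."""
    return f"<p>Thank you {name}!</p>"


def render_thanks(name: str) -> str:
    """Encodes for the HTML body context so the name is shown as plain text."""
    return f"<p>Thank you {html.escape(name, quote=True)}!</p>"


def header_value(field: str, value: str) -> str:
    """Rejects control characters so a field cannot start a new header line."""
    if CONTROL_CHARS.search(value):
        raise ValueError(f"control character in {field}")
    return value.strip()


def build_contact_mail(name: str, sender: str, body: str) -> EmailMessage:
    """Builds the notification mail; only validated values reach the headers."""
    name = header_value("name", name)
    sender = header_value("email", sender)
    if not SIMPLE_ADDR.fullmatch(sender):
        raise ValueError("email is not a single plain address")
    msg = EmailMessage()
    msg["From"] = "webform@example.org"  # fixed by the server, never user input
    msg["To"] = "owner@example.org"      # fixed recipient
    msg["Reply-To"] = sender
    msg["Subject"] = f"Contact form message from {name}"
    msg.set_content(body)                # newlines are fine in the body only
    return msg


if __name__ == "__main__":
    sample = '<script>alert("hello");</script>'  # the input from the first post
    print(render_thanks(sample))
    print(build_contact_mail("Jade", "jade@example.com", "hi")["Subject"])
```

With the encoded version the page source shows `&lt;script&gt;` rather than a literal tag, which is how to tell server-side escaping apart from a browser or plug-in blocking the script.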


Re: XSS

Post by WallShadow on Mon Dec 03, 2012 5:25 pm

weekend hacker wrote: Also, if this is an email script, one other thing to look at besides XSS would be injecting newlines. Look up what email headers look like, find out if perhaps you can alter them and maybe say.. send an email to 100 people instead of just 1.



