Alright, say for instance I am hacking a form. Not just any form, an email form! Fill out name, email, etc, and after pressing submit it says, "Thank you NAME!". So I think to myself, hmmm and type in "<b>NAME</b>" in the name field then press submit. Then it comes out "Thank you NAME!". So now I try "<script>alert("hello");</script>" in the name field and press submit but nothing shows up! I check the source and you can see in the source it says "<script>alert("hello");</script>".
Why is this?
XSS
5 posts • Page 1 of 1
Re: XSS
by WallShadow on Sun Dec 02, 2012 5:43 pm
([msg=71480]see Re: XSS[/msg])
jadecook wrote:Alright, say for instance I am hacking a form. Not just any form, an email form! Fill out name, email, etc, and after pressing submit it says, "Thank you NAME!". So I think to myself, hmmm and type in "<b>NAME</b>" in the name field then press submit. Then it comes out "Thank you NAME!". So now I try "<script>alert("hello");</script>" in the name field and press submit but nothing shows up! I check the source and you can see in the source it says "<script>alert("hello");</script>".
Why is this?
If the script is there, but not being activated, it's possible that some program on your computer detected the XSS and prevented it from executing. I know some browsers and browser-plugins do do that.
-
WallShadow - Contributor
- Posts: 535
- Joined: Tue Mar 06, 2012 9:37 pm
- Blog: View Blog (0)
Re: XSS
by 0phidian on Sun Dec 02, 2012 6:07 pm
([msg=71485]see Re: XSS[/msg])
Some sites allow a few tags like bold and italics but block others like script tags. In which case you would need to find a way around the filtering.
-
0phidian - Poster
- Posts: 170
- Joined: Sat Jun 16, 2012 7:04 pm
- Blog: View Blog (0)
Re: XSS
by weekend hacker on Mon Dec 03, 2012 3:05 pm
([msg=71505]see Re: XSS[/msg])
^what they said
If its not escaping that part in the source then its probably your very own browser thats preventing it from being run(I for one use noscript, so most things are blocked unless if I give that site permission)
Also, if this is an email script, one other thing to look at besides XSS would be injecting newlines. Lookup how email headers look like, find out if perhaps you can alter them and maybe say.. send an email to 100 people instead of just 1.
If its not escaping that part in the source then its probably your very own browser thats preventing it from being run(I for one use noscript, so most things are blocked unless if I give that site permission)
Also, if this is an email script, one other thing to look at besides XSS would be injecting newlines. Lookup how email headers look like, find out if perhaps you can alter them and maybe say.. send an email to 100 people instead of just 1.
<Yoda> if someone says something i don't like, i ban him, ban whoever defends him, and then ban the witnesses...
-
weekend hacker - Administrator
- Posts: 190
- Joined: Sun Apr 13, 2008 2:39 pm
- Location: 127.0.0.1
- Blog: View Blog (0)
Re: XSS
by WallShadow on Mon Dec 03, 2012 5:25 pm
([msg=71516]see Re: XSS[/msg])
weekend hacker wrote:Also, if this is an email script, one other thing to look at besides XSS would be injecting newlines. Lookup how email headers look like, find out if perhaps you can alter them and maybe say.. send an email to 100 people instead of just 1.
-
WallShadow - Contributor
- Posts: 535
- Joined: Tue Mar 06, 2012 9:37 pm
- Blog: View Blog (0)
5 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 0 guests