help please


Post by KthProg on Thu Feb 07, 2013 2:32 pm

Say you had a textbox where you could type any HTML you wanted as long as you started it with " + and ended it with + " so that it will interpret your code separately, and it would be added to the page (the specific instance of the page that you're viewing anyways).

What would you type to get a list of files on the server?
What would you type in general if you wanted to glean information from your newfound ability to add any HTML to this site?

Assuming the page is ASP and you could add any script too.

EDIT:
Well, it sends it through an ASP script which changes the HTML, so at some point it does go through the server,
I'm just not sure when or how.

I know it occurs at line 24 (I induced an error and it told me the filename of the script and which line there was an error on).
Thanks for the tips.
Last edited by KthProg on Thu Feb 07, 2013 8:25 pm, edited 1 time in total.


Re: help please

Post by 0phidian on Thu Feb 07, 2013 3:20 pm

KthProg wrote: Say you had a textbox where you could type any HTML you wanted as long as you started it with " + and ended it with + " so that it will interpret your code separately, and it would be added to the page (the specific instance of the page that you're viewing anyways)

What would you type to get a list of files on the server?
What would you type in general if you wanted to glean information from your newfound ability to add any HTML to this site?

Assuming the page is ASP and you could add any script too.


I'm pretty sure you cannot get this kind of information via an XSS attack. JavaScript is client side so you would be attacking the people who view the page more than the server hosting it. These kinds of attacks are generally used to redirect users to a malicious server that will infect their computer, or for session hijacking.

If you want to know the code to do these things then start learning JavaScript.

-- Thu Feb 07, 2013 3:26 pm --

KthProg wrote: (the specific instance of the page that you're viewing anyways)

That would essentially be the same thing as changing the code with Firebug. That really does not help you if you're the only one viewing the page.


Re: help please

Post by centip3de on Thu Feb 07, 2013 5:25 pm

KthProg wrote: Say you had a textbox where you could type any HTML you wanted as long as you started it with " + and ended it with + " so that it will interpret your code separately, and it would be added to the page (the specific instance of the page that you're viewing anyways)

What would you type to get a list of files on the server?


You can add any HTML you want to a page, just save it, and dress it up for yourself. You cannot, however, add HTML to a page that affects the server copy of it. As HTML is 100% client side, it's impossible for it to communicate with the server. Also, HTML is a very basic language (not sure about HTML5) and cannot access any file-system of any type at any time.

KthProg wrote: What would you type in general if you wanted to glean information from your newfound ability to add any HTML to this site?


How the hell I was able to view server-side files using pure HTML.

KthProg wrote: Assuming the page is ASP and you could add any script too.


This is an XSS injection, I'd suggest you look that up.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
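
An added example, not part of any post in this thread and not the site's code: the `" + ... + "` framing in the question is what input looks like when a server script pastes it into a JavaScript string literal in the page it returns. Assuming that is what the ASP script does, this Node.js stand-in puts the raw concatenation beside an escaped version; all function names and sample inputs are constructed.

```javascript
// Added example: Node.js stand-in for the server-side script in the thread.
// Assumption: the textbox value is pasted into a JavaScript string literal
// in the HTML the server returns. Every name below is hypothetical.

// Vulnerable pattern: raw concatenation, so a '"' in the input ends the
// literal and the rest of the input is parsed as script.
function renderVulnerable(userText) {
  return '<script>var msg = "' + userText + '"; show(msg);</script>';
}

// Escape each character that can end the literal or the <script> block:
// quotes, backslash, <, >, &, control characters, U+2028 and U+2029.
function escapeForJsString(text) {
  return String(text).replace(/[\\"'<>&\u0000-\u001f\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function renderHardened(userText) {
  return '<script>var msg = "' + escapeForJsString(userText) +
    '"; show(msg);</script>';
}

// Model the browser: the HTML parser ends the script at the first "</script",
// then the script body must be exactly one assignment of one string literal.
// The \uXXXX escapes used above are also valid JSON string escapes.
function literalValue(page) {
  const end = page.toLowerCase().indexOf('</script');
  const body = page.slice('<script>'.length, end);
  const m = /^var msg = "((?:[^"\\]|\\.)*)"; show\(msg\);$/.exec(body);
  return m ? JSON.parse('"' + m[1] + '"') : null;
}

// True when the browser would see the whole input as one string value.
function staysInsideLiteral(render, userText) {
  return literalValue(render(userText)) === userText;
}

// Constructed inputs: the " + ... + " framing from the question, and a
// value that tries to close the script block.
const samples = ['" + anything + "', '</script><b>x</b>'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'vulnerable:', staysInsideLiteral(renderVulnerable, s),
    'hardened:', staysInsideLiteral(renderHardened, s));
}
```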