
XSS (CSS) - Cross-site scripting, can anyone help explain it?

Fatal Berserker
Joined: 2nd Jul 2010
Posted: 24th Nov 2010 18:46 Edited at: 24th Nov 2010 18:48
Hey, I bashed my site into 'ZeroDayScan' and even though the report seems incomplete, it did tell me that I have a security risk.

For the purpose of learning how to fix it I will post the error:
"http://www.guildfreaks.com/List/index.php?type='"><script>alert(1)</script>"

Now all that does anyway is get info from the database, and other than MySQL injection (which shouldn't be possible), I don't see how it really is a security risk.
But I did try anyway to crack it while I was at school, and I couldn't get anywhere.

Can anyone tell me why this is an error, and how I could crack it (so I can learn to defend from it)?



Smoke me a kipper, I'll be back for breakfast.

MMORPG -- Many Men Online Role Playing as Girls

G.I.R.L -- Guy In Real Life

Gencheff
Joined: 12th Jun 2010
Location: UK by way of USSR
Posted: 24th Nov 2010 18:55 Edited at: 24th Nov 2010 18:56
The usual risk is injecting unwanted HTML into your page, ruining its structure. Most of the time the attacker will aim for cookies to get user information and redirect to one of his scripts.

Another example is if you have, let's say, a comment page on your website and some user writes alert('Your page got screwed'); or something worse, like a redirect script to one of his sites or something. It's annoying, but there's a way to avoid it.

2 options (probably more, but that's off-topic).

1. Use strip_tags(); (PHP function, removes all HTML from $_POST[])
2. Use htmlentities(); (recommended, makes all contents show up as plain text and no HTML will be executed)

Fatal Berserker
Joined: 2nd Jul 2010
Posted: 24th Nov 2010 19:02 Edited at: 24th Nov 2010 19:04
@Gencheff, thanks mate.
I guess it only happens when I echo the GET directly.
e.g.
echo $_GET['type'];
Otherwise, I don't see how it could be inserted into the code?

If anyone wants to see my site fail atm I got a link here:

http://www.guildfreaks.com/List/index.php?type='%22%3E%3Cscript%3Ealert('THIS%20SITE%20IS%20FAKE%20AND%20GAY')%3C/script%3E

It's pretty interesting imo.

Gencheff
Joined: 12th Jun 2010
Location: UK by way of USSR
Posted: 24th Nov 2010 19:13
If it's a $_GET[] then it's not much of a big deal, however don't leave $_GET[] open when accessing a DB. Use mysql_real_escape_string(); or something similar.

I'd say if you want to avoid this stuff, just go for this (rough draft):



Doesn't necessarily have to be like this, and if you are using PEAR the code is a bit different, but you get the idea.
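Added here as an illustration (not code from the thread or from guildfreaks.com): the reflected pattern from Fatal Berserker's post (echo $_GET['type']) next to the output-encoded version Gencheff recommends, with a prepared statement standing in for mysql_real_escape_string() on the database side. The function names, the SQLite table and the sample row are made up for the example.

```php
<?php
// Added example, not code from the thread. Function names, the table and
// the sample row are invented for illustration.

// The exact payload ZeroDayScan reported, as PHP would see it in $_GET['type']
// after URL decoding (constructed test input).
$payload = '\'"><script>alert(1)</script>';

// Vulnerable: the raw query-string value lands in the HTML unchanged, so the
// quote and angle brackets close the attribute and start a <script> element.
function render_type_vulnerable(string $type): string
{
    return '<input type="text" name="type" value="' . $type . '">';
}

// Hardened: encode the HTML metacharacters (& < > " ') before output.
// ENT_QUOTES also encodes the single quote, which matters for single-quoted
// attributes; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8 input.
function render_type_safe(string $type): string
{
    $enc = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="type" value="' . $enc . '">';
}

// Database side: bind the value as a parameter instead of escaping it by
// hand. An in-memory SQLite table stands in for the site's MySQL table
// (assumes the pdo_sqlite extension is available).
function lookup_type(PDO $db, string $type): array
{
    $stmt = $db->prepare('SELECT name FROM guilds WHERE type = :type');
    $stmt->execute([':type' => $type]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE guilds (name TEXT, type TEXT)');
$db->exec("INSERT INTO guilds VALUES ('Kipper Crew', 'pve')");

echo 'vulnerable: ' . render_type_vulnerable($payload) . PHP_EOL;
echo 'safe:       ' . render_type_safe($payload) . PHP_EOL;

// The payload is treated purely as data: it matches no rows and cannot
// change the shape of the SQL statement.
var_dump(lookup_type($db, $payload));
var_dump(lookup_type($db, 'pve'));
```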

Fatal Berserker
Joined: 2nd Jul 2010
Posted: 24th Nov 2010 19:14
Other than POST, what would it be if it is not GET?

Gencheff
Joined: 12th Jun 2010
Location: UK by way of USSR
Posted: 24th Nov 2010 19:17
That's pretty much it.

Fatal Berserker
Joined: 2nd Jul 2010
Posted: 24th Nov 2010 19:29
OK, thanks mate.
