XSS exploit example?
Posted: Tue Dec 04, 2007 12:47 pm
Particularly the type two variety... URL injection style, I guess.
As I understand it, href can be exploited inside an anchor like so:
Code:
<a href="?idx=<?php echo $idx; ?>&key=<?php echo $key; ?>">This is a safe link click me</a>
The $idx variable has been secured, having been cast to an integer somewhere in the system. The $key however is a plaintext string representing first or last names. Because of names like O'Brien we do not addslashes (this is done already in the model to prevent SQLi), and so the server side is secured; however this opens a potential hole on the client side (XSS2) - or so I believed.
By not escaping/htmlspecialchars the $key and allowing characters like single quote, it's possible an attacker might try to halt the normal href sequence.
Code:
$key = "O'Brien"; // Expected input
Code:
<a href="?index=<?php echo $idx; ?>&key=<?php echo $key; ?>">Safe Url Click Me</a>
I have tried to change the URL to inject javascript, but have not been successful with the above url starting with '?'
The worst I can see happening is the attacker being able to add other GET name=value pairs, which should have no ill effect on my client. As for getting any javascript to execute... nothing.
So I ask, can someone show me how XSS exploits occur if the href is prefixed with a '?'
I can see situations like the one below causing potential problems:
Code:
<a href="<?php echo $_SERVER['PHP_SELF'] ?>?idx=<?php echo $idx; ?>">Potential Problems</a>
But once an expected character sets the tone for the URL I fail to see any exploits... so are URLs safe from XSS exploit if prefixed with a '?'
Cheers
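The following is an added PHP example, not code from the original post, written to answer the question above. It renders the post's anchor with an attacker-controlled $key and shows that the leading '?' only rules out a javascript: URL; it does nothing against the attacker closing the attribute. Because the href is double-quoted, the character that matters is the double quote, not the single quote from O'Brien. The function names, the sample payloads and the stand-in PHP_SELF value are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. It renders the post's
// anchor with an attacker-controlled $key to show that the leading '?' does
// not help: the double quote, not the single quote, ends the attribute.
// The function names and the sample payloads are assumptions for illustration.

// The post's template as written: $idx is already an int, $key is echoed raw.
function render_link_raw(int $idx, string $key): string
{
    return '<a href="?idx=' . $idx . '&key=' . $key . '">This is a safe link click me</a>';
}

// Hardened version. urlencode() keeps $key a single query value (no extra
// name=value pairs, no '"' or '<' reaching the markup), and htmlspecialchars()
// with ENT_QUOTES encodes anything left over for the attribute context, single
// quotes included, so O'Brien is still recoverable on the next request.
function render_link_safe(int $idx, string $key): string
{
    $attr = htmlspecialchars(urlencode($key), ENT_QUOTES, 'UTF-8');
    return '<a href="?idx=' . $idx . '&amp;key=' . $attr . '">This is a safe link click me</a>';
}

// The post's third snippet. $_SERVER['PHP_SELF'] is built from the request
// path, so a request for /page.php/"><script>...</script> reflects that path
// info straight into the attribute unless it is encoded.
function render_self_link(string $php_self, int $idx, bool $escape): string
{
    if ($escape) {
        $php_self = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    }
    return '<a href="' . $php_self . '?idx=' . $idx . '">Potential Problems</a>';
}

// Constructed inputs: the post's expected name plus two attacker-supplied keys.
$keys = [
    "O'Brien",                                   // expected input, harmless either way
    '"><script>alert(document.cookie)</script>', // closes href and the <a> tag
    '" onmouseover="alert(1)" x="',              // stays inside <a>, adds a handler
];

foreach ($keys as $key) {
    echo "key : $key\n";
    echo "raw : " . render_link_raw(7, $key) . "\n";
    echo "safe: " . render_link_safe(7, $key) . "\n\n";
}

// Constructed stand-in for what PHP fills in when the URL carries path info.
$phpSelf = '/page.php/"><script>alert(1)</script>';
echo "raw : " . render_self_link($phpSelf, 7, false) . "\n";
echo "safe: " . render_self_link($phpSelf, 7, true) . "\n";
```

Run it with `php example.php` and look at the raw output for the second key: the browser sees `<a href="?idx=7&key=">` followed by a script element, so the '?' prefix never came into play. The third key stays inside the anchor and adds an onmouseover handler instead. In the safe output both payloads survive only as percent-encoded query text. The same breakout applies to the PHP_SELF link, where the attacker needs no form field at all, just a crafted request path.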