WebApp Sec mailing list archives
XSS help
From: "Serg B." <serg () dodo com au>
Date: Mon, 09 Aug 2004 23:12:34 +1000
Hi All,

I am testing a site and came across a scenario where there is a login form displayed on the front page with a form heading that is displayed by being passed in from a GET variable, by appending it to the URL. E.g.:

www.mydomain.com/form.php?var=Welcvome+To...

So the obvious first thing was to fiddle around with some JS, and I was able to successfully pass in:

var=<script>alert(document.cookie)</script>

(JavaScript) classic XSS, if there is such a thing.

So this leads me to the next thought. Is it at all possible to execute arbitrary server-side code on the server via this bug? E.g.:

www.mydomain.com/form.php?var=<?php echo 'test' ?>

This was unsuccessful since quotes (both ' and ") got escaped. I then tried:

www.mydomain.com/form.php?var=<?php echo 1 ?>

Which echoed everything, PHP tags, code, etc. (from looking at the page source). I also tried to wrap all of this business in the JS escape function with no luck.

So the question is how I could run PHP (not JavaScript, since that was covered in numerous papers and presentations...) from what I found.

Thanx,
Serg
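Why the submitted PHP tags come back verbatim in the page source, and how the reflection itself is closed, as an added example that is not part of the original post or the tested site's code. The two `render_heading_*` functions are a hypothetical reconstruction of `form.php`, and `addslashes` stands in for the quote escaping described above (an assumption about how the site does it).

```php
<?php
// Added example: hypothetical reconstruction of form.php, not the site's code.

// Vulnerable form: the GET value is concatenated into the page unencoded.
// The value is string data. PHP only parses source files it loads; bytes
// written to the response are never parsed again, so PHP tags in the value
// reach the browser as text, while script tags are acted on by the browser.
function render_heading_vulnerable(string $var): string
{
    return '<h1>' . $var . '</h1>';
}

// Hardened form: HTML-encode at output time so markup in the value is inert.
function render_heading_hardened(string $var): string
{
    $safe = htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $safe . '</h1>';
}

// The three values from the post, as they would arrive after URL decoding.
$samples = [
    '<script>alert(document.cookie)</script>',
    "<?php echo 'test' ?>",
    '<?php echo 1 ?>',
];

foreach ($samples as $raw) {
    // Assumption: the escaping seen in the post behaves like addslashes().
    // It changes quotes only, so it does nothing for the HTML context.
    $received = addslashes($raw);

    $vulnerable = render_heading_vulnerable($received);
    $hardened   = render_heading_hardened($received);

    // Check a defender can automate: no raw angle bracket from the input
    // may survive into the rendered heading body.
    $body = substr($hardened, strlen('<h1>'), -strlen('</h1>'));
    $inert = (strpbrk($body, '<>') === false);

    echo "input:      $raw\n";
    echo "vulnerable: $vulnerable\n";
    echo "hardened:   $hardened\n";
    echo 'inert:      ' . ($inert ? 'yes' : 'no') . "\n\n";
}
```

Run with the PHP CLI, the vulnerable lines show every input reflected with its tags intact, and the hardened lines show the same inputs with `<`, `>` and quotes turned into entities.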