I’ve been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that’s all.
What do I have to do for make it vulnerable?? (then I’ll learn what I shouldn’t do hehe)
Cheers.
Advertisement
Answer
Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.
PHP example:
<!doctype html><html lang="en"> <head><title>XSS test</title></head> <body> <form><input type="text" name="xss"><input type="submit"></form> <p>Result: <?= $_GET['xss'] ?></p> </body></html>JSP example:
<!doctype html><html lang="en"> <head><title>XSS test</title></head> <body> <form><input type="text" name="xss"><input type="submit"></form> <p>Result: ${param.xss}</p> </body></html>Alternatively you can redisplay the value in the input elements, that’s also often seen:
<input type="text" name="xss" value="<?= $_GET['xss'] ?>">resp.
<input type="text" name="xss" value="${param.xss}">This way “weird” attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as
<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by <, > and " so that enduser input doesn’t end up to be literally embedded in HTML source but instead just got displayed as it was entered.