The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users



For example, consider the following URL, which returns the error message shown in Figure 12-1:

https://wahh-app.com/error.php?message=Sorry%2c+an+error+occurred

Figure 12-1: A dynamically generated error message

Looking at the HTML source for the returned page, we can see that the application is simply copying the value of the message parameter in the URL and inserting this into the error page template at the appropriate place:

Sorry, an error occurred.

This behavior of taking user-supplied input and inserting it into the HTML of the server’s response is one of the signatures of XSS vulnerabilities, and if no filtering or sanitization is being performed, then the application is certainly vulnerable. Let’s see how.

The following URL has been crafted to replace the error message with a piece of JavaScript that generates a pop-up dialog:

https://wahh-app.com/error.php?message=

Requesting this URL generates an HTML page that contains the following in place of the original message:

And sure enough, when the page is rendered within the user’s browser, the pop-up message appears, as shown in Figure 12-2.
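The following Python is an added illustration, not code from the book or from wahh-app.com: it models the error.php behaviour described above with a constructed template, shows the same page rendered with the message parameter copied verbatim versus HTML-encoded, and includes a simple reflection check of the kind a defender uses to confirm that user input no longer reaches the response as live markup.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the error page template; the book does not show
# the real one, only the paragraph the message lands in.
TEMPLATE = "<html><body><p>{message}</p></body></html>"


def message_from_url(url: str) -> str:
    """Extract and URL-decode the message parameter the way the server sees it."""
    params = parse_qs(urlparse(url).query)
    return params.get("message", [""])[0]


def render_error_vulnerable(message: str) -> str:
    """Copy the parameter into the template verbatim, as the text says error.php does.

    Anything markup-significant in the input becomes part of the page's HTML.
    """
    return TEMPLATE.format(message=message)


def render_error_safe(message: str) -> str:
    """HTML-encode the parameter so the browser renders it as text, not markup.

    html.escape turns < > & " ' into entities; the message still displays
    correctly, but it can no longer change the structure of the page.
    """
    return TEMPLATE.format(message=html.escape(message, quote=True))


def reflects_raw_markup(message: str, body: str) -> bool:
    """Defensive check: does the input appear in the response with its
    markup-significant characters intact?

    This is the 'signature' the text describes: unencoded reflection of
    input into HTML. A True result means output encoding is missing.
    """
    if not any(c in message for c in "<>\"'&"):
        return False  # plain text reflection is harmless by itself
    return message in body


if __name__ == "__main__":
    url = "https://wahh-app.com/error.php?message=Sorry%2c+an+error+occurred"
    msg = message_from_url(url)
    print(render_error_vulnerable(msg))
    probe = "<b>constructed probe</b>"  # harmless markup, not a payload
    print("vulnerable reflects markup:", reflects_raw_markup(probe, render_error_vulnerable(probe)))
    print("hardened reflects markup:", reflects_raw_markup(probe, render_error_safe(probe)))
```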

