Cross-Site Scripting basic sample


I just read in "Writing Secure Code" book a chapter about Cross-Site
Here is the relevant paragraph:

This is bad because a malicious user could access another's important
data, such as their cookies.
I bet you've seen ASP code like this before:

This code will write out to the browser whatever is in the name field
in the querystring, for example:

So, that seems fine and secure, but what if an attacker can convince a
user to click on this link, for example on a Web page, a newsgroup or
an e-mail message? That doesn't seem like a big deal, until you
realize that an attacker could have the unsuspecting user click on
this link:
<a href=www.hexair-sample-13.com/req/asp?name=scriptcode>Click here to
win $1,000,000</a>

My question is:

Suppose I have the following code which I want to put in "scriptcode":
<script>x=document.cookie; alert(x); </script></scriptcode>

I created the HTML page as follows:

<a href=http://localhost/Sec/sample.asp?name=scriptcode> Click
Where and how do I put my scriptcode?
All this just for educational reasons...

Thanks a lot!
Jul 19 '05 #1
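
An added example, not part of the original post or the book: the quoted passage describes a page that writes the `name` query-string field to the browser unchanged, and the sketch below puts that behaviour beside an output-encoded version. The function names are hypothetical, and the handlers take the already-decoded field value as the server would read it.

```javascript
// Added example; function names are hypothetical, not from the post or the book.
// Models a page that echoes the decoded `name` field into an HTML response.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the field value is concatenated into markup as-is,
// so any markup inside it becomes part of the page.
function renderUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Hardened form: the value is encoded for the HTML context at output time,
// so the browser displays it as text instead of parsing it.
function renderSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// True when the rendered markup would contain a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: an ordinary name, and the script quoted in the post
// standing in for the decoded field value.
const samples = [
  'Blake',
  '<script>x=document.cookie; alert(x); </script>',
];

for (const value of samples) {
  const unsafe = renderUnsafe(value);
  const safe = renderSafe(value);
  console.log('unsafe:', unsafe, '| live script:', containsScriptTag(unsafe));
  console.log('safe:  ', safe, '| live script:', containsScriptTag(safe));
}
```

For an ordinary name both forms produce the same markup; only the encoded form keeps the second sample as inert text.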