Cross-Site Scripting basic sample

Hi!

I just read a chapter about Cross-Site Scripting in the book
"Writing Secure Code".
Here is the relevant paragraph:

This is bad because a malicious user could access another's important
data, such as their cookies.
I bet you've seen ASP code like this before:
Hello,  
<%
Response.Write(Request.Querystring("name"))
%>

This code will write out to the browser whatever is in the name field
in the querystring, for example:
www.hexair-sample-13.com/req.asp?name=Blake

So, that seems fine and secure, but what if an attacker can convince a
user to click on this link, for example on a Web page, a newsgroup or
an e-mail message? That doesn't seem like a big deal, until you
realize that an attacker could have the unsuspecting user click on
this link:
<a href=www.hexair-sample-13.com/req/asp?name=scriptcode>Click here to
win $1,000,000</a>

My question is:

Suppose I have the following code, which I want to put in the
"scriptcode" variable.
<script>x=document.cookie; alert(x); </script></scriptcode>

I created the HTML page as follows:

<HTML>
<BODY>
<a href=http://localhost/Sec/sample.asp?name=scriptcode> Click
Here</a>
</BODY>
</HTML>
Where and how do I put my scriptcode?
All this is just for educational reasons...

Thanks a lot !
Jul 19 '05 #1
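
The book's req.asp snippet with the parameter validated and the output HTML-encoded, as an added example that is not part of the original post or the book. The IsPlainName helper, its allowlist pattern and the "guest" fallback are assumptions chosen for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example (not from the book or the post).
' Assumed policy: a name is 1-40 characters, starts with a letter,
' and contains only letters, spaces, apostrophes or hyphens.
Function IsPlainName(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z '\-]{0,39}$"
    IsPlainName = re.Test(value)
End Function

Dim rawName, safeName

' Declare the charset so the browser does not guess the encoding.
Response.Charset = "utf-8"

rawName = Trim(Request.QueryString("name"))

' Step 1: validate against the allowlist; anything else falls back
' to a fixed value ("guest" is a hypothetical default).
If IsPlainName(rawName) Then
    safeName = rawName
Else
    safeName = "guest"
End If
%>
<html>
<body>
<%
' Vulnerable form from the book, kept here only for comparison:
'   Response.Write(Request.QueryString("name"))
'
' Step 2: encode on output. Server.HTMLEncode turns <, >, & and "
' into entities, so markup in the value is displayed as text and
' is never parsed as a tag by the browser.
%>
Hello, <%= Server.HTMLEncode(safeName) %>
</body>
</html>
```

With this version the script from the post fails the allowlist check, and even without that check Server.HTMLEncode would write it out as `&lt;script&gt;...` text rather than markup.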