473,232 Members | 1,647 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,232 software developers and data experts.

Cross-Site Scripting basic sample

Hi!

I just read in "Writing Secure Code" book a chapter about Cross-Site
Scripting.
Here the relevant paragraph:

This is bad because a malicious user could access another's important
data, such as their cookies.
I bet you've seen ASP code like this before:
Hello,  
<%
Response.Write(Request.Querystring("name"))
%>

This code will write out to the browser whatever is in the name field
in the querystring, for example:
www.hexair-sample-13.com/req.asp?name=Blake

So, that seems fine and secure, but what if an attacker can convince a
user to click on this link, for example on a Web page, a newsgroup or
an e-mail message? That doesn't seem like a big deal, until you
realize that an attacker could have the unsuspecting user click on
this link:
<a href=www.hexair-sample-13.com/req/asp?name=scriptcode>Click here to
win $1,000,000</a>

My question is:

Suppouse I have the following code which I want to put in "scriptcode"
variable.
<script>x=document.cookie; alert(x); </script></scriptcode>

I created the HTML page as follows:

<HTML>
<BODY>
<a href=http://localhost/Sec/sample.asp?name=scriptcode> Click
Here</a>
</BODY>
</HTML>
Where and how I put my scriptcode ?
All this just for educational reasons...

Thanks a lot !
Jul 19 '05 #1
0 1695

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

12
by: * ProteanThread * | last post by:
but depends upon the clique: ...
3
by: rollasoc | last post by:
Hi, Doing a bit of system testing on a Windows 98 laptop. (.Net 1.1 app). Did a bit of testing. Loaded a previously saved file. A gray box appeared with the text and buttons all white...
4
by: David Peach | last post by:
Hello, hope somebody here can help me... I have a query that lists defects recorded in a user defined date range. That query is then used as the source for a Cross Tab query that cross-tabs count...
23
by: Jeff Rodriguez | last post by:
Here's what I want do: Have a main daemon which starts up several threads in a Boss-Queue structure. From those threads, I want them all to sit and watch a queue. Once an entry goes into the...
8
by: Pieter | last post by:
Hi, I'm having some weird problem using the BackGroundWorker in an Outlook (2003) Add-In, with VB.NET 2005: I'm using the BackGroundWorker to get the info of some mailitems, and after each item...
3
by: jlamanna | last post by:
I was wondering if there was a utility that could tell you when your C# application is making cross-apartment COM calls. I have a fairly large application that makes extensive use of a 3rd party...
1
by: Rob Woodworth | last post by:
Hi, I'm having serious problems getting my report to work. I need to generate a timesheet report which will contain info for one employee between certain dates (one week's worth of dates). I...
6
by: Robert Bravery | last post by:
Hi all, Can some one show me how to achieve a cross product of arrays. So that if I had two arrays (could be any number) with three elements in each (once again could be any number) I would get:...
7
by: Charles | last post by:
I'd like to develop a simple cross-platform application in C++. I'd like it to run in Windows, OS X, PC-BSD and Linux. From my research, it seems I should use Qt or Gtk as a graphical library. Do...
6
by: Simon | last post by:
Hi All, An experiment i'm doing requires requires a synchronous cross-domain request, without using a proxy. I wondered if anyone had any ideas to help me achieve this. Below is what I have...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.