Michael Ruebner <nj**@lunchinglads.netwrites:
Joost Diepenmaat:
*If* that's true, then the input can be used as an XSS attack -
they'll just have to lure some unsuspecting victim to the
error/feedback page you created.
None of the returned values will ever be stored in a session (or make it
into the database), so I assume that hijacking and/or redirection will not
be an issue. Put another way around, if the attacker's browser will be the
only client to display rouge input, what's the harm to the rest of us?
vulnerable.php =<?php print ($_GET['print']); ?>
<a href="vulnerable.php?print=<script>alert(document. cookie)</script>">
Please follow this link</a>
The attacker is the person who creates the link (or form, if it's a
POST-based attack instead).
The victim is the person who gets tricked into clicking on it.
They don't need to be the same person.
Persistent XSS, where the value gets stored in the database and then
redisplayed, is *worse* than this because the victims just have to
look at the legitimate site, and the more that look, the worse it
gets. However, tricking someone into clicking on a link on a
relatively unrelated web page is not exactly difficult.
With most common web programming languages making it incredibly
difficult to avoid filling code with XSS bugs, it's not an easy thing
to ensure doesn't happen, but it's absolutely necessary.
http://www.cgisecurity.com/articles/xss-faq.shtml has a few more examples.
--
Chris