The concept of cross-site scripting rang a bell inside me a long time ago. I was kind of wary about it and I even learnt to perform it. Hey, I am not a hacker, don't start getting ideas already. It's just that I am curious and feel very happy to experiment with stuff the safe way, as most of us prefer to do. Recently I came across a nice post about it at https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
It was very informative and very useful. I am getting newer ideas even as I am typing this one down. Everything posted on the site is basic and clean, but it opens up my mind to a lot of potentially hazardous methods which, if employed by someone against my sites, would be a massacre.
To my mind, some of the things that bother me about how XSS may affect us are:
1.
<html>
<body>
<?php
// Vulnerable: the decoded request path is printed without HTML encoding
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>
</body>
</html>
2.
http://testsite.test/<script>alert("TEST");</script>
3.
<%...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
rs.next();
String name = rs.getString("name");
%>
Employee Name: <%= name %>
<% } %>
where name, as read from the database, can be an XSS hack.
You can steal the user's session cookie, etc., and a lot more such examples can be made.
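The "Not found" page from item 1, hardened with output encoding, as an added example that is not part of the original post. The function name render_not_found is hypothetical, and the sample path is the one from item 2.

```php
<?php
// Added example: hardened form of the "Not found" page from item 1.
// render_not_found() is a hypothetical helper name, not from the post.

function render_not_found(string $requestUri): string
{
    // Decode as the original page does, then HTML-encode the result so
    // that <, >, &, " and ' are emitted as entities. The browser then
    // renders the path as text instead of parsing it as markup.
    $safe = htmlspecialchars(
        urldecode($requestUri),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );

    return "<html>\n<body>\nNot found: " . $safe . "\n</body>\n</html>\n";
}

if (PHP_SAPI !== 'cli') {
    // Served by a web server: send a real 404 and declare the charset,
    // so the encoding used above matches what the browser decodes.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    // Defence in depth: without 'unsafe-inline', inline <script> blocks
    // are refused even if some output path misses its encoding step.
    header("Content-Security-Policy: default-src 'self'");
    echo render_not_found($_SERVER['REQUEST_URI']);
} else {
    // Run from the command line with a constructed sample input:
    // the request path shown in item 2.
    echo render_not_found('/<script>alert("TEST");</script>');
}
```

The same encoding step applies to the JSP case in item 3: the value read from the database has to be HTML-encoded at the point where it is written into the page. Marking the session cookie HttpOnly limits the cookie theft mentioned above, because script running in the page cannot read it.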
Most of the time, when I am into serious mind-wrecking program issues, all I would need is one loophole, however small it may be, and I would fix the issues. I will just get whatever I want out of it.
All I did here was 10 minutes of thinking about what I can do with XSS. And I already got a lot of options.
Worst case, if I could understand a browser, which I definitely can if I spend a couple of months maybe, I myself can do idiotic stuff. So what can a full-time hacker be capable of? Hope I don't get a cyber attack. This is scary.