Re: Preventing XSS Attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> >   
> >>> I've been doing a bit of reading, and I can't really understand why XSS
> >>> is such an issue. Sure, if a user can insert a <script> tag, what
> >>> difference will that make to anyone else, as it is only on their own
> >>> browser.
> >>>   
> >>>       
> >> 1. User 1 logs on to the application. Fills up the form with malicious 
> >> JS code in it. The server accepts the input, is stored in the database.
> >> 2. User 2 logs on to the application. Goes to the view the information 
> >> stored in the database. The JS gets executed on user 2's browser. User 
> >> is attacked by XSS.
> >>
> >> I hope that clarifies the question.
> >>
> >>
> >>     
> > It does to a degree. So I shouldn't really worry about it in this case,
> > as input from one user will never be displayed to any other user. If it
> > was a forum or something, it would, but the search string is only ever
> > shown to the user who entered it, and never stored for later display.
> >
> >   
> It is easy to slip by. I recall a website was hacked using XSS on the 
> page the admin views the log entries. Just in case, you or somebody else 
> tries to add the search log feature in the future, keep this at the back 
> of your mind. Having the user to click on a harmful URI is ridiculously 
> easy.
> 
>  
> 
> 
> -- 
> 
> With warm regards,
> Sudheer. S
> Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, Personal: http://sudheer.net
> 
> 
Yeah, I never realised what a minefield it could be, but I've been doing
a lot of reading today!

Thanks
Ash
www.ashleysheridan.co.uk


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux