mikesta707 Posted November 10, 2009 Share Posted November 10, 2009 Ok, I kind of understand what they are. Cross site scripting attacks, and they involve malicious code and yada yada yada But at the same time, I have no clue what XSS attacks are. Anyone willing to explain them? or show me a site that explains them pretty well? you can't yada yada sex... Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/ Share on other sites More sharing options...
Daniel0 Posted November 10, 2009 Share Posted November 10, 2009 Essentially XSS involves injecting arbitrary Javascript that can be executed on the client into a webpage. This allows you to make requests pretending to be the client. Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955209 Share on other sites More sharing options...
mikesta707 Posted November 10, 2009 Author Share Posted November 10, 2009 I see, are these similar to javascript injections? are they the same thing? Or is the Javascript added to the page itself (in the source)? Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955215 Share on other sites More sharing options...
Maq Posted November 10, 2009 Share Posted November 10, 2009 Say you had a site that people could post comments on and you don't check for certain tags or entities. If I wrote a comment that included: <br /> window.location='http://www.google.com';<br /> Then every time a user saw my comment, assuming they have JS enabled, they would be redirected to Google. This is just a simple example, but you can imagine what sort damage you could do by executing certain code. Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955216 Share on other sites More sharing options...
gizmola Posted November 10, 2009 Share Posted November 10, 2009 It's right in the acronym, although the X is a bit tricky. Cross (X) Site (S) Scripting (S). Break it down: "Cross Site" I'm on your site, but somehow I ended up running code from another site. "Scripting" -- ie. it's javascript/clientside code that is executing. Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955220 Share on other sites More sharing options...
Daniel0 Posted November 10, 2009 Share Posted November 10, 2009 I see, are these similar to javascript injections? are they the same thing? Or is the Javascript added to the page itself (in the source)? It's the same thing. Really you could inject any HTML to an XSS vulnerable page, but injecting Javascript is the by far most common attack vector. Say for instance a login page was vulnerable. You could use XSS to harvest credentials by adding an onsubmit event to the form that submits the form data to an external script that logs it. You could also steal people's cookies unless they're set to HTTP only. Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955225 Share on other sites More sharing options...
mikesta707 Posted November 10, 2009 Author Share Posted November 10, 2009 Ah I understand. Apparently I did know what they were, but didn't realize what they were called. Thanks all Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955226 Share on other sites More sharing options...
cags Posted November 10, 2009 Share Posted November 10, 2009 I'd also suggest reading up abit on CSRF while your in the learning mood Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955229 Share on other sites More sharing options...
mikesta707 Posted November 10, 2009 Author Share Posted November 10, 2009 I am in a learning mood I guess thats what boredom at work does to you. Thanks! Link to comment https://forums.phpfreaks.com/topic/181038-xss-attacks/#findComment-955231 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.