User Controls

This is pretty neat.

  1. #1
    Sophie Pedophile Tech Support
    Turn NoScript off if you have it on.

    http://www.uaevents.com/site/page.php?id=155&title=%3Cscript%3Ealert%28%22Sophie+is+a+Skid%22%29%3C%2Fscript%3E&Submit=Go


    Why the hell does this even work.
  2. #2
    Lanny Bird of Courage
    Chrome master race reporting in:



    But yeah, it's just a different flavor of injection attack. You (or the developer in this case) should never insert untrusted strings into your markup without sanitization, otherwise this will happen and you can hijack people's sessions.
  3. #3
    Sophie Pedophile Tech Support
    Chrome master race reporting in:



    But yeah, it's just a different flavor of injection attack. You (or the developer in this case) should never insert untrusted strings into your markup without sanitization, otherwise this will happen and you can hijack people's sessions.

    All your sessions are belong to me. So why do you think the developer failed to sanitize? Seems pretty silly not to.
  4. #4
    Lanny Bird of Courage
Ehh, why does anyone make any mistake? The dev was probably just trying to implement something on a deadline and didn't think about it. There's also a cultural factor: pretty much everyone knows about SQL injection, and even an entry-level web dev would know that when you're manually concatenating SQL strings you're probably fucking something up. Awareness of XSS issues is not as thoroughly dispersed. It depends on the environment: in more modernized frameworks markup sanitization happens by default and you have to very intentionally declare your intention to sidestep it, whereas probably a majority of PHP code, even today, has ad-hoc tooling rather than the well-thought-out communal approach you see in major frameworks. It's not a particularly complicated problem in concept, but by the nature of the response pipeline, managing strings end-to-end in a safe way takes a lot of machinery that it would be unusual to see done at all, much less done right, in a frameworkless PHP project.
  5. #5
    Sophie Pedophile Tech Support
Ehh, why does anyone make any mistake? The dev was probably just trying to implement something on a deadline and didn't think about it. There's also a cultural factor: pretty much everyone knows about SQL injection, and even an entry-level web dev would know that when you're manually concatenating SQL strings you're probably fucking something up. Awareness of XSS issues is not as thoroughly dispersed. It depends on the environment: in more modernized frameworks markup sanitization happens by default and you have to very intentionally declare your intention to sidestep it, whereas probably a majority of PHP code, even today, has ad-hoc tooling rather than the well-thought-out communal approach you see in major frameworks. It's not a particularly complicated problem in concept, but by the nature of the response pipeline, managing strings end-to-end in a safe way takes a lot of machinery that it would be unusual to see done at all, much less done right, in a frameworkless PHP project.

    Makes sense, thanks for the insight.
  6. #6
    Merlin Houston
    Does this present a risk to the owner/maintainer of the site or just the end user?
  7. #7
    Sophie Pedophile Tech Support
    Does this present a risk to the owner/maintainer of the site or just the end user?

    Both. If you're able to use XSS to hijack someone's session you can potentially gain unauthorized access to privacy-sensitive information on both client and host.
  8. #8
    Reported