[nycphp-talk] PHP Penetration Discussion
Jose Villegas
jv_nyphp at duikerbok.com
Sat May 28 11:46:36 EDT 2005
I guess my biggest question is, does this type of hack depend on the
user's information being stored in a database and displayed to other
users? Or is there another kind of vulnerability?
jose
On May 28, 2005, at 11:33 AM, inforequest wrote:
>
> I think Rasmus' example was a cross-site scripting example, not
> stealing cookies.
>
> The faulty web page was coded to build a form based on incoming
> parameters in the GET string. So Rasmus ADDED encoded stuff to that
> GET string, with a script from Rasmus' own website somewhere else.
> When the faulty page parsed the incoming GET it also followed Rasmus'
> added instructions, which loaded javascript from another webserver
> somewhere else.
>
> That other-site script could be a fake login that collects
> usernames/passwords. Easier than hacking cookies.
> ...
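
The reflected case described in the quoted reply, as an added example that is not part of the original thread: a page that builds a form field from a GET parameter, first copied in unescaped and then escaped with `htmlspecialchars()`. The function names, the `name` parameter and the sample value are hypothetical; the value comes straight from the request and nothing is stored in a database.

```php
<?php
// Added example, not code from the thread. render_form_unsafe(),
// render_form_safe() and the "name" parameter are hypothetical names.

// Vulnerable: the GET value is copied into the markup as-is, so a value
// that closes the attribute can add its own tags to the page.
function render_form_unsafe(array $get): string
{
    $name = $get['name'] ?? '';
    return '<form method="post"><input type="text" name="name" value="'
        . $name . '"></form>';
}

// Hardened: escape for the HTML attribute context at output time.
function render_form_safe(array $get): string
{
    $name = $get['name'] ?? '';
    if (!is_string($name)) {
        // ?name[]=x arrives as an array; treat it as empty.
        $name = '';
    }
    // ENT_QUOTES escapes both quote styles, so the value cannot leave the
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post"><input type="text" name="name" value="'
        . $escaped . '"></form>';
}

// Constructed sample standing in for $_GET after PHP has URL-decoded it.
$sample = [
    'name' => '"><script src="https://other-site.invalid/x.js"></script>',
];

$unsafe = render_form_unsafe($sample);
$safe   = render_form_safe($sample);

// Does the rendered page contain a raw script tag?
var_dump(stripos($unsafe, '<script') !== false);
var_dump(stripos($safe, '<script') !== false);

// The hardened output keeps the submitted text as inert field content.
echo $safe, PHP_EOL;
```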