Security: App Security Controls - Paiet/Tech-Journal-for-Everything GitHub Wiki

Cross-Site Scripting (XSS) Example
- Example modified from http://www.thegeekstuff.com/2012/02/xss-attack-examples/

Page Contents:

    <?php
    $username = $_GET['username'];
    echo "<H1>Hello $username, welcome to ITProTV</H1><br><br>";
    echo "<a href='http://itpro.tv/'>Click here to continue to ITProTV</a>";
    ?>

Proper URL:

                http://127.0.0.1/index.php?username=Don

Attack URL:

        Download these show notes using the link above to see the
        full syntax

URL Substitution:

                http://127.0.0.1/index.php?username=<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://google.com/";}</script>

Input Validation:

    <?php
    $username = $_GET['username'];
    $username = htmlspecialchars($username);
    echo "<H1>Hello $username, welcome to ITProTV</H1><br><br>";
    echo "<a href='http://itpro.tv/'>Click here to continue to ITProTV</a>";
    ?>

    <?php
    $username = $_GET['username'];
    $username = preg_replace("/[^A-Za-z\- ]/", '', $username);
    echo "<H1>Hello $username, welcome to ITProTV</H1><br><br>";
    echo "<a href='http://itpro.tv/'>Click here to continue to ITProTV</a>";
    ?>

Security: App Security Controls - Paiet/Tech-Journal-for-Everything GitHub Wiki

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️