Difference between revisions of "XSS in error pages"


Revision as of 17:13, 4 November 2007

This is an Attack. To view all attacks, please see the Attack Category page.


When creating dynamic web pages it is easy to make a mistake. If a generated page depends on entered data (e.g. URI, HTTP headers etc.) and this data is not filtered sufficiently, it can be exploited using the XSS technique.


Example 1

Let's assume that we have an error page that handles requests for non-existent pages: a classic 404 error page. We may use the code below as an example to inform the user which specific page is missing:


<?php
// Vulnerable: the decoded request URI is written into the page without HTML escaping.
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);


Let's see how it works:


In response we got:

Not found: /file_which_not_exist

Now we will try to force the error page to include our code:


The result is:

Not found: / (but with JavaScript code <script>alert("TEST");</script>)

We have successfully injected the code, our XSS! What does it mean? For example, that we may try to steal the cookies. Problems which may occur when using the XSS technique are:

  • escaping data entered by the user (e.g. character " after escaping will be \"),
  • maximum length of the URI, which HTTP server will accept.
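For comparison with the vulnerable handler in Example 1, here is a hardened version of the same 404 page. It is an added example, not code from the original page. The function name render_not_found() and the sample URIs are constructed for illustration, and it assumes the URI is written into HTML body text (not into an attribute, script or URL context).

```php
<?php
// Added example: hardened variant of the 404 handler from Example 1.
// render_not_found() is a hypothetical helper name; sample URIs are constructed.

function render_not_found(string $requestUri): string
{
    // Decode for display only, as the original handler does.
    $decoded = urldecode($requestUri);
    // Encode for the HTML body context: < > & " ' become entities, so the
    // browser renders the text instead of parsing it as markup.
    // ENT_SUBSTITUTE replaces invalid UTF-8 rather than returning "".
    $safe = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'Not found: ' . $safe;
}

if (PHP_SAPI !== 'cli') {
    // Web request: send the status and an explicit charset so the browser
    // cannot guess a different encoding for the echoed bytes.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo render_not_found($_SERVER['REQUEST_URI'] ?? '/');
    exit;
}

// Command-line self-check over constructed inputs.
$samples = [
    '/file_which_not_exist',                        // benign request from Example 1
    '/<script>alert("TEST");</script>',             // payload from Example 1, raw
    '/%3Cscript%3Ealert(%22TEST%22);%3C/script%3E', // same payload, percent-encoded
];

foreach ($samples as $uri) {
    $out = render_not_found($uri);
    // No literal markup delimiter may survive in the rendered line.
    if (strpos($out, '<') !== false || strpos($out, '>') !== false) {
        throw new RuntimeException("unescaped markup in output for: $uri");
    }
    echo $out, PHP_EOL;
}
```

Run it with the PHP command-line interpreter to see the escaped output for each sample; served by a web server, the same file acts as the 404 page.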

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures