Difference between revisions of "XSS in error pages"

From OWASP
Line 67:
 ==Related [[Attacks]]==
 * [[XSS Attacks]]
-* [[Category:Injection Attack]]
+* [[:Category:Injection Attack]]
 * [[Invoking untrusted mobile code]]
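Review bot: the leading colon is the right fix here. In MediaWiki `[[Category:Injection Attack]]` is a category assignment that renders nothing in the page body, so the bullet under Related Attacks was empty; `[[:Category:Injection Attack]]` renders as a visible link to the category page.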
  
Line 74:
 ==Related [[Controls]]==
-* [[Category:Input Validation]]
+* [[:Category:Input Validation Control]]
 * [[HTML Entity Encoding]]
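Review bot: this hunk bundles two changes, the leading colon that turns the category tag into a link and a rename from `Input Validation` to `Input Validation Control`. Confirm that a category with the new name actually exists; otherwise the bullet renders as a red link to a missing category page.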
  

Revision as of 13:24, 27 October 2008

This is an Attack. To view all attacks, please see the Attack Category page.



This page was marked to be reviewed for deletion.


#REDIRECT Cross-site Scripting (XSS)




Description

While creating dynamic web pages it is easy to make a mistake. If a generated page includes data taken from the request (e.g. the URI, HTTP headers, etc.) and these data are not sufficiently validated and encoded, the page can be exploited using the XSS technique.

Risk Factors

TBD


Examples

Example 1

Let's assume that we have an error page which handles requests for non-existing pages, a classic 404 error page. We may use the code below as an example to inform the user which page is missing:

<html>
<body>

<?php
// Vulnerable: the decoded request URI is written into the HTML body
// without any encoding, so markup in the path is rendered by the browser.
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);
?>

</body>
</html>

Let's see how it works:

http://testsite.test/file_which_not_exist

In response we got:

Not found: /file_which_not_exist

Now we will try to force the error page to include our code:

http://testsite.test/<script>alert("TEST");</script>

The result is:

Not found: / (the page shows only the slash, but the response body contains <script>alert("TEST");</script>, which the browser executes instead of displaying)

We have successfully injected the code, our XSS! What does it mean? For example, that we may try to steal the cookies. Problems which may occur when using the XSS technique are:

  • escaping of data entered by the user (e.g. a " character becomes \" after escaping),
  • the maximum URI length that the HTTP server will accept.
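The hardened form of the Example 1 handler, added here as an illustration and not code from the OWASP page: the request path is HTML-entity-encoded before it is reflected into the error page. The function names and the sample request path are assumptions made for this demonstration.

```php
<?php
// Added example (not from the OWASP page): the vulnerable 404 handler from
// Example 1 next to a hardened version that HTML-entity-encodes the
// reflected request path before it reaches the page body.
// Function names and the sample request path are constructed for this demo.

// Vulnerable: the decoded request URI is concatenated straight into HTML.
function render_not_found_vulnerable(string $request_uri): string
{
    return "Not found: " . urldecode($request_uri);
}

// Hardened: encode <, >, &, " and ' so injected markup is displayed as text
// instead of being parsed by the browser. ENT_QUOTES covers both quote
// styles, which matters if the value is ever reused inside an attribute.
function render_not_found_safe(string $request_uri): string
{
    $path = urldecode($request_uri);
    return "Not found: " . htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the request from Example 1 as the server sees it in
// $_SERVER["REQUEST_URI"] after the browser percent-encodes the path.
$sample_uri = '/%3Cscript%3Ealert(%22TEST%22);%3C/script%3E';

echo "vulnerable: " . render_not_found_vulnerable($sample_uri) . "\n";
echo "hardened:   " . render_not_found_safe($sample_uri) . "\n";
```

The encoding shown matches the HTML body context of the example; a value reflected into an attribute, a URL or a script block needs the encoding appropriate to that context, and the response should declare its charset so the browser decodes the page as intended.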

Related Threat Agents

  • TBD

Related Attacks

Related Vulnerabilities

Related Controls