Difference between revisions of "XSS in error pages"


Latest revision as of 06:50, 3 June 2009

This page was marked to be reviewed for deletion.

#REDIRECT Cross-site Scripting (XSS)


While creating dynamic web pages it is easy to make a mistake. If a generated page depends on data supplied by the client (e.g. the URI, HTTP headers, etc.) and that data is not filtered or encoded sufficiently, the page can be exploited using an XSS technique.

Risk Factors



Example 1

Let's assume that we have an error page which handles requests for non-existent pages: a classic 404 error page. We may use the code below as an example that informs the user which page is missing:


<?php
// Vulnerable: the decoded request URI is printed into the page without any HTML encoding
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);


Let's see how it works:


In response we got:

Not found: /file_which_not_exist

Now we will try to force the error page to include our code:


The result is:

Not found: / (but with JavaScript code <script>alert("TEST");</script>)

We have successfully injected the code, our XSS! What does it mean? For example, that we may try to steal the cookies. Problems that may arise when using this XSS technique are:

  • escaping of data entered by the user (e.g. the character " becomes \" after escaping),
  • the maximum length of the URI that the HTTP server will accept.
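The fix for the 404 handler above is output encoding: the requested path is user-controlled data landing in an HTML text context, so it must be HTML-encoded before it is printed. The following is an added example, not code from the original page; the function names and the sample request path are this example's own constructions, and the vulnerable function simply mirrors the article's snippet so the two outputs can be compared side by side.

```php
<?php
// Added example (not from the original page): the article's vulnerable 404
// handler next to a hardened version that HTML-encodes the requested URI.
// Function names and the sample URI below are this example's own.

declare(strict_types=1);

// Vulnerable: the decoded URI is concatenated straight into the HTML body,
// so any markup it contains is interpreted by the browser (as in the article).
function notFoundVulnerable(string $requestUri): string
{
    return "Not found: " . urldecode($requestUri);
}

// Hardened: the same message, but the URI is encoded for an HTML text
// context. ENT_QUOTES also encodes single quotes so the value stays inert
// if it is ever placed inside an attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string; the charset passed
// here must match the charset declared in the response's Content-Type.
function notFoundSafe(string $requestUri): string
{
    $shown = htmlspecialchars(urldecode($requestUri), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "Not found: " . $shown;
}

// Constructed sample input: a URL-encoded request path carrying markup, the
// kind of value a 404 handler receives in $_SERVER["REQUEST_URI"].
$sampleUri = '/%3Cscript%3Ealert(%22TEST%22)%3C/script%3E';

if (PHP_SAPI === 'cli') {
    // Run with `php example.php` to compare the two renderings.
    echo "Vulnerable: ", notFoundVulnerable($sampleUri), PHP_EOL;
    // Safe output: Not found: /&lt;script&gt;alert(&quot;TEST&quot;)&lt;/script&gt;
    echo "Safe:       ", notFoundSafe($sampleUri), PHP_EOL;
} else {
    // As a real handler: send a genuine 404 status and an explicit charset so
    // the encoding assumption above holds, then emit only the hardened form.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo notFoundSafe($_SERVER['REQUEST_URI'] ?? '/');
}
```

Two details matter beyond the call to htmlspecialchars(). First, encoding is applied at the point of output, not at input: the raw URI may still be logged or compared elsewhere, and only the copy rendered into HTML needs entity encoding. Second, the explicit Content-Type charset is part of the defence, because an encoder that assumes UTF-8 while the browser guesses another charset can leave bytes that the browser reinterprets as markup.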

Related Threat Agents

  • TBD

Related Attacks

Related Vulnerabilities

Related Controls