XSS in error pages

Revision as of 16:40, 24 October 2007 by Rezos

This is an Attack. To view all attacks, please see the Attack Category page.


When creating dynamic web pages it is easy to make a mistake. If the generated page depends on entered data (e.g. URI, HTTP headers etc.) and that data is not filtered enough, it can be exploited using the XSS technique.


Example 1

Let's assume that we have an error page that handles requests for non-existent pages: a classic 404 error page. We may use the code below as an example to inform the user which specific page is missing:


<?php
// Deliberately vulnerable: the decoded request URI is printed into the page unescaped.
print "Not found: " . urldecode($_SERVER["REQUEST_URI"]);


Let's see how it works:


In response we got:

Not found: /file_which_not_exist

Now we will try to force the error page to include our code:


The result is:

Not found: / (but with JavaScript code <script>alert("TEST");</script>)

We have successfully injected the code, our XSS! What does it mean? E.g. that we may try to steal the cookies. Problems which may occur when using the XSS technique are:

  • escaping data entered by the user (e.g. character " after escaping will be \"),
  • maximum length of the URI which the HTTP server will accept.
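
The error page from Example 1 beside a corrected version that encodes the URI for the HTML context at output time. This is an added example, not code from the original page: the function names and the sample request string are constructed for illustration, and the response headers in the web branch are extra hardening assumed here.

```php
<?php
// Added example; function names are hypothetical.

// Same behaviour as the snippet in Example 1: the decoded URI reaches
// the HTML response unchanged, so markup in the URI becomes markup in the page.
function render_404_vulnerable(string $requestUri): string
{
    return "Not found: " . urldecode($requestUri);
}

// Corrected version: decode first, then encode for HTML at the point of output.
function render_404_safe(string $requestUri): string
{
    $path = urldecode($requestUri);
    // ENT_QUOTES encodes both " and ', so the value is also safe inside
    // a quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 sequences
    // instead of returning an empty string.
    return "Not found: "
        . htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the test string from Example 1, percent-encoded
// the way it would appear in REQUEST_URI.
$sample = '/%3Cscript%3Ealert(%22TEST%22);%3C/script%3E';

if (PHP_SAPI === 'cli') {
    // Command-line run: show both renderings of the same input.
    echo render_404_vulnerable($sample), PHP_EOL;
    echo render_404_safe($sample), PHP_EOL;
} else {
    // Web run: send a real 404 with an explicit charset, so the browser
    // cannot guess a different encoding, and a policy that blocks any
    // script on the error page even if an encoding step is missed later.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'none'");
    header('X-Content-Type-Options: nosniff');
    echo render_404_safe($_SERVER['REQUEST_URI']);
}
```

Run from the command line, the first line of output still contains a live script element, while the second shows the same text with `<`, `>` and `"` replaced by HTML entities, which the browser displays instead of executing.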

Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures