F11

Reputation: 3816

Secure URL/application

I was reading this article

http://msdn.microsoft.com/en-us/magazine/hh708755.aspx

related to securing ASP.NET applications, but one thing I am not able to understand: if I am browsing the URL http://www.abc.com/XSS.aspx?test=ok and I replace it with http://www.abc.com/XSS.aspx?test=alert('hacked')... how is the site not safe, or hacked? The point I am trying to make here is that it is not impacting or affecting the site.

The example I have mentioned above is mentioned in many places wherever security is discussed, but I didn't understand it.

Upvotes: 0

Views: 1005

Answers (1)

woofmeow

Reputation: 2408

Just imagine this: if you are going to output the value of "test" (without escaping it properly for HTML usage) on your HTML page, then one could possibly inject any JavaScript on your page! Some possible exploits could be changing the background to something obscene or even redirecting your page to some scam websites, in effect making you an accessory to fraud of some kind!

ALWAYS USE PROPER ESCAPING FOR STORING OR USING USER-SUBMITTED INFORMATION!

Edit: The escaping I am talking about will be useful so that people don't inject HTML or JS into your database. This would eventually lead to every user getting the injected HTML/JS (if the injected variable is the same for everyone) on their page, not just the user who injected it!

Upvotes: 1
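To make the answer concrete, here is an added example (not from the question, the answer, or the MSDN article) that simulates the page from the question in plain Node.js rather than ASP.NET. The hostname, the `XSS.aspx` page and the `test` parameter are taken from the question; the HTML template, the `escapeHtml` helper and the in-memory "database" are constructed for illustration. It shows why the bare `test=alert('hacked')` in the question does nothing on its own: reflected into a text node it is just text, so the payload below wraps it in a `<script>` tag. The same parameter rendered raw ends up as a script element in the response, while the HTML-encoded version (what `Server.HtmlEncode` or `<%: %>` does in ASP.NET) is rendered as harmless text. The stored variant from the answer's edit is included as well; escaping at the point of output covers both cases.

```javascript
// Added example: a stand-in for http://www.abc.com/XSS.aspx that reflects the
// "test" query parameter into its HTML. Nothing here contacts a real site.

// Minimal HTML encoder for the five characters that matter in text and
// double-quoted attribute context (same idea as Server.HtmlEncode in ASP.NET).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: the raw parameter is concatenated into the page.
function renderUnsafe(requestUrl) {
  const test = new URL(requestUrl).searchParams.get("test") ?? "";
  return `<html><body><p>You asked for: ${test}</p></body></html>`;
}

// Hardened renderer: the parameter is HTML-encoded before it reaches the page.
function renderSafe(requestUrl) {
  const test = new URL(requestUrl).searchParams.get("test") ?? "";
  return `<html><body><p>You asked for: ${escapeHtml(test)}</p></body></html>`;
}

// Crude check used only to compare the two renderers: does the response
// contain a <script> element the page author never wrote? Not a general
// XSS detector; injection via event handlers or javascript: URLs is not covered.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Stored variant from the answer's edit: a constructed in-memory "comments"
// table. Whatever is saved here is later shown to every visitor, so an
// injected script would run for all of them, not just the attacker.
const comments = [];
function storeComment(text) {
  comments.push(text);
}
function renderCommentsUnsafe() {
  return comments.map((c) => `<li>${c}</li>`).join("");
}
function renderCommentsSafe() {
  return comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Constructed request URLs: the benign one from the question, and a payload
// that carries its own <script> tag so a browser would execute it.
const benignUrl = "http://www.abc.com/XSS.aspx?test=ok";
const maliciousUrl =
  "http://www.abc.com/XSS.aspx?test=" +
  encodeURIComponent("<script>alert('hacked')</script>");

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderUnsafe(maliciousUrl));
  console.log("safe:  ", renderSafe(maliciousUrl));
}
```

Run it with `node xss_demo.js` and compare the two lines: in the unsafe output the script tag is intact and a browser would execute it when any victim follows that link; in the safe output every `<`, `>` and `'` has been encoded, so the browser displays the payload as text. Note that the exact encoding needed depends on where the value lands (text, attribute, URL, or inside a script block); HTML encoding is correct for the text-node case shown here.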
