BanksySan

Reputation: 28500

Is it possible to XSS a query string?

Given the URL:

http://www.example.com/abc?q1=foo&q2=<USER SUPPLIED>

Is this URL attackable? (Assuming <USER SUPPLIED> is not output in the HTML document).

If this were printed to an href attribute, and was HTML encoded but not URL or attribute encoded, what could an attacker do?

Upvotes: 2

Views: 4381

Answers (1)

Eda190

Reputation: 679

If the "q2" value is used on the page at all, and it is not sanitized anyhow (you are doing simple $_GET['q2'] to read the value), it is considered XSS. Even though it doesn't get printed anywhere on the page, it creates Reflected XSS. An attacker may insert anything instead of the parameter, and if it gets run, or even inserted into your database, he could for example catch your phpmyadmin session cookie, or do other harmless stuff dependent on how your page works with this value.

Upvotes: 2
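
The encoding case the question asks about, as an added example that is not part of the question or the answer: a value that is HTML-encoded but not URL-encoded can still change the query string of the link, while URL-encoding it first and then HTML-encoding the whole URL keeps it inside q2. The function names and the sample value are constructed for illustration.

```php
<?php
// Added example, not code from the question or the answer.

const BASE = 'http://www.example.com/abc';

/** The case in the question: the value is HTML-encoded only, then written into href. */
function hrefHtmlOnly(string $q2): string
{
    return BASE . '?q1=foo&amp;q2=' . htmlspecialchars($q2, ENT_QUOTES, 'UTF-8');
}

/** URL-encode the value for the query string, then HTML-encode the whole URL for the attribute. */
function hrefUrlThenHtml(string $q2): string
{
    $url = BASE . '?' . http_build_query(['q1' => 'foo', 'q2' => $q2], '', '&', PHP_QUERY_RFC3986);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/** Parameters PHP would see after the browser decodes the attribute and follows the link. */
function paramsSeenByServer(string $hrefAttr): array
{
    $url = html_entity_decode($hrefAttr, ENT_QUOTES, 'UTF-8'); // browser undoes the HTML encoding
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params); // fragment is not part of the query
    return $params;
}

$q2 = 'bar&q1=changed#top'; // constructed sample input

$links = [
    'HTML only'     => hrefHtmlOnly($q2),
    'URL then HTML' => hrefUrlThenHtml($q2),
];

foreach ($links as $label => $href) {
    echo $label, "\n";
    echo '  href="', $href, "\"\n";
    echo '  ', json_encode(paramsSeenByServer($href)), "\n";
}

// HTML only:     {"q1":"changed","q2":"bar"}             (q1 overridden, value truncated)
// URL then HTML: {"q1":"foo","q2":"bar&q1=changed#top"}  (value stays inside q2)
```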
