Tream

Reputation: 1054

XSS: How is this safe?

I have following code:

echo "<span title='{$_GET["t"]}'>Foo</span>";

Obviously, this code is not XSS-safe, but when I call the following URLs, no JavaScript is executed:

  1. url?t=Foo" onclick="alert(1)"
  2. url?t=<script>alert(1);</script>

Is the browser doing some magic work here? Is there any attack vector?

Upvotes: 0

Views: 520

Answers (2)

Rob M.

Reputation: 36541

If you are trying to test whether this is vulnerable, you need to end the single quote and close the tag, then add your JavaScript. Something like the following:

?t=xss'><script>alert('hi')</script><span

Upvotes: 3

Marc B

Reputation: 360882

Why should it be? You'd be generating the following:

  1. <span title='Foo" onclick="alert(1)"'>Foo</span>
  2. <span title='<script>alert(1)</script>'>Foo</span>

Neither of which is valid HTML/JavaScript. The first one has mismatched quotes, so the tag is broken. The second one doesn't contain JavaScript at all: it has a title attribute containing the characters <, s, c, etc. That's not JavaScript. It's just some TEXT that LOOKS like JavaScript.

To do XSS, whatever you inject HAS to produce valid code, otherwise it's just a syntax error for whatever environment you're injecting.

A working example would be:

http://example.com/script.php?t='><script>alert('1');</script><span+title='

which would generate

<span title=''><script>alert('1');</script><span title=''>Foo</span>
xxxxxxxxxxxxx0000000000000000000000000000000000000000000xxxxxxxxxxxx

Where x represents the original document, and 0 represents what you injected.

Upvotes: 8
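Both answers make the same point: the payload has to fit the context it lands in, here a single-quoted title attribute. The added example below is mine, not code from the question or the answers. It mirrors the PHP line from the question in Python, feeds it the two payloads the asker tried, the tag-closing payload from the answers, and a fourth payload I add that matches the single-quoted context by using a single quote to start an onclick attribute. A small stdlib HTMLParser then checks what the browser would actually see: did a <script> element or an on* handler attribute come out of the parse? The hardened renderer uses html.escape(..., quote=True), which also encodes the single quote; the PHP equivalent is htmlspecialchars() with ENT_QUOTES, which is only the default from PHP 8.1 onward. Payload names and the audit helper are my own.

```python
import html
from html.parser import HTMLParser

# Constructed payloads (not from a real request): the two from the question,
# the tag-closing one from the answers, and a fourth, added here, that breaks
# out of a single-quoted attribute without needing to close the tag.
PAYLOADS = {
    "q1_wrong_quote": 'Foo" onclick="alert(1)"',
    "q2_text_only": "<script>alert(1);</script>",
    "answer_close_tag": "'><script>alert('1');</script><span title='",
    "added_handler": "Foo' onclick='alert(1)",
}


def render_vulnerable(t: str) -> str:
    """Mirror of the PHP line in the question: value inserted unescaped."""
    return f"<span title='{t}'>Foo</span>"


def render_safe(t: str) -> str:
    """Attribute-context encoding. quote=True encodes both ' and ", which is
    what a single-quoted attribute needs (PHP: htmlspecialchars + ENT_QUOTES)."""
    return f"<span title='{html.escape(t, quote=True)}'>Foo</span>"


class _Audit(HTMLParser):
    """Count what an injected value could create in the parsed document:
    <script> elements and on* event-handler attributes on any element."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.handlers: list[tuple[str, str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))


def audit(markup: str) -> dict:
    """Parse markup as a browser would and report script tags and handlers."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return {"script_tags": p.script_tags, "handlers": p.handlers}


def executes_js(markup: str) -> bool:
    """True if the parse produced anything that would run script."""
    a = audit(markup)
    return a["script_tags"] > 0 or len(a["handlers"]) > 0


def results() -> dict:
    """For each payload: (runs in vulnerable output, runs in escaped output)."""
    return {
        name: (executes_js(render_vulnerable(t)), executes_js(render_safe(t)))
        for name, t in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, t in PAYLOADS.items():
        vuln = render_vulnerable(t)
        print(f"{name}:")
        print(f"  vulnerable: {vuln}")
        print(f"  parsed as : {audit(vuln)}")
        print(f"  escaped   : {render_safe(t)}")
```

Running it shows why the asker saw nothing: payloads 1 and 2 produce a single span whose title attribute merely contains quote characters or angle brackets, so there is no script element and no handler. The tag-closing payload yields one script element, and the added single-quote payload yields an onclick handler on the span; both are neutralised once the value is attribute-encoded.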
