Hello,
Say you have some javascript code where a user enters something in a field and that something, using the DOM, is entered directly into the page.
Could this be used for any kind of attack?


Try entering

HTML Code:
    <script>alert('XSS');</script>

into a field. Does an XSS alert box show?
If "No", then the answer is maybe.


To riff from the 10 immutable laws of security, when you place untrusted data directly into the web page, it is not your web page anymore.
Programming Group Advisor
Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
Car is to Carpet as Java is to JavaScript


Mittineague, that wouldn't show an alert, because that javascript should run onload, and when a user would enter such a thing into the field the page would be loaded already.
But of course there would be other ways to make some javascript run on his own browser in that page, in the same way I can edit this page with Firebug and make it do the exact same things.


Maybe I should clarify something. When I am saying "using the DOM, is entered directly into the page" I mean his own "instance" of the page which he has downloaded on his browser. Nothing is sent back to the server.


So you tried it and didn't get an alert, or are you so convinced it won't you didn't try?
As long as your site doesn't use cookies or require a login, and isn't saving the input in a file or database, then the site should be relatively safe (I guess). But IMHO it's better to not take chances or develop bad habits.
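To make the "don't take chances" habit concrete, here is an added example (not code from the thread) showing the two ways of putting a field's value into the DOM: as markup via innerHTML, where any tags in the input become live elements, and as text via textContent, where the input is displayed literally and never parsed. Browsers do not run a script element inserted through innerHTML, which is why the test above shows no alert, but that does not make the markup route safe; the helper escapeHtml covers the case where the value has to be built into an HTML string. The element id "out" is an assumption for the browser demo.

```javascript
// Added example: inserting user input into the DOM as markup vs. as text.

// Escape the five characters that let text break out of an HTML context.
// Only needed when the input must become part of an HTML string; prefer
// textContent / createTextNode where the value is shown on its own.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Unsafe: the input is parsed as HTML, so any markup in it becomes DOM
// nodes. A <script> inserted this way is not executed by the browser,
// but every other tag and attribute in the input is live.
function renderUnsafe(container, userInput) {
  container.innerHTML = userInput;
}

// Safe: the input becomes a single text node. Tags are shown literally.
function renderSafe(container, userInput) {
  container.textContent = userInput;
}

// Safe when markup is needed around the value: escape, then parse.
function renderLabelled(container, label, userInput) {
  container.innerHTML =
    '<b>' + escapeHtml(label) + ':</b> ' + escapeHtml(userInput);
}

// Browser demo (assumes a page containing <div id="out"></div>).
if (typeof document !== 'undefined') {
  const out = document.getElementById('out');
  // Constructed input, the same string used as the test in the thread.
  renderSafe(out, "<script>alert('XSS');</script>");
  // The page now displays the tag text; nothing runs.
}
```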


I tried it but I wrote everything in one line because the input field is a single line input field.
The site uses cookies but not for anything critical. The only one who has a login is myself.


In that case, AFAIK, then if someone put XSS script into a page and left the computer, then the next person would only risk having non-critical information sent out. Or maybe a chance that a "click here" bait link might be clicked.




Anybody can insert anything into the DOM in any page they are viewing.





> Anybody can insert anything into the DOM in any page they are viewing.

Ain't that the truth!
If you're using a public computer that's displaying the logon page for something you use when you get there - reload that page!