I was reading this article

http://msdn.microsoft.com/en-us/magazine/hh708755.aspx

related to securing an ASP.NET application, but there is one thing I am not able to understand: if I am browsing the URL http://www.abc.com/XSS.aspx?test=ok and I replace it with http://www.abc.com/XSS.aspx?test=alert('hacked')... how is the site not safe, or hacked? The point I am trying to make here is that it is not impacting or affecting the site?

The example I have mentioned above is mentioned in many places wherever security is discussed, but I didn't understand it.

F11
  • This is more than just a _JavaScript_ problem, if _test's_ value is used to look up something, say in _SQL_, and it is not correctly sanitised, an attacker could do anything they want to your database; add/remove/delete/view, etc – Paul S. Aug 03 '13 at 12:25

1 Answer

Just imagine this: if you are going to output the value of "test" (without escaping it properly for HTML usage) on your HTML page, then one could possibly inject any JavaScript on your page!! Some possible exploits could be changing the background to something obscene or even redirecting your page to some scam websites, in effect making you an accessory to fraud of some kind!!

ALWAYS USE PROPER ESCAPING FOR STORING OR USING USER SUBMITTED INFORMATION!!

Edit: The escaping I am talking about will be useful so that people don't inject HTML or JS in your database. This would eventually lead to every user getting the injected HTML/JS (if the injected variable is the same for everyone) on their page, not just the user who injected it!!

woofmeow
  • Did it help you understand how it is dangerous @little ? – woofmeow Aug 03 '13 at 12:18
  • No, I am not able to get your point, since JS is a client-side language. If one changes it, it will impact only the user that is changing/hacking it. What proper escaping? – F11 Aug 03 '13 at 12:26
  • If the website contains sensitive data, then an attacker can use this to send it elsewhere, send the cookies for the current session elsewhere, or even perform actions "on behalf" of a user. If they really wanted, they could fake a username and password box, or make the user part of a distributed DoS attack using ajax requests, etc, etc, etc – Paul S. Aug 03 '13 at 12:26
  • @little edited answer to explain more: if you are going to store the variables in your database then a malicious user could possibly delete your databases using a drop statement (if you don't escape it). The escaping I am talking about will be useful so that people don't inject HTML or JS in your database. This would eventually lead to every user getting the injected HTML/JS (if the injected variable is the same for everyone) on their page, not just the user who injected it!! Did that help? If it did, feel free to upvote :) – woofmeow Aug 03 '13 at 13:06
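
Added example, not part of the original question, answer or comments: a minimal JavaScript model of a page such as XSS.aspx that writes the `test` query value into its HTML, once as-is and once HTML-encoded. The function names, the template and the `<script>` sample value are constructed for illustration; in ASP.NET the encoding step is what `HttpUtility.HtmlEncode` provides.

```javascript
// Added example: hypothetical page template and function names, constructed inputs.
// Models a server page that echoes the "test" query value into its HTML.
const template = (value) =>
  `<html><body><p>You searched for: ${value}</p></body></html>`;

// Read "test" the way the server sees it (already URL-decoded).
function getTestParam(rawUrl) {
  return new URL(rawUrl).searchParams.get('test') || '';
}

// HTML-encode the characters that are significant in element content
// and in quoted attribute values.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable form: the value is concatenated into the markup unchanged.
function renderUnsafe(rawUrl) {
  return template(getTestParam(rawUrl));
}

// Hardened form: the value is encoded for the HTML context before output.
function renderEncoded(rawUrl) {
  return template(htmlEncode(getTestParam(rawUrl)));
}

// The template has no script elements, so any found in a response
// were supplied through the URL.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

const benign = 'http://www.abc.com/XSS.aspx?test=ok';
// The URL exactly as typed in the question: plain text, no markup.
const asTyped = "http://www.abc.com/XSS.aspx?test=alert('hacked')";
// Constructed value that carries markup. It travels in the link itself,
// so the same response is produced for whoever opens that link.
const crafted = 'http://www.abc.com/XSS.aspx?test=' +
  encodeURIComponent("<script>alert('hacked')</script>");

for (const url of [benign, asTyped, crafted]) {
  console.log(getTestParam(url),
    '| script tags, unsafe:', countScriptTags(renderUnsafe(url)),
    '| encoded:', countScriptTags(renderEncoded(url)));
}
```

The URL as typed in the question produces only text in this context, which is why nothing visible happens; the difference appears once the value contains markup, and the encoded form turns that markup back into inert text.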