
is this kind of misdirecting data possible?


Balderick


Is there a way to prevent a malicious person from crafting a piece of code that changes the value of an action attribute?

 

Like when you have this line of html:

     <form method="post" name="register" action="<?php echo $_SERVER['PHP_SELF']; ?>">

 

but the attacker places the entire script on his own server.

 

Is this XSS? What are the consequences of gaining/finding protected data?

 

If this kind of attack is possible, can someone show with an example how this is done?


Changing the form's action would not be a threat to your server. Even if a hacker managed to change PHP_SELF it would only apply to his own computer. The only possible threat with this setup is if he could change the value of PHP_SELF for all the visitors on your site, then he could get information from your visitors submitted to his own site, which would be referred to as "phishing".

 

 

Either way, even though there are no security threats with this approach, there's no need to use PHP_SELF. An empty or nonexistent action attribute will submit to the same page on its own.

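The question asks whether a crafted request can change the form's action and whether that counts as XSS. Here is an added example, not code from the thread, that takes the form line from the first post and renders it three ways. `$_SERVER['PHP_SELF']` is `SCRIPT_NAME` plus any `PATH_INFO` the client appends to the URL, so a link such as `/register.php/"><script>...</script><x"` puts attacker-chosen text into it; the assignment at the top is a constructed value that simulates such a request so the script runs from the command line without a web server. Function names are my own.

```php
<?php
// Added example, not code from the thread. Demonstrates why echoing
// $_SERVER['PHP_SELF'] unescaped into the action attribute is an XSS sink,
// and two hardened renderings of the same form line.
//
// PHP_SELF is SCRIPT_NAME plus any PATH_INFO the client appends, so a link
// such as  /register.php/"><script>alert(document.cookie)</script><x"
// puts attacker-chosen text into it. The assignment below is a constructed
// value that simulates such a request so the script runs from the CLI.
$_SERVER['PHP_SELF'] = '/register.php/"><script>alert(document.cookie)</script><x"';

// Vulnerable: the first " in PHP_SELF closes the attribute and the injected
// <script> element is rendered into the page for anyone who opens the link.
function vulnerable_form(): string
{
    return '<form method="post" name="register" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened option 1: escape for the HTML attribute context. ENT_QUOTES
// converts both " and ' to entities, so the attribute cannot be closed early.
function escaped_form(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" name="register" action="' . $action . '">';
}

// Hardened option 2: do not reflect the request path at all. An empty action
// submits to the current URL, which is what PHP_SELF was being used for.
function empty_action_form(): string
{
    return '<form method="post" name="register" action="">';
}

echo "Vulnerable:\n", vulnerable_form(), "\n\n";
echo "Escaped:\n", escaped_form(), "\n\n";
echo "No reflection:\n", empty_action_form(), "\n";
```

Run it with `php register_demo.php` (any file name works). The vulnerable line prints the attribute closed early followed by a live `<script>` element; the escaped line prints `&quot;&gt;&lt;script&gt;...` as inert text inside the attribute; the third line never touches the request path at all. The attack needs a victim to follow the crafted link, so it is reflected XSS on the site itself, not something confined to the attacker's own machine.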

I'll take some time to read it.

 

I made functions before to filter out bad input inserted with the <input> tag. But I have the feeling that that's not enough.

My idea is that it is possible to use other tags and attributes like <form action='misdirection_script.php'>.

 

(Sorry to ask, but I'm a real noob in JavaScript and I feel a bit foolish to start with JavaScript and have 'hack' intentions.)


ALL validation and sanitizing should be carried out primarily by a SERVER-SIDE language such as PHP to strip harmful tags or convert them to encoded characters. JavaScript validation is just to make the user experience quicker instead of reloading the page each time using PHP, but JavaScript's drawback is that it can be disabled and therefore bypassed.

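The reply above says validation and sanitizing belong on the server. Here is an added example, not code from the thread, of what that looks like for a registration form: allow-list validation of the POST fields with PHP's built-in filters, and escaping of anything echoed back into the page. The field names (`username`, `email`, `age`), the rules, and the two sample requests are assumptions constructed for illustration; the hostile request stands in for a client that has JavaScript disabled or is simply `curl`.

```php
<?php
// Added example, not code from the thread. Server-side validation of a
// registration POST plus escaping of anything echoed back into the page.
// Field names, rules and the sample requests are assumptions for illustration.

// Validate with allow-lists and PHP's built-in filters; return clean values
// and per-field errors. Rejecting bad input is safer than stripping "bad
// tags", which is easy to get wrong.
function validate_registration(array $post): array
{
    $clean = [];
    $errors = [];

    $username = trim((string)($post['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    } else {
        $clean['username'] = $username;
    }

    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    return [$clean, $errors];
}

// Escape for HTML body and attribute contexts when re-populating the form.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one honest, one hostile. A client with
// JavaScript disabled, or curl, sends whatever it likes regardless of any
// client-side checks, so the server must not trust either request.
$requests = [
    ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34'],
    ['username' => '<script>alert(1)</script>', 'email' => 'not-an-email', 'age' => '999'],
];

foreach ($requests as $post) {
    [$clean, $errors] = validate_registration($post);
    if ($errors) {
        echo "Rejected:\n";
        foreach ($errors as $field => $msg) {
            echo "  $field: $msg\n";
        }
        // Re-populate the form safely: the hostile username becomes inert text.
        echo '  <input name="username" value="' . h((string)$post['username']) . "\">\n";
    } else {
        echo "Accepted: " . json_encode($clean) . "\n";
    }
}
```

The honest request is accepted with `age` already converted to an integer; the hostile one is rejected on all three fields, and the re-populated `<input>` shows the `<script>` tag as `&lt;script&gt;...` rather than as markup. Note the two distinct steps: validation decides whether to accept the data at all, and escaping with `htmlspecialchars` is applied at output time in every place the value is rendered, whether or not it passed validation.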
