Balderick (Posted January 5, 2017)

Is there a way to prevent a malicious person from crafting a piece of code that changes the value of an action attribute? Like when you have this line of HTML:

<form method="post" name="register" action="<?php echo $_SERVER['PHP_SELF']; ?>">

but the attacker places the entire script on his own server. Is this XSS? What are the consequences of gaining/finding protected data? If this kind of attack is possible, can someone show with an example how this is done?

Ingolme (Posted January 5, 2017)

Changing the form's action would not be a threat to your server. Even if a hacker managed to change PHP_SELF it would only apply to his own computer. The only possible threat with this setup is if he could change the value of PHP_SELF for all the visitors on your site, then he could get information from your visitors submitted to his own site, which would be referred to as "phishing".

Either way, even though there are no security threats with this approach, there's no need to use PHP_SELF. An empty or nonexistent action attribute will submit to the same page on its own.

dsonesuk (Posted January 5, 2017)

Look under 'Big Note on PHP Form Security' at http://www.w3schools.com/php/php_form_validation.asp

Balderick (Posted January 6, 2017)

I take some time to read it. I made functions before to filter out bad input, inserted with the <input> tag. But I have the feeling that that's not enough. My idea is that it is possible to use other tags and attributes like <form action = 'misdirection_script.php'>. (Sorry to ask, but I'm a real noob in JavaScript and I feel a bit foolish to start with JavaScript and have 'hack' intentions.)

dsonesuk (Posted January 6, 2017)

ALL validation and sanitizing should be carried out primarily by a SERVER-SIDE language such as PHP to strip harmful tags or convert to encoded characters. JavaScript validation is just to make the user experience quicker instead of reloading the page each time using PHP, but JavaScript's drawback is that it can be disabled and therefore bypassed.
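
Added example, not part of any post in this thread: the form line from the first post rendered with a constructed PHP_SELF value, first unescaped and then encoded with htmlspecialchars(), alongside the no-action form suggested above. The function names and the sample path are assumptions made for illustration.

```php
<?php
// Added example: function names and the sample value are constructed.

// PHP_SELF contains any extra path info the client appends after the
// script name, so it must be treated as client-supplied input.
$constructedSelf = '/register.php/"><b>constructed</b>';

// As posted in the thread: the value goes into the attribute unescaped.
function form_tag_unescaped(string $self): string
{
    return '<form method="post" name="register" action="' . $self . '">';
}

// Hardened: encode for an HTML attribute context before output.
function form_tag_escaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" name="register" action="' . $safe . '">';
}

// Alternative from the thread: no action, so the form submits to the
// current URL and no request-derived value is written into the page.
function form_tag_no_action(): string
{
    return '<form method="post" name="register">';
}

// A single intact opening tag has exactly one '<' and one '>'.
// Any extra raw bracket means the value escaped the attribute.
function attribute_is_intact(string $tag): bool
{
    return substr_count($tag, '<') === 1 && substr_count($tag, '>') === 1;
}

$tags = [
    'unescaped' => form_tag_unescaped($constructedSelf),
    'escaped'   => form_tag_escaped($constructedSelf),
    'no action' => form_tag_no_action(),
];

foreach ($tags as $label => $tag) {
    $state = attribute_is_intact($tag) ? 'intact' : 'BROKEN';
    echo str_pad($label, 10) . $state . '  ' . $tag . PHP_EOL;
}
```

Only the unescaped variant reports BROKEN, because the quote and angle brackets in the path close the action attribute and the form tag early. This happens in the browser of whoever follows such a link to the real site, which is the case the 'Big Note on PHP Form Security' linked above covers.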