Jump to content

is this kind of misdirecting data possible?

Recommended Posts

Is there a way to prevent that a malicious person crafts a piece of code that changes the value of an action attribute?


Like when you have this line of html:

     <form method="post" name="register" action="<?php echo $_SERVER['PHP_SELF']; ?>">


but the attacker places the entire script on his own server.


Is this XSS? What are the consequences of gaining/finding protected data?


If this kind of attack is possible, can someone show with an example how this is done?

Link to post
Share on other sites

Changing the form's action would not be a threat to your server. Even if a hacker managed to change PHP_SELF it would only apply to his own computer. The only possible threat with this setup is if he could change the value of PHP_SELF for all the visitors on your site, then he could get information from your visitors submitted to his own site, which would be referred to as "phishing".



Either way, even though there are no security threats with this approach, there's no need to use PHP_SELF. An empty or nonexistent action attribute will submit to the same page on its own.

Link to post
Share on other sites

I take some time to read it.


I made functions before to filter out bad input; inserted with the <input> tag. But I have the feeling that that's not enough.

My idea is that it is possible to use other tags and attributes like <form action = 'misdirection_script.php'> .


(Sorry to ask but I'm a real noob in javascript and I feel a bit foolish to start with javascript and have 'hack' intentions )

Link to post
Share on other sites

ALL validation and sanitizing should be carried out primarily by SERVER-SIDE language such as PHP to strip harmful tags or convert to encoded characters. JavaScript validation is just to make user experience quicker instead of reloading page each time using PHP, but JavaScripts drawback is that it can be disabled and therefore bypassed.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...