Re: strange requests sent to my WWW
- From: Scott W Gifford <gifford@xxxxxxxxx>
- Date: Thu, 13 Apr 2006 10:20:45 -0400
piotr_sobolewski@xxxxxxxxxxxxxxx writes:
> Scott W Gifford wrote:
> [...]
>> On another note, though your script is safe from that attack, you may
>> be vulnerable to a less severe cross-site scripting attack, and should
>> really escape any HTML that happens to be in $goto.
> Why? Any HTML code somebody puts in $goto will be interpreted on the local
> machine of the guy who sent the request.
Right, that's a cross-site scripting attack:
http://www.cgisecurity.com/articles/xss-faq.shtml
Putting clever HTML in there makes it possible to steal from the
client any cookies you've set on your site if they visit a link, trick
somebody who trusts your site into viewing the attacker's page
thinking it's yours, or leverage any special trust somebody has in
your site (for example if a client has allowed it to install code,
show popups, run ActiveX, etc.).
----Scott.
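The point Scott is making, worked through in code. This is an added example, not the script from the thread (which is never shown); it assumes the redirect script builds an HTML page that echoes $goto into both a link's href and the visible text. The function and variable names (vulnerable_page, hardened_page, is_allowed_url, REFLECTED_XSS_GOTO) and the sample values are all constructed here. Besides the HTML escaping the post recommends, it adds a scheme check on the destination, which goes a step beyond the post: escaping alone keeps markup out of the page, but an href that accepts any string will still happily carry a javascript: URL.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs for $goto (not taken from the original thread).
SAFE_GOTO = "http://www.example.com/page?a=1&b=2"
# A destination whose query string carries markup; the URL itself is otherwise ordinary.
REFLECTED_XSS_GOTO = 'http://www.example.com/search?q="><script>alert(1)</script>'
# A javascript: URL is not HTML, so escaping does nothing against it; it must be rejected.
JS_SCHEME_GOTO = "javascript:alert(document.cookie)"

PAGE = '<html><body>Redirecting you to <a href="%s">%s</a>...</body></html>'


def vulnerable_page(goto):
    """Echoes $goto verbatim into the page: the reflected XSS the thread is discussing."""
    return PAGE % (goto, goto)


def is_allowed_url(goto):
    """Accept only absolute http(s) URLs or same-site paths starting with '/'.

    Rejects javascript:, data:, and protocol-relative (//host/) destinations,
    none of which HTML escaping alone would neutralise inside an href.
    """
    parts = urlsplit(goto)
    if parts.scheme in ("http", "https") and parts.netloc:
        return True
    return parts.scheme == "" and parts.netloc == "" and goto.startswith("/")


def hardened_page(goto):
    """Validates the destination, then HTML-escapes it for both attribute and text context."""
    if not is_allowed_url(goto):
        goto = "/"  # fall back to a fixed page rather than reflect an unexpected value
    # quote=True also converts " and ', so the value cannot break out of href="...".
    safe = html.escape(goto, quote=True)
    return PAGE % (safe, safe)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_page(REFLECTED_XSS_GOTO))
    print("hardened:  ", hardened_page(REFLECTED_XSS_GOTO))
    print("js scheme: ", hardened_page(JS_SCHEME_GOTO))
```

In the hardened output the `<script>` tag arrives in the browser as `&lt;script&gt;`, which renders as literal text and is never executed; the legitimate `&` in SAFE_GOTO becomes `&amp;`, which the browser decodes back to `&` when it follows the link, so escaping does not break ordinary destinations.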