XSS in URI on page without input

Question

XSS in URI on page without input

Is the XSS attack user-entered? I got these attacks:

'"--></style></script><script>alert(0x002357)</script>

when scanning a php page without html content using acunetix or netsparker.

Thanks in advance

+3

security php xss

Theone Feb 23 '11 at 10:45

source share

4 answers

Zed · Answer 1 · 2011-02-23T13:50:27+0000

, HTML - , SQL HTML , URI. URI , escape- - google escape-, , . - google for log injection. , , , - - , URI.

Andreas Gohr · Answer 2 · 2011-02-23T12:33:12+0000

100%, . , , - XSS, , , .

XSS : , , .

, , , , (, - ). , , .

dr. evil · Answer 3 · 2011-02-24T08:15:21+0000

Blackbox , html - , , ), , PHP_SELF .

DOM Based XSS, , XSS - .

, , , , .

-, , JS, , javascript URL Rewrite (, ) - .

Tim · Answer 4 · 2011-02-23T10:48:58+0000

Where did you find this XSS? As far as I know, if the page does not accept any user input (process / display), it cannot be vulnerable to XSS.

Edit:

I think I misunderstood your question - did you mean if XSS can occur by entering Javascript in the address bar of the browser? Or adding Javascript to the URI? If the latter, then the page is susceptible to XSS, and you should use the whitelist for any variables passed to your URI. If the first, and then not, any changes on the client side in the address bar will be visible to only one user.

XSS in URI on page without input

More articles: