Why is "Full HTML" Input Format Dangerous?
10.13.2008
This is a comment I submitted on my localhost site, with full HTML allowed for anonymous users. The fact that "XSS" came up in an alert means I'm vulnerable to attack.
If you want your skin to crawl more, visit the XSS Cheatsheet, which offers a number of techniques for XSS attacks. If you're ever in doubt, no better test than to attempt to hack yourself.
| Attachment | Size |
|---|---|
| xss.gif | 8.39 KB |
Syndicate
Head Drupal Chef at:
Recent comments
- There are very old, and
21 hours 31 min ago - Hey, this looks great,
22 hours 41 min ago - Look at those cankles, I'd
2 days 3 hours ago - Thanks for the tutorial.
3 days 13 hours ago - At the end of the day, I
5 days 15 hours ago - Yes, I understand principles,
6 days 7 hours ago - I've never watched the MTV
6 days 19 hours ago - Surely a conservative should
6 days 19 hours ago - You can use WAMP (Windows
6 days 23 hours ago - What does "progressively
6 days 23 hours ago
Comments
alert("you've been
alert("you've been hacked")
--
hmm - didnt work :(
heh, won't comment on whether
heh, won't comment on whether it would have worked last time I audited this site's security.
haha :)
haha :)
Hi, scary isnt it? This is a
Hi, scary isnt it? This is a common problem and it usually happens to people who are uninformed. I think that MySpace got hacked like this. I sat through a seminar once and this was one of the topics on the agenda.
You can do SQL injection this too cant you?
anyway... cheerio - Im out to check how secure my sites are. ;)
Post new comment