IT Security and Insecurity Portal

xss/html inclusion/remote file inclusion combo question

Posted: Tue Mar 22, 2005 1:17 pm
D3ADLiN3
Regular user
Joined: Nov 21, 2004
Posts: 6

OK, I will try and explain this the best I can:
From what I understand, XSS is the ability to inject your own code (in most cases Java) into a target webpage and then get your victim to visit your desired link to get the code to execute?
Why does it have to be Java? For example:
If you could inject PHP code into the page (by encoding it etc. to avoid magic_quotes and urldecode altering), surely you could get the remote machine (the server) to activate the code instead?
Surely you apply the same concept to HTML inclusion too? Rather than injecting HTML into a page, couldn't you inject PHP to do 'nasty' server-side stuff?

Posted: Wed Mar 23, 2005 11:43 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

You'll have to ask Waraxe when he comes back from the dead or LINUX might have a good idea. XSS isn't my cake.......... yet

_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Re: xss/html inclusion/remote file inclusion combo question

Posted: Wed Mar 23, 2005 3:17 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

D3ADLiN3 wrote:
OK, I will try and explain this the best I can:
From what I understand, XSS is the ability to inject your own code (in most cases Java) into a target webpage and then get your victim to visit your desired link to get the code to execute?
Why does it have to be Java? For example:
If you could inject PHP code into the page (by encoding it etc. to avoid magic_quotes and urldecode altering), surely you could get the remote machine (the server) to activate the code instead?
Surely you apply the same concept to HTML inclusion too? Rather than injecting HTML into a page, couldn't you inject PHP to do 'nasty' server-side stuff?

Not Java, but JavaScript or HTML.
HTML is not server-side; it executes on clients.
CMIIW

_________________ IO::y3dips->new(http://clog.ammar.web.id);
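
The distinction the question turns on, shown as an added example that is not part of the thread or any poster's code: PHP treats reflected input as plain output data that only the visitor's browser interprets, while request data reaches the server's interpreter only when the application hands it to a code-loading call such as include. The function names, page names and file paths below are hypothetical.

```php
<?php
// Added example; render_greeting(), resolve_page() and the page files are hypothetical.

// Reflected input is only ever a string to PHP: echo sends its bytes to the
// browser and never feeds them back through the PHP parser. Markup or script
// inside it is interpreted by the client, so the fix is output encoding.
function render_greeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Request data executes on the server only when the application itself passes
// it to something that loads or evaluates code, such as include/require or
// eval. Map the parameter onto a fixed set of local files instead of building
// a path or URL from it.
function resolve_page(string $page): ?string
{
    $allowed = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $allowed[$page] ?? null;
}

// Constructed sample inputs: one client-side script, one PHP fragment.
$samples = [
    '<script>alert(1)</script>',
    '<?php phpinfo(); ?>',
];
foreach ($samples as $sample) {
    // Both are emitted entity-encoded; PHP executes neither of them.
    echo render_greeting($sample), PHP_EOL;
}

// Constructed page parameters: one known name, one URL, one unknown name.
foreach (['about', 'http://example.invalid/x.txt', 'admin'] as $param) {
    $file = resolve_page($param);
    echo $param, ' => ', $file === null ? 'rejected' : basename($file), PHP_EOL;
}
```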
All times are GMT