jquery - Executing JavaScript present in the value field of inputs - JavaScript


I have a form in HTML:

<form name="foo" action="http://localhost:3000/my_url" method="post">
    <input type="text" name="username" value="alert('hello')">
</form>

I need the JavaScript in the value field of the input to execute, through the form's submit. The reason is that I don't control the page template (I can't have

<script>
    var input = document.getElementsByName("username");
</script>

or any other <script> tag added to the page). I'm trying to prove that it's possible for an attack to take place on malformed <input> fields, especially when using templates. How can I have the JavaScript execute on form submission? Remember, I'm not allowed to modify the page content except for that one piece. Since I'm doing a POST of the form, I can set the <input> field (and only the <input> field) to whatever I want.

username=<script>alert('hello')</script>
<input type="text" name="username" value="<script>alert('hello')</script>">

or

username=window.onload = function() { alert('hello') }
<input type="text" name="username" value="window.onload = function() { alert('hello') }">

I have also thought of doing

username=document.forms['myform'].onsubmit = function() { alert('hello') }
<input type="text" name="username" value="document.forms['myform'].onsubmit = function() { alert('hello') }">

All of these are valid. I need the JavaScript in the tag to execute. How can I do that? The security flaw is how the <input> tag can be exploited if it is not sanitized. Per @guest271314: "the requirement includes adding a tag ..."

When you use a template engine to render HTML content, the server should sanitize and escape it to prevent passive injection of cross-site scripts, or XSS for short.

Such an attack can be achieved on a server that does not enforce the mentioned security measures, by posting malformed content that is later happily rendered by the template engine.

For example, this form sends user input:

<form name="foo" action="http://localhost:3000/my_url" method="post">
    <input type="text" name="username" value="">
</form>

If the user sends "><script>alert('foo')</script>, and you later display that input in a form

<form name="bar" action="http://localhost:3000/my_other_url" method="post">
    <input type="text" name="username" value="@template_engine_render(posted_username_value)@">
</form>

the resulting output would be

<form name="bar" action="http://localhost:3000/my_other_url" method="post">
    <input type="text" name="username" value="">
    <script>alert('foo')</script>
</form>

because the "> characters close the input tag, and you end up executing arbitrary user JavaScript code in the page.

This is why "never trust user input" is one of the basic security rules of the web.
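The attribute breakout described in the answer, as an added example that is not part of the question or the answer: a hypothetical `renderUnsafe` helper stands in for `@template_engine_render(...)@` splicing the posted value in verbatim, `renderSafe` adds the attribute-context escaping the answer says the server must apply, and `parseValueAttr` roughly models how the browser's HTML parser reads the `value` attribute back. The posted username is the constructed payload from the answer.

```javascript
// Added example (not the question's or the answer's own code): the answer's "bar" form
// rendered with and without HTML-attribute escaping, fed the posted payload it describes.

// Constructed attack input, exactly the string the answer says the user sends.
const POSTED_USERNAME = '"><script>alert(\'foo\')</script>';

// Hypothetical unescaped template helper: the value is spliced into the attribute verbatim.
function renderUnsafe(username) {
  return '<form name="bar" action="http://localhost:3000/my_other_url" method="post">\n' +
         '  <input type="text" name="username" value="' + username + '">\n' +
         '</form>';
}

// Attribute-context escaping: every character that can end the attribute or open a tag
// becomes an entity, so the parser keeps it inside the value string.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same template, but the value is escaped before it is spliced in.
function renderSafe(username) {
  return renderUnsafe(escapeHtmlAttr(username));
}

// Rough model of how the HTML parser reads the page back: the value attribute runs from
// value=" to the next double quote, and everything after that is parsed as new markup.
function parseValueAttr(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Number of <script> start tags the browser would see in the rendered page.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Inverse of escapeHtmlAttr, to show the escaped value round-trips to what the user typed.
function decodeHtmlAttr(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (ent) => map[ent]);
}

// Compare the two renderings of the posted payload.
function demo() {
  const unsafe = renderUnsafe(POSTED_USERNAME);
  const safe = renderSafe(POSTED_USERNAME);
  return {
    unsafeValue: parseValueAttr(unsafe),              // '' : the "> closed the attribute early
    unsafeScripts: countScriptTags(unsafe),           // 1  : attacker markup became a real tag
    safeValue: decodeHtmlAttr(parseValueAttr(safe)),  // the original text, still inside the attribute
    safeScripts: countScriptTags(safe),               // 0  : only the template's own markup
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe(POSTED_USERNAME));
  console.log(renderSafe(POSTED_USERNAME));
  console.log(demo());
}
```

The escaping is per context: `escapeHtmlAttr` is only correct for a double-quoted attribute value or element text. A value landing inside a `<script>` block, a URL, or an unquoted attribute needs a different encoder, which is why real template engines pick the escaper from where the placeholder sits.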

