December 20th, 2013, 07:46 AM
Is this form secure for XSS
Just wondering if the email field in this page is vulnerable to XSS or not.
December 20th, 2013, 08:05 AM
No, those two fields aren't vulnerable to XSS. But that's not the problem here.
Never send the password back. All your protection doesn't help much when the plaintext passwords travel around the globe.
The next major issue is that you're not using TLS and don't even offer it as an option (you're running around with an invalid certificate).
// Yeah, and it might be a good idea to turn off the error messages and not test your code online. I'm getting all kinds of funny PHP notices.
Last edited by Jacques1; December 20th, 2013 at 08:08 AM.
December 20th, 2013, 08:11 AM
Ok, I appreciate the tip on password.
Originally Posted by Jacques1
Is it going to fix the issue if I run the site under SSL?
December 20th, 2013, 08:21 AM
The webserver does support TLS, but it offers an invalid certificate for a different domain (*.qnetau.com). You need a proper certificate for this domain.
Originally Posted by English Breakfast Tea
Afterwards, either use TLS on your whole site, or at least on the login page. That is, always link to https://manage.atless.com.au/log_in, and also redirect all HTTP requests to the HTTPS URL.
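As an added example (not the poster's code and not something either reply posted), here is a PHP login page that does what the 08:05 and 08:21 replies ask for: it never writes the submitted password back into the page, escapes the re-displayed email address, sends plain-HTTP requests to the HTTPS URL before touching the credentials, and logs PHP notices instead of printing them. Only the URL https://manage.atless.com.au/log_in comes from the thread; the field names, the demo account and the post-login redirect are assumptions.

```php
<?php
// Added example, not the thread's code. Field names, the demo account and
// the post-login redirect target are assumptions.
declare(strict_types=1);

// Keep PHP notices/warnings out of the response; log them server-side.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Send every plain-HTTP request to the HTTPS URL before doing any work,
// so the credentials are only ever posted over TLS.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
if (!$isHttps) {
    header('Location: https://manage.atless.com.au' . ($_SERVER['REQUEST_URI'] ?? '/log_in'), true, 301);
    exit;
}

// Escape for the HTML attribute/text contexts used in the form below.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demo account; on the real site this is a database row holding
// a password_hash() value, never the plaintext password.
$users = [
    'alice@example.com' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

$email = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
$error = '';

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $hash = $users[$email] ?? null;
    if ($hash !== null && password_verify($password, $hash)) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['user'] = $email;
        header('Location: https://manage.atless.com.au/', true, 303);
        exit;
    }
    // One generic message for both "unknown email" and "wrong password".
    $error = 'Invalid email or password.';
    // The password is discarded here and is never written into the page.
    unset($password);
}

/* The pattern the thread warns against, kept inside a block comment so it
 * cannot run: re-populating the password field from the request,
 *
 *   <input type="password" name="password" value="<?php echo $_POST['password']; ?>">
 *
 * sends the plaintext password back to the browser and, being unescaped,
 * is also an XSS sink. The form below never puts a value in that field.
 */
?>
<form method="post" action="https://manage.atless.com.au/log_in">
<?php if ($error !== ''): ?>
  <p><?= h($error) ?></p>
<?php endif; ?>
  <label>Email <input type="email" name="email" value="<?= h($email) ?>"></label>
  <label>Password <input type="password" name="password" value=""></label>
  <button type="submit">Log in</button>
</form>
```

Two caveats: the HTTP-to-HTTPS redirect belongs in the web server configuration as well, so it also covers static pages and anything outside this script; and if TLS is terminated by a load balancer or proxy, `$_SERVER['HTTPS']` and `SERVER_PORT` describe the hop from the proxy, so the check has to look at the forwarded-protocol header the proxy sets instead.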