June 12th, 2003, 05:28 AM
Using script lines for hacking.
My friend's website contains cgi code that displays whatever is in a certain part of the url on the page no matter what. I told him that someone could cause harm to his site if they just use things like <script>alert()</script> for example and execute scripts from his site. I don't know much about the subject, but I do know that. He doesn't beleive me and asked if I could show him some examples of these scripts that could mess with his website, but like I said, I don't know much about it.
Can anyone help me? Does anyone mind supplying me with some working example of a <script> thing that could cause harm to someone's website if they are doing what my friend is?
Thanks a bunch. I really don't what anyone to be able to hack his website because I moderate on forums on his site and have a good time there. Hopefully this will convince him to change it or something.
June 15th, 2003, 07:17 AM
Sorry mate, But i dont think your gonna gonna get much of a response on that one. Whos to know that you dont want to know these examples to do illegal things to peoples websites?
I'm not saying you are, but its a 50/50 chance really and most people are just going to assume that, this is your intentiion
July 10th, 2003, 10:12 PM
Huh? What's going on? what?
can someone explain to me what this mean? I'm totally lost.....
A) what is this cgi code doing on his site, it's grabbing what from the url? as in grabbing variables from a POST, what?
B) how does this leave him vulnerable? How are Iusers able to add script tags to this site?
July 11th, 2003, 11:43 AM
- no harm can be done to the web site / server
- your friend can use this without a problem if he escapes the html correctly
- if he does not, one could do harm only to other users
A) sounds basically like a cgi script that echos its input back to the browser
B) he is only vulnerable to being misused for tricking other people. (enough to get into trouble though...)
You probably won´t get a script like that here even though many people could write it within minutes. Too much potential for mis-use. Not saying that you would, but this is a international public forum...
July 17th, 2003, 02:56 PM
This is what's known as a cross-site scripting vulnerability, and has been used countless times to crack sites even as large as hotmail. Google for it and you'll see it all over the place.
Your friend should 'defang' the HTML by escaping it, this is web security 101 here.
July 19th, 2003, 04:48 AM
Thanks guys. I agree that it wouldn't be a good idea to show a real hacking script on a message board. I'll try to find out more information about what you are suggesting, Hero Zzyzzx. Thanks again.