#1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    2
    Rep Power
    0

    Using script lines for hacking.


    My friend's website contains cgi code that displays whatever is in a certain part of the url on the page no matter what. I told him that someone could cause harm to his site if they just use things like <script>alert()</script> for example and execute scripts from his site. I don't know much about the subject, but I do know that. He doesn't beleive me and asked if I could show him some examples of these scripts that could mess with his website, but like I said, I don't know much about it.

    Can anyone help me? Does anyone mind supplying me with some working example of a <script> thing that could cause harm to someone's website if they are doing what my friend is?

    Thanks a bunch. I really don't what anyone to be able to hack his website because I moderate on forums on his site and have a good time there. Hopefully this will convince him to change it or something.
  2. #2
  3. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2003
    Posts
    9
    Rep Power
    0
    Sorry mate, But i dont think your gonna gonna get much of a response on that one. Whos to know that you dont want to know these examples to do illegal things to peoples websites?

    I'm not saying you are, but its a 50/50 chance really and most people are just going to assume that, this is your intentiion
  4. #3
  5. No Profile Picture
    Average Intelligence
    Devshed Novice (500 - 999 posts)

    Join Date
    Apr 2003
    Location
    Ohio/Chicago
    Posts
    678
    Rep Power
    12
    Huh? What's going on? what?

    My friend's website contains cgi code that displays whatever is in a certain part of the url on the page no matter what. I told him that someone could cause harm to his site if they just use things like <script>alert()</script> for example and execute scripts from his site
    can someone explain to me what this mean? I'm totally lost.....
    A) what is this cgi code doing on his site, it's grabbing what from the url? as in grabbing variables from a POST, what?
    B) how does this leave him vulnerable? How are Iusers able to add script tags to this site?
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    Short explanation:
    - no harm can be done to the web site / server
    - your friend can use this without a problem if he escapes the html correctly
    - if he does not, one could do harm only to other users

    unatratnag:
    A) sounds basically like a cgi script that echos its input back to the browser
    B) he is only vulnerable to being misused for tricking other people. (enough to get into trouble though...)

    JBobby:
    You probably won´t get a script like that here even though many people could write it within minutes. Too much potential for mis-use. Not saying that you would, but this is a international public forum...
  8. #5
  9. 11
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jul 2001
    Location
    Lynn, MA
    Posts
    4,635
    Rep Power
    82
    This is what's known as a cross-site scripting vulnerability, and has been used countless times to crack sites even as large as hotmail. Google for it and you'll see it all over the place.

    Your friend should 'defang' the HTML by escaping it, this is web security 101 here.
  10. #6
  11. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2003
    Posts
    2
    Rep Power
    0
    Thanks guys. I agree that it wouldn't be a good idea to show a real hacking script on a message board. I'll try to find out more information about what you are suggesting, Hero Zzyzzx. Thanks again.

IMN logo majestic logo threadwatch logo seochat tools logo