6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
28 lines
1.5 KiB
HTML
28 lines
1.5 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
|
<title>Dangerous Use of Eval</title>
|
|
<link rel="stylesheet" type="text/css" href="lesson_solutions/formate.css">
|
|
</head>
|
|
<body>
|
|
<p><b>Lesson Plan Title:</b> Dangerous Use of Eval)</p>
|
|
|
|
<p><b>Concept / Topic To Teach:</b><br/>
|
|
It is always a good practice to validate all input on the server side. XSS can occur when unvalidated user input is reflected directly into an HTTP response. In this lesson, unvalidated user-supplied data is used in conjunction with a Javascript eval() call. In a reflected XSS attack, an attacker can craft a URL with the attack script and store it on another website, email it, or otherwise trick a victim into clicking on it.
|
|
</p>
|
|
|
|
<p><b>General Goal(s):</b><br/>
|
|
For this exercise, your mission is to come up with some input which, when run through eval, will execute a malicious script. In order to pass this lesson, you must 'alert()' document.cookie.
|
|
</p>
|
|
|
|
<b>Solution:</b><br/>
|
|
The value of the digit access code field is placed in the Javascript eval() function. This is the reason why your attack will not require the "<script>" tags.<br/>
|
|
Enter: 123');alert(document.cookie);('<br/><br/>
|
|
The result on the server is:<br/><br/>
|
|
eval('<font color="#ff0000">123');<br/>
|
|
alert(document.cookie);<br/>
|
|
('</font>');
|
|
<br><br><br>
|
|
</body>
|
|
</html> |