Cross-Site Scripting
Detected by Syhunt: Yes (Dynamic, Code)
Type: Injection Flaw
Also Known As: XSS, CSS
CWE: 79
Many web sites contain flaws that allow remote cross-site scripting attacks (also known as XSS or CSS). XSS flaws exist because applications fail to validate input upon submission. An XSS flaw can allow attackers to create specially crafted URLs that execute arbitrary code in a user's browser within the trust relationship between the browser and server, leading to loss of integrity.
Below you can find very basic examples of XSS vulnerabilities.
<?
echo($_GET['name']); // XSS 1
echo($_POST['name']); // XSS 2
echo($_REQUEST['name']); // XSS 3
?>
Syhunt scan results for this example code:
Found: 3 vulnerabilities
In /xss_basic.php (source code, locally), on line 2: Possible XSS Vulnerability
In /xss_basic.php (source code, locally), on line 3: Possible XSS Vulnerability
In /xss_basic.php (source code, locally), on line 4: Possible XSS Vulnerability
See: Vulnerable PHP Code for more examples
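A hardened counterpart to the xss_basic.php sample above, added here as an example (it is not Syhunt's code): each value is encoded for the output context it is written into. The helper names e_html, e_js, e_url and param, and the /profile link, are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened form of xss_basic.php.
// Helper names below are hypothetical, not part of any library.

/** Encode for HTML element content and quoted attribute values. */
function e_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode as a JavaScript string literal that is safe inside <script>. */
function e_js(string $s): string {
    // The JSON_HEX_* flags escape <, >, &, ' and " so the value cannot
    // close the script element or break out of the literal.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR);
}

/** Encode a value used as a URL query component. */
function e_url(string $s): string {
    return rawurlencode($s);
}

/** Read one request parameter as a string; array input (name[]=x) is rejected. */
function param(array $source, string $key): string {
    $v = $source[$key] ?? '';
    return is_string($v) ? $v : '';
}

$name = param($_GET, 'name'); // same source as "XSS 1" in xss_basic.php

// Declare the charset so the browser decodes the page the same way the encoders assumed.
header('Content-Type: text/html; charset=UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
  <!-- HTML element content -->
  <p>Hello, <?= e_html($name) ?></p>
  <!-- Quoted attribute value -->
  <input type="text" name="name" value="<?= e_html($name) ?>">
  <!-- URL component inside an attribute: URL-encode first, then HTML-encode -->
  <a href="/profile?name=<?= e_html(e_url($name)) ?>">profile</a>
  <!-- JavaScript string literal -->
  <script>var userName = <?= e_js($name) ?>;</script>
</body>
</html>
```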
<%
Response.Write(Request.Form["name"]);
Response.Write(Request.QueryString["name"]);
%>
Syhunt scan results for this example code:
Found: 3 vulnerabilities
In /xss.aspx (source code, locally), on line 2: Possible XSS Vulnerability
In /xss.aspx (source code, locally), on line 3: Possible XSS Vulnerability
<%@ Page Language="C#"%>
<script runat="server">
void SubmitBtn_Click(object sender, EventArgs e) {
  Response.Write(InputText.Text);
}
</script>
<html>
<body>
<form id="form1" runat="server">
  <asp:TextBox ID="InputText" Runat="server" TextMode="MultiLine" Width="300px" Height="150px">
  </asp:TextBox>
  <asp:Button ID="SubmitBtn" Runat="server" Text="Submit" OnClick="SubmitBtn_Click"/>
</form>
</body>
</html>
Syhunt scan results for this example code:
Found: 1 vulnerability
In /xss_runatsrv.aspx (source code, locally), on line 4: Possible XSS Vulnerability
<%@ page import="java.util.*,java.io.*"%>
<%
out.println(request.getParameter("name"));
%>
<?lua
cgilua.put(cgilua.QUERY.name)
cgilua.put(cgilua.POST.name)
?>
cgilua.htmlheader()
cgilua.put(cgilua.QUERY.name)
cgilua.put(cgilua.POST.name)