Is there any situation where an XSS attack can be performed via the PHP $_SERVER['REQUEST_URI'] variable? For those unfamiliar with it: It contains the complete URL used to access that website, without the domain name, and with some special characters encoded.
For example, take this piece of code. We already have a <, and are not even using ":
echo '<form action=' . $_SERVER['REQUEST_URI'] . ' method="post"></form>';
If I visit localhost/myscript.php?foo onhover=alert(1) the result is:
<form action=/myscript.php?foo%20onhover=alert(1) method="post">
- Is there any way to inject a space? I tried + and similar characters, but it did not work.
- If there is a way, would it also be possible if quotes were used around the action?
- If it is not possible, can you think of any scenario where $_SERVER['REQUEST_URI'] could be used to perform an XSS attack? Or any other attack for that matter?
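Added example, not part of the original post: the form snippet from the question next to a hardened version that quotes the attribute and HTML-encodes the value, with a DOM parse showing which attributes the `<form>` ends up with. The function names and sample values are constructed for illustration; the second sample is the string from the question as typed, used to show what the markup does if the value ever arrives without percent-encoding.

```php
<?php
declare(strict_types=1);

// Pattern from the question: unquoted attribute, no output encoding.
function form_unsafe(string $uri): string
{
    return '<form action=' . $uri . ' method="post"></form>';
}

// Hardened: encode for an HTML attribute context and always quote the value.
function form_safe(string $uri): string
{
    // ENT_QUOTES encodes " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // rather than making htmlspecialchars() return an empty string.
    $encoded = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $encoded . '" method="post"></form>';
}

// Parse the markup and return the attribute names the <form> ended up with.
function form_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate non-strict HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $form = $doc->getElementsByTagName('form')->item(0);
    $names = [];
    foreach ($form->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed sample values standing in for $_SERVER['REQUEST_URI'].
$samples = [
    'percent-encoded by the browser' => '/myscript.php?foo%20onhover=alert(1)',
    'not encoded by the client'      => '/myscript.php?foo onhover=alert(1)',
];

foreach ($samples as $label => $uri) {
    printf("%s\n  unsafe: %s\n  safe:   %s\n", $label,
        implode(', ', form_attributes(form_unsafe($uri))),
        implode(', ', form_attributes(form_safe($uri))));
}
```

If the form only needs to post back to the current page, leaving out the action attribute avoids echoing the request URI at all.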