Archive for the ‘XSS’ Category
Pixy: XSS and SQLI Scanner for PHP Programs
Filed under: Information, PHP, XSS, sql, tools | Tags: Information, Injection, PHP, scanner, security, sql, sqli, sqlinjection, tools, XSS
Leave a Comment Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.
There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.
Cheating with obfuscation
Filed under: Injection, PHP, XSS | Tags: hex, hexcode, Injection, logfile, PHP, security, urldecode, XSS
Leave a Comment Sometimes I find strange lines in my webservers log, like this one:
“GET site.php?id=%3C%73%63%72%69%70%74
%3E%61%6C%65%72%74%28%32%33%29%3B%3C
%2F%73%63%72%69%70%74%3E HTTP/1.1″
Whats that? No it’s not the matrix it looks like someone tried to obfuscate something with Hex.
Let’s write 2 lines using urldecode() to check this string.
The danger of PHP_SELF
Filed under: PHP, XSS | Tags: cross site scripting, PHP, php_self, register_globals, security, XSS
Leave a Comment The $_SERVER['PHP_SELF'] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.
Here you see a normal login form with the form container above.
