Archive for the 'XSS' Category
become a hacker with webgoat
WebGoat is a insecure web application which is designed to teach web application security concepts.
You can try hacking: Access Control Flaws, Authentication Flaws, Session Management Flaws, Cross-Site Scripting (XSS), Buffer Overflows, Injection Flaws, Improper Error Handling, Insecure Storage, Denial of Service, Insecure Configuration, Web Services and AJAX Security.
There is a “Lesson Plan” a kind of tutorial and in the “Hints Menu” you can view the parameters, cookies, the Code and the solution.
It’s a lot of fun and you learn more about web application security.
Pixy: XSS and SQLI Scanner for PHP Programs
Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.
There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.
Cheating with obfuscation
Sometimes I find strange lines in my webservers log, like this one:
“GET site.php?id=%3C%73%63%72%69%70%74
%3E%61%6C%65%72%74%28%32%33%29%3B%3C
%2F%73%63%72%69%70%74%3E HTTP/1.1″
Whats that? No it’s not the matrix it looks like someone tried to obfuscate something with Hex.
Let’s write 2 lines using urldecode() to check this string.
The danger of PHP_SELF
The $_SERVER['PHP_SELF'] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.
Here you see a normal login form with the form container above.
Comments(0)
Comments(0)
Comments(0)