Archive for the ‘XSS’ Tag

Pixy: XSS and SQLI Scanner for PHP Programs

Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.

http://pixybox.seclab.tuwien.ac.at/pixy/webinterface.php

Advertisements

Cheating with obfuscation

Sometimes I find strange lines in my webservers log, like this one:

“GET site.php?id=%3C%73%63%72%69%70%74
%3E%61%6C%65%72%74%28%32%33%29%3B%3C
%2F%73%63%72%69%70%74%3E HTTP/1.1”

Whats that? No it’s not the matrix it looks like someone tried to obfuscate something with Hex.
Let’s write 2 lines using urldecode() to check this string.

Continue reading

The danger of PHP_SELF

The $_SERVER[‘PHP_SELF’] or old syntax $PHP_SELF superglobal gives you the filename of the currently executing script, relative to the document root.
Often used in forms or in links.

<form action=”<? echo $_SERVER[‘PHP_SELF’]; ?>” method=”POST”>

Here you see a normal login form with the form container above.

Continue reading