Chapter 2: Cross-Site Scripting 33
If you can find an HTTP response in some web application that replies
with the exact input of some previous HTTP request, including angle brackets, rounded
brackets, periods, equal signs, and so on, then you have found an HTML injection that
can most likely be used for XSS on that web application and domain. This section attempts
to document most HTML injection methods, but it is not complete. Nevertheless, these
techniques will probably work on most small to medium-sized web sites. With some
perseverance, you may be able to use one of these techniques successfully on a major
web site, too.
Classic Reflected and Stored HTML Injection
The classic XSS attack is a reflected HTML injection attack whereby a web application
accepts user input in an HTTP request. The web application responds with the identical
user input within the body of the HTTP response. If the server's response is identical to
the user's initial input, then the user input may be interpreted as valid HTML, VBScript,
or JavaScript by the browser.
Consider the following PHP server code:
if (isset($_GET['UserInput'])) {            // vulnerable by design: no output encoding
    $out = 'your input was: "' . $_GET['UserInput'] . '"';
    echo $out;                               // the input is reflected unchanged into the body
}
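As an added illustration (not the book's code, and in Python rather than PHP), the reflection test described above: vulnerable_render mirrors the echoing PHP handler, hardened_render is an assumed fix that HTML-encodes the value before it reaches the body, and check() sends a constructed probe containing the angle brackets, round brackets, periods and equal signs the text lists and reports whether they come back verbatim, encoded, or not at all.

```python
import html
from urllib.parse import parse_qs, quote


def get_param(query: str, name: str) -> str:
    """Equivalent of PHP's $_GET[name] for a raw query string ('' if absent)."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def vulnerable_render(query: str) -> str:
    """Mirrors the book's PHP: UserInput is concatenated into the body unencoded."""
    return 'your input was: "' + get_param(query, "UserInput") + '"'


def hardened_render(query: str) -> str:
    """Assumed fix: the value is HTML-encoded (quotes included) for the text context."""
    safe = html.escape(get_param(query, "UserInput"), quote=True)
    return 'your input was: "' + safe + '"'


def reflected_intact(probe: str, body: str) -> bool:
    """True when the probe appears in the body character for character, i.e. none of
    the HTML-significant characters was encoded or stripped on the way through."""
    return probe in body


def check(render, probe: str) -> str:
    """Send the probe as the UserInput parameter and classify how it is reflected."""
    body = render("UserInput=" + quote(probe, safe=""))
    if reflected_intact(probe, body):
        return "verbatim"      # HTML injection candidate: markup survives untouched
    if html.escape(probe, quote=True) in body:
        return "encoded"       # reflected, but rendered as literal text by the browser
    return "absent"            # not reflected (filtered, truncated, or stored elsewhere)


# Constructed probe covering every character class the section lists.
PROBE = '<b>x</b>(1).y="z"'

if __name__ == "__main__":
    print("vulnerable:", check(vulnerable_render, PROBE))  # verbatim
    print("hardened:  ", check(hardened_render, PROBE))    # encoded
```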