Swfupload movie name cross site scripting vulnerability lỗi năm 2024

Cross-site scripting (XSS) is a type of attack that can be carried out to compromise users of a website. The exploitation of a XSS flaw enables attackers to inject client-side scripts into web pages viewed by users. Listed as one of the OWASP Top 10 vulnerabilities, XSS is the most common vulnerability submitted on the Detectify Crowdsource platform therefore a security risk our tool continually checks for.

Cross-site scripting: What can happen?

The attacker may:

• gain access to users cookies, session IDs, passwords, private messages, etc
• read and access the content of a page for any attacked user and therefore all the information displayed to the user
• compromise the content shown to the user

A notable XSS attack was the Tweetdeck XSS worm published in 2014. It allowed the attacker to spread his malicious payload to all Tweetdeck users via Twitter, hence causing a mass compromise of Twitter accounts.

XSS Proof-of-Concept video:

Example of Cross-site scripting (XSS)

To show how the vulnerability works, let’s look at an example. Say you have a search box on your site. If there is no result, the site should say “Could not find any pages when searching for [what the user searched for].”.

Doing this in PHP it might look something like this:

// Code for performing the actual search } else {

echo "Could not find any pages when searching for ".$_GET['query'];

This would, in other words, output the user supplied data (the search query) straight into the HTML document. If the search query contains HTML, the user’s web browser will render it. Imagine an attacker sends a link like the following to a victim:

http://example.com/search.php?query=