XSS (Cross Site Scripting)
You can inject using a URL (like Kyle's example) and also using a form POST. PHP scripts are often vulnerable because, by default, PHP does not sanitize HTML.
With more applications and devices using HTML, XSS techniques can turn up in unexpected places. For example, in his jailbreak of the Kindle Touch, Yifan Lu realized that much of the interface running the Kindle was written in HTML and JavaScript, and that this JavaScript ran with special privileges: it was able to directly control the system. Lu's hack involved creating an MP3 file with an ID3 tag that contained HTML and JavaScript. Because Amazon didn't sanitize HTML in the ID3 tag, playing this MP3 in the built-in media player caused the string to be interpreted as code and executed.
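As an added example (not code from this wiki page or from Yifan Lu's work), the Python below builds a constructed ID3v1 tag whose title field carries HTML, parses it the way a media player might, and renders a "now playing" line both without and with output escaping; the same escaping covers a value taken from a URL query string, the ordinary injection path the text mentions. ID3v1 is used here only because its fixed 128-byte layout is easy to parse; it is an assumption for illustration and does not reproduce the Kindle's actual tag handling.

```python
import html
from urllib.parse import parse_qs


def build_id3v1(title: str, artist: str = "unknown") -> bytes:
    """Constructed sample: a 128-byte ID3v1 tag appended to the end of an MP3.
    Layout: 'TAG' + title(30) + artist(30) + album(30) + year(4) + comment(30) + genre(1)."""
    def field(s: str, n: int) -> bytes:
        return s.encode("latin-1", "replace")[:n].ljust(n, b"\x00")
    return b"TAG" + field(title, 30) + field(artist, 30) + field("", 30) + b"0000" + field("", 30) + b"\xff"


def parse_id3v1(data: bytes) -> dict:
    """Read title/artist from the trailing 128 bytes; return {} if no ID3v1 tag is present."""
    tag = data[-128:]
    if len(tag) != 128 or tag[:3] != b"TAG":
        return {}
    return {
        "title": tag[3:33].rstrip(b"\x00").decode("latin-1"),
        "artist": tag[33:63].rstrip(b"\x00").decode("latin-1"),
    }


def meta_from_query(query_string: str) -> dict:
    """Same shape of untrusted data, but sourced from a URL query string (e.g. ?title=...)."""
    q = parse_qs(query_string)
    return {"title": q.get("title", [""])[0], "artist": q.get("artist", [""])[0]}


def render_vulnerable(meta: dict) -> str:
    """Echoes metadata straight into HTML: the mistake the text describes."""
    return f"<div class='now-playing'>{meta['title']} by {meta['artist']}</div>"


def render_safe(meta: dict) -> str:
    """Escapes every untrusted value for the HTML text context before it reaches the page."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return f"<div class='now-playing'>{esc(meta['title'])} by {esc(meta['artist'])}</div>"


def contains_raw_script_tag(rendered: str) -> bool:
    """Simple check used to compare the two renderers: did a literal <script tag survive into the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed MP3-like blob: a fake frame header, some padding, then the tag.
    mp3 = b"\xff\xfb" + b"\x00" * 64 + build_id3v1("<script>alert(1)</script>")
    for meta in (parse_id3v1(mp3), meta_from_query("title=%3Cscript%3Ealert(1)%3C/script%3E")):
        print("vulnerable:", render_vulnerable(meta))
        print("safe:      ", render_safe(meta))
```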