trying to understand security concept

Hendra Kurniawan
Ranch Hand

Joined: Jan 31, 2011
Posts: 239
Right now I'm reading an article in the cross-site section, and I'm having difficulty understanding it.
I tried this:



What should I put in the text area to simulate a cross-site attack? I tried everything, but nothing happened. Does this mean this code is immune to cross-site attacks already? Suppose I'm not using jQuery; what should be in the assault() function to enable the cross-site attack? Just a simple piece of code, so I can see what cross-site really is. Thanks.
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
    
Put <script>alert("hi");</script> into the textarea.

Eric
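The thread's test page echoes whatever is typed in the textarea back into the document. Whether that echo is inserted as HTML or as text is the whole difference between a page that reflects a script and one that does not. The following is an added example (not code from the thread or from jQuery) showing the vulnerable string-building form beside its hardened form; the helper names escapeHtml, unsafeMarkup, safeMarkup and containsMarkup are assumptions made for this example, and the probe string is the one Eric suggested above.

```javascript
// Added example, not code from the thread. Pure string functions so it runs
// in Node without a DOM; in a browser, unsafeMarkup corresponds to
// element.innerHTML = value (or jQuery .html(value)) and safeMarkup to
// element.textContent = value (or jQuery .text(value)).

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can open or close HTML syntax, so the
// browser renders the input literally instead of parsing it as markup.
// Ampersand is included so an already-escaped input is not "unescaped".
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the textarea value is spliced straight into markup.
// Anything in the value that looks like a tag becomes part of the page.
function unsafeMarkup(userInput) {
  return '<div id="echo">' + userInput + '</div>';
}

// Hardened form: same output shape, but the value is escaped first, so the
// user sees exactly the characters they typed and nothing is interpreted.
function safeMarkup(userInput) {
  return '<div id="echo">' + escapeHtml(userInput) + '</div>';
}

// Defender's quick check on the rendered fragment: strip the fixed wrapper
// and see whether any tag-like syntax from the input survived unescaped.
function containsMarkup(markup) {
  const inner = markup
    .replace(/^<div id="echo">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample input: the probe suggested in the thread.
const PROBE = '<script>alert("hi");</script>';

// Stand-alone demonstration.
console.log('unsafe :', unsafeMarkup(PROBE), '-> tag survives:', containsMarkup(unsafeMarkup(PROBE)));
console.log('safe   :', safeMarkup(PROBE), '-> tag survives:', containsMarkup(safeMarkup(PROBE)));
```

Note that escapeHtml only covers the HTML body context. A value placed inside an attribute, a URL, or a JavaScript string needs the encoder for that context; no single escaping function is safe everywhere.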
Hendra Kurniawan
Ranch Hand

Joined: Jan 31, 2011
Posts: 239
Sorry for the late reply. I tried that; nothing happened. I'm using PHP, by the way. Is that a problem? But in the PHP file there's only the HTML code above, no PHP-specific code whatsoever.
http://jsfiddle.net/mdxmK/
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
    
The fiddle is set up wrong; change the JS to run in the head, not on DOM ready.
Hendra Kurniawan
Ranch Hand

Joined: Jan 31, 2011
Posts: 239
So, that means in order for the attack to be successful, the attacker depends on me putting the assault method in the head? But no matter how many times I run the HTML code shown in my first post, the attack won't get through. What's wrong in my code in the first post? Thanks.
Is it because I'm accessing the HTML file via the Apache server? If I access it via the filesystem, the attack is successful.
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
    
No, the problem with the fiddle you had is that the function is in another scope [not global], so clicking on the button produced an error. Your first code ran fine: http://jsfiddle.net/MBtqm/



Eric
Hendra Kurniawan
Ranch Hand

Joined: Jan 31, 2011
Posts: 239
Yes, I'm not talking about the fiddle. I'm talking about why it doesn't do that when I access the page via a URL to my own web server. Does Apache have a built-in filter?
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
    
Apache has nothing to do with that JavaScript not running. Did you include jQuery correctly? Look at the fiddle I created, it runs fine and it is almost like the original code you put in the original post.

Eric

Hendra Kurniawan
Ranch Hand

Joined: Jan 31, 2011
Posts: 239
I'm pretty sure everything is in place. When I typed "abcdef" in the text area, abcdef was printed under the text area. But when it's <script>alert("hi");</script>, nothing happened.
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
    
What browser?
Hendra Kurniawan
Ranch Hand

Joined: Jan 31, 2011
Posts: 239
My browser is Mozilla 8.0.1. Thanks.
Eric Pascarello
author
Rancher

Joined: Nov 08, 2001
Posts: 15376
    
Mozilla 8? You mean Firefox? Do you know it is up to 15 now?

Eric
 
jQuery in Action, 2nd edition
 