trying to understand security concept
Hendra Kurniawan
Ranch Hand
Joined: Jan 31, 2011
Posts: 239
Right now I'm reading an article in the cross-site section, and I'm having difficulty understanding it.
I tried this:
What should I put in the text area to simulate a cross-site attack? I tried everything, but nothing happened. Does this mean this code is immune to cross-site already? Suppose I'm not using jQuery, what should be in the assault() function to enable cross-site? Just a simple code, so I can see what cross-site really is. Thanks
Eric Pascarello
author
Rancher
Joined: Nov 08, 2001
Posts: 15357
Put <script>alert("hi");</script> into the textarea.
Eric
Hendra Kurniawan
Ranch Hand
Joined: Jan 31, 2011
Posts: 239
Sorry for the late reply. Tried that, nothing happened. I'm using PHP, by the way; is that a problem? But in the PHP file, there's only the HTML code above, no PHP-specific code whatsoever.
http://jsfiddle.net/mdxmK/
Eric Pascarello
author
Rancher
Joined: Nov 08, 2001
Posts: 15357
The fiddle is set up wrong, change the JS to run in the head, not DOM ready.
Hendra Kurniawan
Ranch Hand
Joined: Jan 31, 2011
Posts: 239
So, that means in order for the attack to be successful, the attacker depends on me putting the assault method in the head? But no matter how many times I run the HTML code shown in my first post, the attack won't get through. What's wrong in my code in the first post? Thanks
Is it because I'm accessing the HTML file via the Apache server? If I access it via the filesystem, the attack was successful.
Eric Pascarello
author
Rancher
Joined: Nov 08, 2001
Posts: 15357
No, the problem with the fiddle you had is that the function is in another scope [not global], so clicking on the button produced an error. Your first code ran fine: http://jsfiddle.net/MBtqm/
Eric
Hendra Kurniawan
Ranch Hand
Joined: Jan 31, 2011
Posts: 239
Yes, I'm not talking about the fiddle. I'm talking about why it doesn't do that when I access the page via a URL to my own web server. Does Apache have a built-in filter?
Eric Pascarello
author
Rancher
Joined: Nov 08, 2001
Posts: 15357
Apache has nothing to do with that JavaScript not running. Did you include jQuery correctly? Look at the fiddle I created, it runs fine and it is almost like the original code you put in the original post.
Eric
Hendra Kurniawan
Ranch Hand
Joined: Jan 31, 2011
Posts: 239
I'm pretty sure everything is in place. When I typed "abcdef" in the text area, abcdef is printed under the text area. But when it's <script>alert("hi");</script>, nothing happened.
Eric Pascarello
author
Rancher
Joined: Nov 08, 2001
Posts: 15357
What browser?
Hendra Kurniawan
Ranch Hand
Joined: Jan 31, 2011
Posts: 239
|
My browser is Mozilla 8.0.1. Thanks
Eric Pascarello
author
Rancher
Joined: Nov 08, 2001
Posts: 15357
Mozilla 8? You mean Firefox? Do you know it is up to 15 now?
Eric
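The defence side of what this thread is demonstrating, as an added example that is not from the thread or either poster: escape the textarea value before it is written into the page, so the payload Eric suggested is displayed as text instead of being parsed as markup. The function names and the sample input are assumptions for this example.

```javascript
// Added example (not from the thread): HTML-escape untrusted text before it
// is placed into a page, so a value typed into the textarea is shown as
// text rather than interpreted as markup. Runs in Node or a browser.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character that has meaning in an HTML text or attribute
// context. "&" is escaped as well; otherwise a user typing "&lt;" would have
// it decoded back into "<" by the browser.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Crude check used only for this demonstration: does the string still
// contain something the HTML parser would treat as a tag opener?
function looksLikeMarkup(text) {
  return /<\/?[a-z!]/i.test(text);
}

// Markup the page in the thread would produce for the textarea value.
// renderUnsafe concatenates the raw input (what writing the raw string with
// innerHTML or jQuery's .html() amounts to); renderSafe escapes it first.
function renderUnsafe(value) {
  return '<div id="out">' + value + "</div>";
}

function renderSafe(value) {
  return '<div id="out">' + escapeHtml(value) + "</div>";
}

// Sample input constructed for this example: the payload from the thread.
const SAMPLE = '<script>alert("hi");</script>';

console.log("unsafe:", renderUnsafe(SAMPLE));
console.log("safe:  ", renderSafe(SAMPLE));
```

In a browser, assigning the value with element.textContent instead of innerHTML or jQuery's .html() gives the same result without building markup by hand.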