Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
I
I
Igor Samokhin2014-09-05 09:58:51
PHP
Igor Samokhin, 2014-09-05 09:58:51

Can a site be hacked via $_SERVER['REQUEST_URI'] ?

Good afternoon!
I thought about this question. If the form says action="$_SERVER['REQUEST_URI']" or where in the href attribute of the tag , is it possible somehow to inject xss or...

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
H
HangGlider, 2014-09-05
@grigor007

It is possible if the data is not filtered.
The form

<form action="<?=$_SERVER['REQUEST_URI']?>">
...
</form>

when requested: host.com/form/%22%3E%3Cscript%3Ealert( 'xss')%3C/script%3E%3Cbr%20class=%22demo
will become:
<form action="http://host.com/form/"><script>alert('xss')</script><br class="demo">
...
</form>

Report
M
Maxim Grechushnikov, 2014-09-05
@maxyc_webber

in the form you can not specify at all, but leave the attribute empty. but the main thing is to be

Similar questions
E
Evgeny Samsonov2015-04-05 17:45:37
What is the name of the USB device? 3Reply
S
sergeybogevolny2015-04-06 21:36:50
Is there an example of interaction between bootstrap wizard form and php? 2Reply
A
Astral1004982020-09-25 14:08:44
How to clear a tab from a line? 2Reply
T
thehighhomie2018-11-30 12:28:13
Plugin to generate PDF from JavaScript? 4Reply
M
Matvey Bubenets2017-04-20 04:38:37
How to disable Remote Desktop Licensing? 6Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question