Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
I
I
Igor Samokhin2014-09-05 09:58:51
PHP
Igor Samokhin, 2014-09-05 09:58:51

Can a site be hacked via $_SERVER['REQUEST_URI'] ?

Good afternoon!
I thought about this question. If the form says action="$_SERVER['REQUEST_URI']" or where in the href attribute of the tag , is it possible somehow to inject xss or...

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
H
HangGlider, 2014-09-05
@grigor007

It is possible if the data is not filtered.
The form

<form action="<?=$_SERVER['REQUEST_URI']?>">
...
</form>

when requested: host.com/form/%22%3E%3Cscript%3Ealert( 'xss')%3C/script%3E%3Cbr%20class=%22demo
will become:
<form action="http://host.com/form/"><script>alert('xss')</script><br class="demo">
...
</form>

Report
M
Maxim Grechushnikov, 2014-09-05
@maxyc_webber

in the form you can not specify at all, but leave the attribute empty. but the main thing is to be

Similar questions
N
nickostyle2014-04-22 13:05:16
Is it possible to repost from social networks to the site? 9Reply
B
Boris Greinov2021-03-18 20:53:14
Synthesizing speech to a website but not Web Speech Api? 3Reply
S
StayAtHome2015-04-01 12:24:02
How to distinguish a web request from a regular page from a request from the extension itself from a Chrome/Opera extension? 4Reply
H
Healis2022-01-16 18:03:19
How to apply a gradient to an image so that the gradient does not go beyond the edges? 2Reply
A
Artem Melnykov2019-09-11 09:24:58
What to do if android sdk is not installed? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question