XSS
sorry_i_noob, 2018-09-08 11:26:48

Do I need to protect against XSS that is inserted in a GET request (I tried writing an alert(1) value to the page, but nothing happened)?

Hello. I read on the internet that...

For example, a page of this type, http://yourdomain.ru/catalog?p=3, could be a big hole in the site's security.
As with the input field earlier, try substituting the lines of code above into the parameter:
http://yourdomain.ru/catalog?p="><script>alert("cookie: "+document.cookie)

It is likely that you will receive the message again.

I tried to do it on my site, but I didn't get any message. And so, is it necessary to somehow handle GET parameters to protect against XSS or not?

2 answers

eRKa, 2018-09-08
@kttotto

You need to protect yourself if the value of this parameter is inserted as-is into the HTML markup; your alert will work there. If it does not get into the markup, it will not work. But there is no guarantee that during development someone won't forget to sanitize your parameter, so you need to think about it at the moment when you receive data from the form or display parameters from the URL.

OnYourLips, 2018-09-08
@OnYourLips

You need to protect yourself at the WAF level (modules for nginx, for example). And this is only necessary for a fraction of a percent of projects, for certification.
At the application level, it is enough to work correctly with the data.
