Is this considered a vulnerability, and is it possible to carry out the attack and hack the site?
There is a field in the site search form:
<input type="text" id="input_id" name="val" value="">
<input type="text" id="input_id" name="val" value="" placeholder="crack">
<input type="text" id="input_id" name="val" placeholder="crack_start">
<script>
console.log('Knock-knock')
alert('u h4z b33n cr4ck3d')
<"crack_end">
Can you explain to me how to break the site through placeholder? :D Because in fact it does not give anything
You won't be able to break the site through placeholder!
And whatever the XSS is, just filter the variables, at least minimally:
strip_tags - removes HTML tags.
htmlspecialchars - converts special characters into HTML entities.
This is how you protect yourself from XSS attacks, in addition to SQL injection.
If you need html tags, but only for displaying the source code, then it is enough to use:
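// Encode HTML special characters (including both quote types) so the value is shown as text
$input_text = htmlspecialchars($_GET['input_text'], ENT_QUOTES, 'UTF-8');
// mysql_escape_string() was removed in PHP 7; $link is assumed to be an open mysqli connection
$input_text = mysqli_real_escape_string($link, $input_text);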
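To make the difference between the two functions concrete for the search field from the question, here is an added example (not code from the thread) that writes one constructed value into `value=""` three ways and checks the result with PHP's DOM extension. The helper names `render` and `is_contained` are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed input modelled on the markup quoted in the thread.
$payload = 'crack_start"><script>alert(\'u h4z b33n cr4ck3d\')</script>';

// Hypothetical helper: builds the search field from the question.
function render(string $attrValue): string
{
    return '<input type="text" id="input_id" name="val" value="' . $attrValue . '">';
}

// Three ways of preparing the request value before it is written into value="".
$variants = [
    // No filtering: the value is echoed unchanged.
    'raw' => $payload,
    // strip_tags() removes the script element but does not encode the double
    // quote, so the value still ends the attribute early.
    'strip_tags' => strip_tags($payload),
    // Encodes & < > " ' so the whole value stays inside the attribute.
    'htmlspecialchars' => htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
];

// Hypothetical check: parse the rendered markup with the DOM extension and
// report whether there is exactly one input, no script element, and the
// input's value is still the exact submitted text.
function is_contained(string $html, string $submitted): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate parser warnings on fragments
    $doc->loadHTML($html);
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName('input');
    return $inputs->length === 1
        && $doc->getElementsByTagName('script')->length === 0
        && $inputs->item(0)->getAttribute('value') === $submitted;
}

foreach ($variants as $name => $value) {
    $html = render($value);
    printf("%-17s %s\n  contained: %s\n", $name, $html,
        is_contained($html, $payload) ? 'yes' : 'no');
}
```

The check is about output context: the value only needs to be encoded when it is written back into the page, and the database layer is better served by parameterised queries than by escaping already HTML-encoded text.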