Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Say I have a web application that accepts a parameter called “content”. Whatever is present in this parameter will be output as a part of the HTML response.
Example JSP code:
<%= request.getParameter("content") %>
I know this is silly and it should be sanitized and so on, but my question is if an attacker can actually take advantage of this? The way I understand it you’d only change the content sent to yourself, so the only one an attacker could hurt is himself? Correct?
Consider the following example:
Then the attacker creates a link somewhere, and makes it to looks like some important link to your site. There are -of course- several times as clever vectors as this example.