Non-Persistent XSS at SecretRecipe

# Date: 27 Nov 2013
# Author: Arif Fahmi Fisal
# Vendor
# Version: -
# Category: webapps
# Tested on: Window XP

*Cross Site Scripting:*

Non-Persistent XSS Attack

In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser. Let us understand this attack better with an example.
For example, the attacker can now try to change the “Target URL” of the link “Click to Download”. Instead of the link going to “” website, he can redirect it to go “” by crafting the URL as shown below:

Here's the code:

<form id="search-form" action="" method="get">
<input type="text" name="keyword" class="keyword" value="<a href="">click to download</a>" /><input type="submit" class="button search" value="Search" />
<div style="position:absolute; display:inline-block; width:120px; margin:0px; padding:3px;" class="fb-like" data-href="" data-send="false" data-layout="button_count" data-width="120" data-show-faces="false" data-action="recommend" data-font="tahoma"></div>

Url:<a href="">Click to Download</a>

And this preview images:

Now the victim may not know what it is, because directly he cannot understand that the URL is crafted and their is a more chance that he can visit the URL.
*27 Nov 2013 - Report to admin

Postingan terkait:

1 Tanggapan untuk "Non-Persistent XSS at SecretRecipe"