Hello,
To demonstrate XSS attack, I am building a web app which does the following:
1. Works like a forum
2. Takes posts from users via a HTML textarea and store these messages in the mysql db
3. Displays all posts from the users on a thread. The objective is to show an XSS attack such as
due to insufficient filtering of the input.
I am using a MySql db with Apache and PHP.
On entering the following input into the textarea:
The data is just not being added to the DB and the $_POST method in the page which stores the posts into the database is returning an empty string. However, all other cases are working. I have so far not used any special functions used for input filtering in PHP, as this is an app to demonstrate XSS.
However, on manually adding the above script into the DB, the expected alert box pops up.
Anyone knows what's going on?
To demonstrate XSS attack, I am building a web app which does the following:
1. Works like a forum
2. Takes posts from users via a HTML textarea and store these messages in the mysql db
3. Displays all posts from the users on a thread. The objective is to show an XSS attack such as
Code:
alert("attack");
I am using a MySql db with Apache and PHP.
On entering the following input into the textarea:
Code:
<script>alert("attack");</script>
However, on manually adding the above script into the DB, the expected alert box pops up.
Anyone knows what's going on?
Comment