
trying to understand security concept

 
Hendra Kurniawan
Ranch Hand
Posts: 239
Right now I'm reading an article in the cross-site section, and I'm having difficulty understanding it.
I tried this:



What should I put in the text area to simulate a cross-site attack? I tried everything, but nothing happened. Does this mean this code is immune to cross-site already? Suppose I'm not using jQuery, what should be in the assault() function to enable cross-site? Just simple code, so I can see what cross-site really is. Thanks.
 
Eric Pascarello
author
Rancher
Posts: 15385
Put <script>alert("hi");</script> into the textarea.

Eric
 
Hendra Kurniawan
Ranch Hand
Posts: 239
Sorry for the late reply. Tried that, nothing happened. I'm using PHP by the way, is that a problem? But in the PHP file, there's only the HTML code above, no PHP-specific code whatsoever.
http://jsfiddle.net/mdxmK/
 
Eric Pascarello
author
Rancher
Posts: 15385
The fiddle is set up wrong; change the JS to run in the head, not DOM ready.
 
Hendra Kurniawan
Ranch Hand
Posts: 239
So, that means in order for the attack to be successful, the attacker depends on me putting the assault method in the head? But no matter how many times I run the HTML code shown in my first post, the attack won't get through. What's wrong with my code in the first post? Thanks.
Is it because I'm accessing the HTML file via an Apache server? If I access it via the filesystem, the attack was successful.
 
Eric Pascarello
author
Rancher
Posts: 15385
No, the problem with the fiddle you had is that the function is in another scope [not global], so clicking on the button produced an error. Your first code ran fine: http://jsfiddle.net/MBtqm/



Eric
 
Hendra Kurniawan
Ranch Hand
Posts: 239
Yes, I'm not talking about the fiddle. I'm talking about why it doesn't do that when I access the page via a URL to my own web server. Does Apache have a built-in filter?
 
Eric Pascarello
author
Rancher
Posts: 15385
Apache has nothing to do with that JavaScript not running. Did you include jQuery correctly? Look at the fiddle I created, it runs fine and it is almost like the original code you put in the original post.

Eric

 
Hendra Kurniawan
Ranch Hand
Posts: 239
I'm pretty sure everything is in place. When I typed "abcdef" in the text area, abcdef is printed under the text area. But when it's <script>alert("hi");</script>, nothing happened.
 
Eric Pascarello
author
Rancher
Posts: 15385
What browser?
 
Hendra Kurniawan
Ranch Hand
Posts: 239
My browser is Mozilla 8.0.1. Thanks.
 
Eric Pascarello
author
Rancher
Posts: 15385
Mozilla 8? You mean Firefox? Do you know it is up to 15 now?

Eric
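
An added example, not part of the thread or either poster's code: the echo behaviour discussed above (typed text printed under the text area), written as string-building JavaScript with an unencoded version beside an encoded one. The code from the first post is not on this page, so every function name here is hypothetical, and the two sample inputs are the ones quoted in the thread.

```javascript
// Added example; names are hypothetical, not taken from the thread's missing code.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
};

// Encode the characters that let text be parsed as markup or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the input is concatenated straight into the output container.
function renderEchoUnsafe(input) {
  return '<div id="output">' + input + "</div>";
}

// "After": same container, but the input is encoded so the browser treats it as text.
function renderEchoSafe(input) {
  return '<div id="output">' + escapeHtml(input) + "</div>";
}

// Check used below: after removing the wrapper this code wrote itself,
// is there any tag opener left that must have come from the input?
function hasElementFromInput(markup) {
  const inner = markup
    .replace(/^<div id="output">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-zA-Z\/!]/.test(inner);
}

// The two inputs mentioned in the thread.
const samples = ["abcdef", '<script>alert("hi");</script>'];
for (const s of samples) {
  console.log("input :", s);
  console.log("unsafe:", renderEchoUnsafe(s), "-> markup from input:",
              hasElementFromInput(renderEchoUnsafe(s)));
  console.log("safe  :", renderEchoSafe(s), "-> markup from input:",
              hasElementFromInput(renderEchoSafe(s)));
}
```

In the browser, assigning the value through `textContent` (or jQuery's `.text()`) keeps the input as text without a hand-written encoder.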
 