This can be exploited to redirect users to a malicious location, or to execute arbitrary SQL statements if injected into a logged-in user’s account. A possible attack scenario for stock management system v1.0 would be visiting a user’s profile page and then injecting URLs into the Id parameter. For example, in a logged-in user’s profile, a malicious user could type “/profiles/username/edit”, where “/profiles/” and “/edit” are URLs that can redirect to other webpages. The Id parameter is now the most popular target for SQL injection attacks. End users are often unaware of the dangers of injecting URLs into the Id parameter, because they are likely to be logged into their own website.

Vulnerability type: Cross site scripting

Cross site scripting (XSS) is a type of computer security vulnerability that occurs when data is injected into an application, usually via a web browser, with the intent of manipulating content, performing an unauthorized action on behalf of the user or simply viewing the victim’s information.
This vulnerability allows attackers to inject client-side scripts, which can be used to steal data from a vulnerable website. The most common technique for XSS attacks is to use JavaScript to create a hidden iframe in order to inject malicious code into a target website’s frame within the context of the attacked website.
User input can also be targeted by XSS vulnerabilities. When this happens, any character typed in by a user will be echoed back with special characters instead of appearing as normal text. This may allow attackers to steal passwords and other sensitive information from users who are logged into websites that have been compromised.
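
The handling of an Id parameter described above, as an added Python example that is not code from the original page or from the affected application: the "before" handler concatenates Id into SQL and echoes it into HTML, while the "after" handler validates it, binds it as a query parameter, and escapes output. The `product` table, the function names, and the sample inputs are constructed for illustration.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO product VALUES (?, ?)",
                   [(1, "Widget"), (2, "Gadget <b>XL</b>")])
    return db

def page_vulnerable(db, id_param):
    """Before: Id is concatenated into SQL and echoed into HTML unescaped."""
    rows = db.execute("SELECT name FROM product WHERE id = " + id_param).fetchall()
    items = "".join("<li>" + name + "</li>" for (name,) in rows)
    return "<h1>Product " + id_param + "</h1><ul>" + items + "</ul>"

def parse_id(id_param):
    """Accept only a short run of ASCII digits; reject everything else."""
    if not (id_param.isascii() and id_param.isdigit() and len(id_param) <= 9):
        raise ValueError("Id must be a non-negative integer")
    return int(id_param)

def page_hardened(db, id_param):
    """After: validate Id, bind it as a parameter, escape everything echoed."""
    try:
        pid = parse_id(id_param)
    except ValueError:
        return "<h1>Invalid Id</h1>"
    rows = db.execute("SELECT name FROM product WHERE id = ?", (pid,)).fetchall()
    items = "".join("<li>" + html.escape(name) + "</li>" for (name,) in rows)
    return "<h1>Product " + str(pid) + "</h1><ul>" + items + "</ul>"

if __name__ == "__main__":
    db = make_db()
    # Constructed sample Id values: one valid, two carrying injected syntax.
    for sample in ("2", "1 OR 1=1", "1 -- <script>alert(1)</script>"):
        print("vulnerable:", page_vulnerable(db, sample))
        print("hardened:  ", page_hardened(db, sample))
```
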

Timeline

Published on: 08/28/2022 23:15:00 UTC
Last modified on: 09/01/2022 13:22:00 UTC

References