May 7th, 2003, 02:17 PM
First of all, don't confuse with this onClick stuff, it has nothing to do with <script>.
that works in this:
so i don`t wanna use <script> stuff, i need to know how to move someone's location using the above method, i`d guess it'd be somethign like:
but it isn't.
May 7th, 2003, 02:25 PM
And why would you be trying to do that? Are you trying to avoid someone's filtering of <script> ?
You probably want something like window.open..but I am hesitant to say anything more without you saying why you are wanting to avoid the <script> and what you are trying to accomplish...
A good reference for many things: http://devedge.netscape.com/
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
May 7th, 2003, 02:51 PM
May 7th, 2003, 03:15 PM
He probably used XSS (Cross Site Scripting) to exploit your pages.
Go to http://www.cgisecurity.com/articles/xss-faq.shtml and learn what it is and how to prevent it.
Experience is something you don't get until just after you need it.
May 7th, 2003, 03:19 PM
Yeah I know it's XSS, hence the JS.
I've been going to that site for a while, the admin knows his stuff about web security, he`s a friend of a friend.
May 22nd, 2003, 08:35 AM
May 25th, 2003, 03:56 PM
I've heard a lot of XSS and its kind a weird coz i thought its css. It's gaining popularity among hackers for creating holes in government and commercial establishments.
May 25th, 2003, 07:25 PM
thats because XSS is a very easy way to manipulate pages, either changing them, or accessing data you arnt supposted too.
The Hack Back Revolution
May 25th, 2003, 11:13 PM
I think so far most of have underestimated how hard it is to acctually expliot a XSS. and gain some information from another user.
Yes it is easy to prove that an XSS does exist "<script>alert('hello')</script>" will prove that. However it is much more complex to actully put a xss vulnerability to work. The main problem faced is how once you extracted the information you require (lets say a cookie), is how the attacker passes the informaton on to themselfs so they can read it.
Even if they manage to get the information, there is still the code on the site with the XSS linking back to them, so it is very hard and complex to get away with.
I\'m a SittingDuck, but the question is \"Is your web app a Sitting Duck?\"
May 26th, 2003, 04:46 AM
Well, it's relatively easy to steal a session id from a cookie and have it sent to a netcat listner (for example) with an document.location redirect with the session id as parameter... The netcat listener ca be on a compromised "third party" and forward the info without any log of it...
Of course, this would be on a site *completely* vulnerable to XSS, without any input filtering at all... Having even only *some* filtering can make such attacks much more difficult...
Credit travels up, blame travels down -- The Boss