0

I just need to know if its possible and how. I had an incident once on a message board I frequented where someone's signature displayed info about my PC and internet connection to me rather than an actual artsy-fartsy signature. I'm not new to this, I saw that type of thing appear roughly a decade ago but circumstances regarding this person's actions are worrisome. I'm talking about what* else* did that particular signature execute? Did that sig send info back to that person's computer about my computer? I know this sounds paranoid...

3
Contributors
5
Replies
15
Views
2 Years
Discussion Span
Last Post by diafol
0

Yes, it's possible. If not handled properly many input text accept the <script> tag.
Then that JS is saved on the DB and when the signature is displayed the javascript could be executed also(again, if not properly handled by the developer).

This is called XSS (Cross Site Scripting).

A simple example:

<div>
<h2>My Signature Yeah!</h2>
<script type="text/javascript">
alert('My script was saved on the DB and now it'll be executed every time my signature is displayed');
</script>
</div>
0

What are the limitations of this? I mean in the example I provided about a persons signature displaying computer and connection info, could it have recorded those particular details and sent them to that person if they had coded something like that?

One more question, and I promise its related: I know IP addresses change but do they always indicate your home address?

0

Imagine anything you can do with JS running on your page for everybody to see. Maybe even a redirect to a porn site :(

0

Unless you grant unfettered access to your IP data, then it's difficult to see how.
However, XSS attacks can change the content of the page, e.g. overwrite your internal links to an identical-looking scam site, they can pick up any cookies or session tokens for your site.

You seem to have a Type 1 / persistent / stored XSS.

The limits you speak of are probably down to your server-side vulnerabilities. Do not trust any user input or request without validation or sanitization.

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Edited by diafol

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.