XSS Tutorial Package

by MaXe from InterN0T.org


Intermediate - Part 4

Hint: Think alternatively! (event handlers again?)
(look in the HTML source for clues...)

Input a URL of a site you want to see:

The affected PHP source code:
<?php
$input = isset($_GET['site']) ? $_GET['site'] : NULL;
$regex = "/script|data|text/i"; // A case-insensitive regex: matches "script", "data" or "text" anywhere in the input.
$antihacker = preg_match($regex, $input); // Returns 1 if the regex matches the input, 0 otherwise.

if($input!=NULL && $antihacker==FALSE) {
    echo "The site you wanted to see is: <br />
    <iframe src='". htmlentities($input) ."' width='640' height='480' ></iframe>";
} else if($input!=NULL && $antihacker==TRUE) {
    echo "Don't try to use words like: script, data or text!";
} else {
    echo "Input a URL of a site you want to see: <br />
    <form action='?' method='GET'>
    <input type='text' name='site' />
    <input type='submit' value='Submit!' />
    </form>";
}
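A hardened replacement for the blacklist check above, added here as an example and not part of MaXe's tutorial: instead of rejecting three keywords it accepts only absolute http(s) URLs (an allowlist) and encodes the value with ENT_QUOTES so that neither quote character can end the attribute. The function names safe_iframe_url and render_iframe are my own.

```php
<?php
// Added example, not the tutorial's code: allowlist validation of the
// "site" parameter before it is placed into an iframe src attribute.

// Returns the URL if it is an absolute http(s) URL, otherwise null.
function safe_iframe_url(?string $input): ?string {
    if ($input === null || $input === '') {
        return null;
    }
    // parse_url() returns false for seriously malformed URLs.
    $parts = parse_url($input);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Allowlist of schemes: anything that is not http or https is rejected,
    // which is stronger than blacklisting a handful of keywords.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // If the application only needs to embed known sites, also compare
    // strtolower($parts['host']) against a fixed list of hosts here.
    return $input;
}

// Builds the iframe markup, or an error message for rejected input.
function render_iframe(?string $input): string {
    $url = safe_iframe_url($input);
    if ($url === null) {
        return "Only absolute http(s) URLs are accepted.";
    }
    // ENT_QUOTES encodes both ' and ", so the value cannot close the
    // single-quoted src attribute; plain htmlentities() with its default
    // flags does not encode ' before PHP 8.1.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<iframe src='$safe' width='640' height='480'></iframe>";
}

$input = isset($_GET['site']) ? $_GET['site'] : null;
echo render_iframe($input);
```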