
The original example can be found here:

Summary

A form element:

<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">

A piece of malicious code typed into the browser address bar by someone: http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E

The example states that the form element will be converted to the following:

<form method="post" action="test_form.php/"><script>alert('hacked')</script>

While I get the idea, I don't understand why

  1. This even works when the web address is nonexistent. Shouldn't that person get an error page of some kind saying that the website cannot be found? Just like when we accidentally type in a wrong address and get nothing?
  2. Even though it works, how is anyone else besides the "hacker" himself affected if the change is not saved on the php file on the server? I mean it is the hacker who manually typed in the malicious code, and it is his browser that would download the affected web page.

I must've gotten some concepts wrong, badly. Please correct me. Thanks.

1 Answer


This even works when the web address is nonexistent. Shouldn't that person get an error page of some kind saying that the website cannot be found? Just like when we accidentally type in a wrong address and get nothing?

Not if the web server is configured to allow extra data after the script path. In Apache, this is configured by the AcceptPathInfo Directive.

Even though it works, how is anyone else besides the "hacker" himself affected if the change is not saved on the php file on the server? I mean it is the hacker who manually typed in the malicious code, and it is his browser that would download the affected web page.

An XSS attack would require the attacker to get the target to visit this URL, so that the malicious payload would run in the target's browser. One way to do this would be to trick the target into clicking a malicious link.
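As an added example that is not part of the original question or answer, the following PHP script contrasts the form line from the question with an escaped version. It uses a constructed string in place of the live $_SERVER["PHP_SELF"] so it runs from the command line; the function names are assumptions for the demo.

```php
<?php
// Added example, not from the original post: shows why echoing PHP_SELF
// unescaped into an attribute is dangerous and how escaping neutralises it.

// Constructed stand-in for $_SERVER["PHP_SELF"] as PHP would set it when the
// request path carries the extra path-info segment from the question.
$phpSelf = '/test_form.php/"><script>alert(\'hacked\')</script>';

// Unsafe: the request-controlled path is written straight into the attribute,
// so the quote in the path closes the attribute and the rest becomes markup.
function renderFormUnsafe(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened: escape for an HTML attribute context. With ENT_QUOTES both " and '
// are encoded, so the value can no longer terminate the attribute.
function renderFormEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Alternative that avoids PHP_SELF entirely: with no action attribute the
// browser submits to the current document URL, and nothing request-controlled
// is written into the page at all.
function renderFormWithoutSelf(): string
{
    return '<form method="post">';
}

// Simple check suitable for a unit test: the escaped output must contain no
// raw '"><' sequence, which is what breaks out of the attribute in the unsafe version.
function attributeStaysClosed(string $html): bool
{
    return strpos($html, '"><') === false;
}

echo "Unsafe:   ", renderFormUnsafe($phpSelf), PHP_EOL;
echo "Escaped:  ", renderFormEscaped($phpSelf), PHP_EOL;
echo "No self:  ", renderFormWithoutSelf(), PHP_EOL;

if (!attributeStaysClosed(renderFormEscaped($phpSelf))) {
    throw new RuntimeException('escaped form still breaks out of the attribute');
}
```

The unsafe line reproduces the broken markup the question quotes, while the escaped line keeps the same bytes but only as text inside the attribute.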


2 Comments

To expand on the second point, if Facebook did this, then anybody who trusts Facebook links could be targeted. Also, the script could cause the user to send personal information to the attacker.
@Aleander Thanks for your answers. I think I got the idea now.