We had a WhiteHat scan done of our site, and one of the vulnerabilites they returned was our URL appended with whscheck'*alert(13)*'a/
. When we run the full URL (https://oursite.com/phorders3/index.php/whscheck'*alert(13)*'a/
), the site loads and an alert with the value of 13 pops. Can anyone explain how this works? What exactly are the asterisks and the a/
doing?
The code in your page is using the value from the URL in a string literal in the Javascript, without escaping the value properly. That means that anyone can just put Javascript in the URL and it will execute in the page.
That could for example be used for cross site scripting by linking to your site with such an URL, and when someone uses the link the script will run in their browser, pick up some information that is private to that user and send it somewhere.
The apostrophes and the asterisks are used to break out of a string literal. If you have some code like this in the Javascript in the page:
var s = '<? echo $variable ?>';
where the variable contains the value from the URL, it would end up like this in the rendered page:
var s = 'whscheck'*alert(13)*'a';
The apostrophe makes the string literal end, and makes the following expression a part of the Javascript code instead of content in a string.
The asterisk is just an operator between the expressions. It's easier to put in an URL than the +
operator that would otherwise be a natural choise.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With