[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] XSS Javascript scripting

From: Miguel González Castaños <miguel_3_gonzalez@xxxxxxxx>
Subject: [WEB SECURITY] XSS Javascript scripting
Date: Sat, 28 Nov 2009 03:14:54 +0100

Hi all,

I'm keep on working on my computer security course assignments. Now I have to build a XSS attack on a PHP form. I have checked that i can insert javascript scripts. I'm including a .js file so I can get the data of this form:

<form method="post">
     <table style="border:1; margin-top:50px;" align="center";>
            <tr>
                <td>Usuario</td>
                <td><input class="c1" type="text" name="usuario"></td>
            </tr>
            <tr>
                 <td>Password</td>

                 <td><input class="c1" type="text" name="password"></td>
            </tr>
            <tr>
                <td colspan="2" align="right">
                    <input class="c1" type="submit" name="enviar" value="Acceder">
                </td>
            </tr>
     </table>
</form>

The question is that the HTML form has no name. How can I trap the onsubmit event? Document.forms[0].onsubmit doesn't to work...I have googled and this seems to be the way to access the forms...

  What am I doing wrong?

 Miguel

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

Prev by Date: Re: [WEB SECURITY] Known Safe JDBC Drivers
Next by Date: Re: [WEB SECURITY] Links for tutorials on false positives
Previous by thread: [WEB SECURITY] Known Safe JDBC Drivers
Next by thread: [WEB SECURITY] Fingerprinting of Apache
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site