I was playing with OWASP Mutillidae II and in one page I've found one vulnerability
Question
I was playing with OWASP Mutillidae II and in one page I've found one vulnerability. In the address bar I wrote something like:
127.0.0.1/.../?page=text-file-viewer.php/"><script>alert("test");</script>
The code works fine, but I don't understand why. Let me explain better: I know what happens if I put this code in an input form, but I don't know what the address bar does! Surely I'm very inexperienced and I don't have deep knowledge of the most basic mechanisms of a web browser, but how does the address bar process the string it gets? Why does my code work if I put it in the address bar? I hope that someone answers my question, even if it seems like a question for dummies!
Explanation / Answer
The address bar doesn't do anything. It's the web application which apparently takes the URL and inserts it right into the HTML markup, leading to a cross-site scripting vulnerability.
This happens either server-side or client-side: Either the PHP script delivers the page with the URL already in it, or there's a piece of JavaScript code which injects the URL after your browser has received the HTML document.
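As an added illustration of the client-side case the answer describes (example code, not part of the original question or answer): a script that copies the requested URL straight into the page's markup, beside the escaping that removes the vulnerability. The names renderUnsafe, renderSafe and escapeHtml are hypothetical; the URL is the one from the question, embedded as a constant so the example runs without a browser.

```javascript
// Added example (not from the original question or answer). It models the
// client-side case from the answer: a script that copies the page URL into
// the HTML. The URL below is the one from the question, embedded as a
// constant so this runs without a browser; the function names are
// hypothetical.
const REQUESTED_URL =
  '127.0.0.1/.../?page=text-file-viewer.php/"><script>alert("test");</script>';

// Vulnerable pattern: the URL string is concatenated straight into markup,
// exactly as if the script did  el.innerHTML = '...' + location.href + '...'.
// The payload's closing quote and bracket terminate the attribute, and the
// <script> tag that follows becomes part of the document.
function renderUnsafe(url) {
  return '<a href="' + url + '">current page</a>';
}

// Fix: treat the URL as text, not markup. Escape the five HTML-significant
// characters before the string is placed inside an element or attribute.
// In a real page the equivalent is to set location.href via textContent or
// setAttribute instead of building HTML by hand.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSafe(url) {
  return '<a href="' + escapeHtml(url) + '">current page</a>';
}

// Detection helper: does the rendered markup contain a script element that
// the template itself never wrote?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

console.log(renderUnsafe(REQUESTED_URL)); // a <script> tag lands in the markup
console.log(renderSafe(REQUESTED_URL));   // only the text &lt;script&gt; remains
```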