Saturday, 22 March 2014

Well Known Hacks II: XSS (Server-side: 'GET' Method)

In this post I briefly talk about how some people take advantage of security flaws in server-side scripts. One very common way is by passing some variables to a script. Before getting to talk about this, I need to talk about 'GET' and 'POST' methods in form submissions. In this post talk about 'GET' method, and in next post I will post things about 'POST' method :).

Once you submit a form on a webpage (such as Login form, sign up form, etc.)  the data you entered in each of the text fields are passed to a script (could be the same script, or another script on the same domain), and that script handles your data. The data passed to the script are usually transferred using either of the 'GET' or 'POST' methods. The main difference (in terms of their behaviour) of these two is that if the field data are passed using 'GET' method, all the variable values can be seen in the URL. To make this clear let me show you an example. Let's inspect the following link that searches a query in

As you saw, after you clicked on the link, it searched the query "behnam azizi cgi" using Bing search engine. This is obviously done using 'GET' method as you can see the value of the variables passed to the script (In this case variable q has value "behnam azizi cgi". In other words q="behnam azizi cgi"). Now what the script on the server does is that it reads the value of the variable 'q' and uses the search engine to search for this query.

Of course, in my opinion, this is an advantage of Bing (As far as I know Google does not allow you to do this probably because of security issues), that you can search something using 'GET' method. One advantage that it has is that if you are working on an application and inside the application you want to allow the user to search the web, you can easily use Bing search engine (I bet Microsoft did this on purpose so at least some developers use Bing).

It is true that no one would use Bing transfer user's private data (such as username, password, etc.) using 'GET' method (sorry for the scratch. I forgot to write in pencil :) ). But it is always useful to know about the existence of such a thing (I know from now on you will be using Bing as your favorite search engine :D ).

In the next post I will talk about post method, and (possible) ways that it could be exploited.

No comments:

Post a Comment