Description

By injecting JavaScript code, an attacker can steal the user's cookie and take over the user's account. The cause is missing input validation and output encoding for the `type` parameter: the value is reflected into the page unencoded. This was tested on the demo website.

Exploitation
Injection point:
HTTP://demo/EmailCheckOthers.php?opt=<script>alert(1)</script>&email=asfasf

Request:
Response:
Solution:
Before using any user input, verify and sanitize it properly; trust nothing that is sent from the client. For this XSS, encode the value with the `htmlentities()` function before printing it into the page, so that `<` and `>` reach the browser as `&lt;` and `&gt;` and cannot open a script tag.
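The following PHP snippet is an added example, not code from the reported project. It models a page like EmailCheckOthers.php that echoes a request parameter into its HTML, and shows the vulnerable reflection next to the htmlentities()-based fix from the solution above. The parameter name `opt` is taken from the injection point; the page structure and function names are assumptions.

```php
<?php
// Added example, not the project's own code. Models a reflected XSS in a page
// such as EmailCheckOthers.php that writes a query parameter into its HTML.
// Parameter name (opt) comes from the report; everything else is assumed.

// Vulnerable: the raw query-string value is concatenated into the markup, so
// ?opt=<script>alert(1)</script> is parsed and executed by the victim's browser.
function render_vulnerable(string $opt): string
{
    return '<p>Option: ' . $opt . '</p>';
}

// Hardened: HTML-encode before output. ENT_QUOTES also encodes ' and ", so the
// value is safe inside quoted attributes as well as in text nodes. Always pass
// the charset explicitly so multi-byte input is not mis-decoded.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $opt): string
{
    return '<p>Option: ' . e($opt) . '</p>';
}

// When served by a web server, take the value from the request; when run from
// the CLI, fall back to the payload quoted in the report (constructed input).
$opt = isset($_GET['opt']) ? (string) $_GET['opt'] : '<script>alert(1)</script>';

echo "Vulnerable output:\n", render_vulnerable($opt), "\n\n";
echo "Encoded output:\n", render_safe($opt), "\n";

// Caveat: htmlentities() is the correct encoder only when the value lands in
// HTML text or a quoted attribute. A value placed inside a <script> block, a
// URL, or an inline event handler needs that context's encoder instead, for
// example json_encode() for a JavaScript string literal or rawurlencode() for
// a URL component. Encode at the output point, not once at input time.
```

With the report's payload, `render_vulnerable()` returns markup containing a live `<script>` element, while `render_safe()` returns `<p>Option: &lt;script&gt;alert(1)&lt;/script&gt;</p>`, which the browser displays as inert text.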