Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


In this Discussion

Perhaps XSS?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Perhaps XSS?

haphanhaphan Member
edited May 2012 in Help

Hi everyone, today i found something very strange in my user database. Some fields contain texts like following

!S!WCRTESTTEXTAREA000000!E!
!S!WCRTESTINPUT000002<><>%3c%3e!E!
!S!WCRTESTTEXTAREA000000!E!' and '7'='2

I googled and found that these texts appear everywhere. Do you have any idea?

Cheers.

Comments

  • vldvld Member
    edited May 2012

    Someone scanned your site for SQL/XSS (or more types) vulnerabilities, and those went past and got inserted in the database.
    If you're escaping (using PDO prepare or other type of sanitization/escaping) SQL queries before executing them, and you are encoding them before displaying them to the user (aka < becomes & lt ;) you should be fine as far as vulnerabilities of this type (database) go.

  • haphanhaphan Member
    edited May 2012

    @vld said: If you're escaping (using PDO prepare or other type of sanitization/escaping) SQL queries before executing them, and you are encoding them before displaying them to the user (aka < becomes & lt ;) you should be fine as far as vulnerabilities of this type (database) go.

    Thanks @vld, actually I did use PDO prepareStatement for all of my queries thus it makes this issue more serious for me. Besides, these texts do not look suspicious to me (or does it?)

    I lean toward XSS because it happened with authenticated users.

  • vldvld Member
    edited May 2012

    They look suspicious as they were an attempt to modify the sites behavior, potentially leading to more serious attacks (aka dumping the databases or worse). As long as you escape the data before output, you shouldn't be worried about XSS attacks.

    You could also add a character white list, to disallow any character that shouldn't be in a field (like <> in Name). This can be easily done with regex.

Sign In or Register to comment.