Monday, June 3, 2024
rated 0 times [  148] [ 5]  / answers: 1 / hits: 45160  / 14 Years ago, tue, may 25, 2010, 12:00:00

I've been reading about XSS and I made a simple form with a text and a submit input, but when I execute <script>alert();</script> on it, nothing happens: the server gets that string and that's all.



What do I have to do to make it vulnerable? (then I'll learn what I shouldn't do hehe)



Cheers.



 Answers

Indeed, just let the server output it so that the input string effectively gets embedded in the HTML source which gets returned to the client.



PHP example:



<!doctype html>
<html lang=en>
<head><title>XSS test</title></head>
<body>
<form><input type=text name=xss><input type=submit></form>
<p>Result: <?= $_GET['xss'] ?></p>
</body>
</html>


JSP example:



<!doctype html>
<html lang=en>
<head><title>XSS test</title></head>
<body>
<form><input type=text name=xss><input type=submit></form>
<p>Result: ${param.xss}</p>
</body>
</html>


Alternatively, you can redisplay the value in the input elements; that's also often seen:



<input type=text name=xss value=<?= $_GET['xss'] ?>>


resp.



<input type=text name=xss value=${param.xss}>


This way, weird attack strings like /><script>alert('xss')</script><br class= will work, because the server will render it after all as



<input type=text name=xss value=/><script>alert('xss')</script><br class=>


XSS-prevention solutions are, among others, htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace, among others, <, > and " by &lt;, &gt; and &quot; so that end-user input doesn't end up literally embedded in the HTML source but instead just gets displayed as it was entered.


[#96688] Friday, May 21, 2010, 14 Years ago
warren
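Added example (my own code, not from the answer or from the site): the two output sinks the answer describes, the text node and the unquoted attribute, rewritten in Python so the effect of output encoding can be checked offline. Assumptions: html.escape stands in for htmlspecialchars() / fn:escapeXml(), parse_qs stands in for $_GET['xss'] / ${param.xss}, and a small tag-collecting HTMLParser stands in for the browser's tokenizer. The input is the attack string quoted in the answer, nothing else.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample input: the attack string from the answer above,
# exactly as it would arrive in the ?xss= query parameter.
ATTACK = "/><script>alert('xss')</script><br class="


def form_query(value: str) -> str:
    """Query string the answer's <form> would submit for one text field named xss."""
    return urlencode({"xss": value})


def param_xss(query: str) -> str:
    """Stand-in for PHP's $_GET['xss'] / JSP's ${param.xss}: first 'xss' value, or ''."""
    return parse_qs(query).get("xss", [""])[0]


def render_body_vulnerable(xss: str) -> str:
    """Raw input dropped into an HTML text node, as in the answer's PHP/JSP pages."""
    return f"<p>Result: {xss}</p>"


def render_body_safe(xss: str) -> str:
    """Same page with output encoding; html.escape replaces &, <, >, \" and '."""
    return f"<p>Result: {html.escape(xss, quote=True)}</p>"


def render_attr_vulnerable(xss: str) -> str:
    """Raw input echoed into an unquoted attribute, as in the answer."""
    return f"<input type=text name=xss value={xss}>"


def render_attr_safe(xss: str) -> str:
    """Quoted attribute plus escaping, so neither < nor " can leave the value."""
    return f'<input type="text" name="xss" value="{html.escape(xss, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records start-tag names, i.e. what a tokenizer would turn into elements."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Start tags found in markup; escaped text yields none beyond the page's own."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def script_survives(markup: str) -> bool:
    """True when the echoed input became a real <script> element (an XSS sink)."""
    return "script" in start_tags(markup)


if __name__ == "__main__":
    value = param_xss(form_query(ATTACK))
    for name, render in [
        ("body, raw", render_body_vulnerable),
        ("body, escaped", render_body_safe),
        ("attribute, raw", render_attr_vulnerable),
        ("attribute, quoted+escaped", render_attr_safe),
    ]:
        markup = render(value)
        print(f"{name:28s} script survives: {script_survives(markup)}")
        print("   ", markup)
```

Running it shows the raw renderings producing a script element (the attribute case reproduces the answer's `<input type=text name=xss value=/><script>alert('xss')</script><br class=>` byte for byte) while the escaped ones contain only the page's own p or input tag. One caveat the answer does not spell out: escaping alone does not make an unquoted attribute safe, because a space ends an unquoted attribute value and htmlspecialchars() leaves spaces alone; quote the attribute and escape the quote character as well, as render_attr_safe does.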