Thread: cross-site scripting - manipulating the query string

Last post 01-31-2008 7:11 AM by p_v_anil. 0 replies.

  • 01-31-2008, 7:11 AM

    • p_v_anil
    • Not Ranked
    • Joined on 01-31-2008, 7:06 AM
    • Posts 1

    cross-site scripting - manipulating the query string

    Hi, 

    Is it possible to manipulate the query string generated using the hidden or un-editable fields in the ASP.NET web page by an unauthorized user trying to exploit an XSS vulnerability? E.g.: We have a textbox txtUser with the maximum length property set to 15. This field is a read-only field in the web page and is used to construct the query string as below:

    http://localhost/MyApp/Code/ChangePasswd.aspx?UserId=XXX     (XXX is the value from the textbox txtUser).

    How is it possible for the hacker trying to exploit the XSS vulnerability on the web application to replace this value passed to the query string with the malicious jscript code?

    Regards,

    Anil
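
Added example, not part of the original post: the textbox's maximum length and read-only settings are applied only by the browser, while the query string is supplied by whoever sends the request, so the page that receives UserId has to validate and encode it on the server. The C# console program below shows that check; the UserIdGuard class, its allow-list pattern and the sample query strings are assumptions made for illustration, and in the real page the value would come from Request.QueryString["UserId"].

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class UserIdGuard   // hypothetical helper, not from the post
{
    // Assumed policy: 1-15 letters, digits, '.', '_' or '-'. The 15 repeats the
    // textbox limit on the server, where the requester cannot bypass it.
    private static readonly Regex Allowed =
        new Regex(@"\A[A-Za-z0-9._-]{1,15}\z", RegexOptions.CultureInvariant);

    // Returns the URL-decoded UserId value from a query string, or null if absent.
    public static string ReadUserId(string query)
    {
        foreach (string pair in query.TrimStart('?').Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            string name = WebUtility.UrlDecode(pair.Substring(0, eq));
            if (string.Equals(name, "UserId", StringComparison.OrdinalIgnoreCase))
                return WebUtility.UrlDecode(pair.Substring(eq + 1));
        }
        return null;
    }

    public static bool IsValid(string userId) { return userId != null && Allowed.IsMatch(userId); }

    // Rejects anything outside the allow-list, then HTML-encodes what is echoed.
    public static string Render(string query)
    {
        string userId = ReadUserId(query);
        if (!IsValid(userId))
            return "400 Bad Request: invalid UserId";
        // Encode even validated values so a later policy change cannot reach the markup raw.
        return "<span>Changing password for " + WebUtility.HtmlEncode(userId) + "</span>";
    }

    public static void Main()
    {
        // Constructed sample query strings: valid, over-long, markup, missing parameter.
        string[] samples = { "?UserId=anil", "?UserId=this_value_is_longer_than_15",
                             "?UserId=%3Cb%3Ex%3C%2Fb%3E", "?Other=1" };
        foreach (string q in samples)
            Console.WriteLine(q + " -> " + Render(q));
    }
}
```

Only the first sample is rendered; the other three return the 400 message because the value is too long, contains characters outside the allow-list, or is missing.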
