User talk:CSteipp (WMF)/Training/VulnTagging easy

Answers

edit

This script is vulnerable to SQL injection, and XSS.

  • SQL Injection

This line is vulnerable to SQL Injection:

array( "vt_article_id = $articleId" ),

An attacker can pass in an articleid to the parser function call

  • XSS

These line are vulnerable to Cross-site Scripting:

foreach ( $res as $tag ) {
	$tags[] = "<li class='tag' id='tag-".$tag->vt_tid."'>".$tag->vt_tag_text."</li>";
}
return "<ul id='vuln-tag-list' class='tags-for-$articleId'>" . implode( "\n", $tags ) . "</ul>";

If an attacker has stored a vt_tag_text in the database containing "<script>alert(1)</script>", then the javascript will execute. If vt_tid is a string in the database, it will also be vulnerable to xss, if the attacker adds a string like "' onclick='alert(1);"

Return to the user page of "CSteipp (WMF)/Training/VulnTagging easy".