I'm doing penetration testing of a PHP app. I know that before user data is
echoed to the page it goes through the htmlentities() PHP function like this:
$filtered_data = htmlentities( $data ) ;
$data is some user data that was entered earlier. Then $filtered_data is
echoed sometime later.
Is there a way to inject code into this application, so later when it gets
echoed back to the users my code gets executed?
Thanks,
Serge
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------