Form Input & Hacking

[uniopp]

Are there any characters or combination of characters that could be input into a html form to hack, cause server damage or access restricted data??
What I'm trying to determine is whether I should create regular expressions to limit what can and can't be input into my form fields?
Any advise would be much appreciated.
Thank you.
Simon.

 

[PaulTEG]

HTML forms can be open to scripting attacks, where a schmuck decides to insert script commands.

<script language=&quot;JavaScript&quot; src=&quot;[URL unfurl="true"]http://myserver.com/scripts/STBU.js&quot;></script\>[/URL]

If this is stored to be echoed to the screen, the script will activate, whatever the payload.

There are other forms of scripting attacks, it'd be worthwhile to do a google on it

HTH ;P

 

[goBoating]

See,

http://www.w3.org/Security/Faq/www-security-faq.html

and

http://www.gunther.web66.com/FAQS/taintmode.html

and

http://www.perl.com/pub/a/2001/01/begperl6.html#taint

just a few to start with..... enjoy ;-) 'hope this helps

If you are new to Tek-Tips, please use descriptive titles, check the FAQs, and beware the evil typo.