Security

Facebook Twitter

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation 16 April 2002 This Version: Latest Version: Previous Version: Editor: Massimo Marchiori, W3C / MIT / University of Venice, (massimo@w3.org) Authors: Lorrie Cranor, AT&T Marc Langheinrich, ETH Zurich Massimo Marchiori, W3C / MIT / University of Venice Martin Presler-Marshall, IBM Joseph Reagle, W3C/MIT Please refer to the errata for this document, which may include some normative corrections.

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification

See also translations. Copyright ©2002 W3C® (MIT, INRIA, Keio), All Rights Reserved. Abstract. Parameter Manipulation. When a user makes selections on an HTML page, the selection is typically stored as form field values and sent to the application as an HTTP request (GET or POST).

Parameter Manipulation

HTML can also store field values as Hidden Fields, which are not rendered to the screen by the browser but are collected and submitted as parameters during form submissions. Whether these form fields are pre-selected (drop down, check boxes etc.), free form or hidden, they can all be manipulated by the user to submit whatever values he/she chooses. In most cases this is as simple as saving the page using "view source", "save", editing the HTML and re-loading the page in the web browser. As an example an application uses a simple form to submit a username and password to a CGI for authentication using HTTP over SSL. The username and password form fields look like this. Example 2 - Take the same application. By manipulating the hidden value to a Y, the application would have logged the user in as an Administrator. Drx: Internet Security [Computers: Security: Internet] - loadaverageZero.

XSS (Cross Site Scripting) Cheat Sheet. Last revision (mm/dd/yy): 04/7/2014 This cheat sheet is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

XSS (Cross Site Scripting) Cheat Sheet

Please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the scripts. XSS Locator Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. Use this URL encoding calculator to encode the entire string. ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//"; alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> XSS locator 2 No Filter Evasion This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here): No quotes and no semicolon INPUT image.