The files that comprise your team's website are on the
host www in the directory:
C:\Program Files\Apache Software Foundation\Apache2.2

To defeat HTML injection attacks, we need to sanitize input. In the simplest case, that means disallowing <'s in user input. This site is a bit odd because the file
htdocs\index.html is actually regenerated every time
the script cgi-bin\survey.cgi is executed;
i.e. every time someone submits a comment. So modifying
index.html doesn't solve anything; you have to modify
cgi-bin\survey.cgi.
The easiest way to defeat HTML injection is to replace any <'s
in submitted user input with ... well, with anything else! Let's
say with an X.
This can be done either client-side or server-side. But for both,
we're going to have to modify the file
cgi-bin\survey.cgi.

Client-side: open cgi-bin\survey.cgi on
host www with Notepad. It includes a mix of HTML and
code in a language called Python. Find the HTML code with the
form for submitting comments. In particular, find the code for
the submit button. Replace onclick='submit()' with
onclick='
document.forms.survey.txt.value = document.forms.survey.txt.value.replace(/</g,"X");
submit();'
The pattern /</g makes replace act on every < in the comment, not just the first one.

Server-side: open cgi-bin\survey.cgi on
host www with Notepad. It includes a mix of HTML and
code in a language called Python. Even though you don't know
Python, you should be able to spot the point in the Python code at
which the variable comments gets its value and replace
form["txt"].value with
cgi.escape(form["txt"].value)
which will "escape" special HTML characters like < before the
Python script adds the comments to index.html.
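
The following added example (not code from survey.cgi) compares the two sanitizing approaches described above by parsing the resulting HTML and listing the tags a browser would see. It uses html.escape, the counterpart of cgi.escape in current Python (cgi.escape was removed in Python 3.8); the render_* functions, the <li> wrapper and the sample comment are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

class TagCollector(HTMLParser):
    """Records the start tags and text a parser sees in an HTML fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.seen_tags, self.seen_text = [], []

    def handle_starttag(self, tag, attrs):
        self.seen_tags.append(tag)

    def handle_data(self, data):
        self.seen_text.append(data)

def parse(fragment):
    """Return (list of start tags, visible text) for a rendered fragment."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.seen_tags, "".join(collector.seen_text)

# Three hypothetical ways a script could write a comment into the page.
def render_raw(comment):
    return "<li>" + comment + "</li>"                      # no sanitizing

def render_replaced(comment):
    return "<li>" + comment.replace("<", "X") + "</li>"    # the "X" approach

def render_escaped(comment):
    return "<li>" + html.escape(comment, quote=True) + "</li>"

RENDERERS = {"raw": render_raw, "replaced": render_replaced, "escaped": render_escaped}

def report(comment):
    """Parse each rendering and return the markup and text that result."""
    return {name: parse(fn(comment)) for name, fn in RENDERERS.items()}

if __name__ == "__main__":
    sample = "I think 3 < 5 <b>always</b>"   # constructed sample comment
    for name, (tags, text) in report(sample).items():
        print("%-9s tags=%s text=%r" % (name, tags, text))
```

Both sanitized renderings leave only the script's own li element in the page, but only the escaped one still displays the visitor's comment exactly as typed.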