The files that comprise your team's website are on the host www, in the directory:
C:\Program Files\Apache Software Foundation\Apache2.2

To defeat HTML injection attacks, we need to sanitize input. In the simplest case, that means disallowing <'s in user input. This site is a bit odd because the file htdocs\index.html is actually regenerated every time the script cgi-bin\survey.cgi is executed, i.e. every time someone submits a comment. So modifying index.html doesn't solve anything; you have to modify cgi-bin\survey.cgi.
The easiest way to defeat HTML injection is to replace any <'s in submitted user input with ... well, with anything else! Let's say with an X. This can be done either client-side or server-side. But for both, we're going to have to modify the file cgi-bin\survey.cgi.
Client-side fix: open cgi-bin\survey.cgi on host www with Notepad. It includes a mix of HTML and code in a language called Python. Find the HTML code with the form for submitting comments. In particular, find the code for the submit button. Replace onclick='submit()' with

onclick=' document.forms.survey.txt.value = document.forms.survey.txt.value.replace(/</g,"X"); submit();'

(The pattern is written as a regular expression with the g flag so that every < is replaced; JavaScript's replace with a plain string pattern only replaces the first occurrence.)
Server-side fix: open cgi-bin\survey.cgi on host www with Notepad. Even though you don't know Python, you should be able to spot the point in the Python code at which the variable comments gets its value, and replace

form["txt"].value

with

cgi.escape(form["txt"].value)

which will "escape" special HTML characters like < before the Python script adds the comments to index.html.
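The following Python module is an added example, not the exercise's survey.cgi (which is not reproduced here). It stands in for the part of the script that regenerates index.html and shows the two approaches side by side: the crude "replace < with X" filter and proper HTML escaping. It uses html.escape, the standard-library replacement for cgi.escape (cgi.escape was removed in Python 3.8, and unlike html.escape it did not escape quotes by default). The render_comments and injected_tags functions, the ul/li template and the sample comments are all constructed for this example. Note that only the server-side change actually protects the page: a form can be submitted without running the page's own JavaScript, so the client-side replacement is a convenience, not a control.

```python
import html
import re

# Constructed sample submissions (not real survey data): one ordinary
# comment that legitimately contains '<', and two that carry markup of the
# kind an HTML injection relies on.
SAMPLE_COMMENTS = [
    "Great site, and 5 < 10 by the way",
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
]


def crude_sanitize(text):
    """First approach from the exercise: turn every '<' into an 'X'.

    Python's str.replace replaces all occurrences (unlike JavaScript's
    String.prototype.replace with a string pattern, which only replaces
    the first).  '>' and quotes are left untouched, and legitimate text
    such as "5 < 10" is mangled.
    """
    return text.replace("<", "X")


def escape_for_html(text):
    """Second approach from the exercise, using html.escape in place of
    cgi.escape.  quote=True also escapes double and single quotes, which
    matters if the value ever ends up inside an attribute; the visible
    text is preserved, only its interpretation as markup is removed.
    """
    return html.escape(text, quote=True)


def render_comments(comments, sanitizer):
    """Stand-in for the part of survey.cgi that regenerates index.html:
    emit one <li> per comment, passing each through the given sanitizer.
    Passing an identity function reproduces the unfixed, injectable page.
    """
    items = "".join("<li>%s</li>" % sanitizer(c) for c in comments)
    return '<ul id="comments">%s</ul>' % items


def injected_tags(page, template_tags=("ul", "li")):
    """Defender's check on the generated page: tag names that appear in it
    but were not emitted by the template.  Any hit means user input reached
    the page as live markup."""
    found = set(
        m.group(1).lower()
        for m in re.finditer(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    )
    return sorted(found - set(template_tags))


if __name__ == "__main__":
    variants = (
        ("unfixed", lambda s: s),
        ("crude", crude_sanitize),
        ("escaped", escape_for_html),
    )
    for name, fn in variants:
        page = render_comments(SAMPLE_COMMENTS, fn)
        print("%-8s injected tags: %s" % (name, injected_tags(page)))
```

Running the module shows the unfixed page carrying img and script tags from user input, while both sanitizers leave only the template's own tags; the difference between them is that escaping keeps "5 < 10" readable as "5 &lt; 10", where the X-replacement turns it into "5 X 10".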