Who's watching your surfing?
[Oct. 4th, 2009|07:45 am]
I've found internet-based admin pages for viewing visitor page request logs seldom filter out HTML, as the data is coming from log files... so how would HTML get in there!?
Well, if you change the request header your browser sends out using a suitable program, like the Proxomitron, you can inject HTML into the pages that are displaying the logs.
Here's the basic version of a suitable Internet GET header request, containing embedded HTML in pink:
Now, if this data is ever displayed in an admin's browser, your server logs will record the image hit, and the page it came from. =)
I've found many unprotected admin pages like this...
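
On the log viewer's side, the fix is to treat every log field as untrusted text and escape it on output. The sketch below is an added example, not part of the original post; it assumes the combined access-log format, and the function names and sample log lines are constructed for illustration.

```python
import html
import re

# "Combined" access-log format (assumed here); the last two quoted fields,
# Referer and User-Agent, are copied from client-supplied request headers.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
FIELDS = ("ip", "time", "request", "status", "referer", "agent")

# Constructed sample lines: the second carries markup in its User-Agent header.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Oct/2009:07:45:00 +0000] "GET / HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux)"',
    '198.51.100.9 - - [04/Oct/2009:07:46:10 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "<img src=http://tracker.example.invalid/hit.gif>"',
]

def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def render_row_unsafe(entry):
    """The weak viewer the post describes: fields pasted into the page as-is."""
    return "<tr>" + "".join(f"<td>{entry[f]}</td>" for f in FIELDS) + "</tr>"

def render_row_safe(entry):
    """Hardened viewer: every field is HTML-escaped before it is written out."""
    cells = (html.escape(entry[f], quote=True) for f in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

def has_markup(entry):
    """Detection aid: flag entries whose request-derived fields contain < or >."""
    return any(c in entry[f] for f in ("request", "referer", "agent") for c in "<>")

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse(line)
        print("SUSPICIOUS" if has_markup(e) else "ok", render_row_safe(e))
```

With escaping in place the admin's browser shows the tag as literal text instead of fetching the image, and `has_markup` gives a cheap way to find entries worth a second look.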