Question: The following HTML/PHP text is given: The PHP text at start ensures that the message inserted at text area message is appended to an XML


The PHP text at the start ensures that the message entered in the text area "message" is appended to the XML file "guestbook.xml". Thus, step by step, the following type of XML file is created on the server side:

The PHP text in the middle ensures that the messages entered by the users so far are displayed to the current user. The goal is to present a guestbook to the current user. The "echo" statements create the static part of the Web site.


To illustrate what happens: If "guestbook.xml" looks as shown above, the following Web site will be created:

As you can see, no measures for the defence against Cross-Site Scripting are taken.

Task 2a) Which goals do attackers pursue with Cross-Site Scripting?

Task 2a) What do you need to type into the text area "message" so that the headline is "hallo" instead of "Guests"?

Task 2b) What do you need to type into the text area "message" so that all the guests' opinions so far change to "Bad!"?

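    <?php
    // Reconstructed listing. The HTML tag names inside the echo strings and the
    // attributes of the <form> tag are not legible in the source; <h1>, <p> and
    // a bare <form> are assumed. No output escaping is done, as the question states.
    $objDOM = new DOMDocument();
    $objDOM->load("gaestebuch.xml");
    $topElement = $objDOM->getElementsByTagName("buch")->item(0);

    // Append the submitted message as a new <message> element and save the file.
    $message = $_REQUEST['message'];
    $message_node = $objDOM->createElement("message");
    $topElement->appendChild($message_node);
    $message_text_node = $objDOM->createTextNode($message);
    $message_node->appendChild($message_text_node);
    $objDOM->save("gaestebuch.xml");

    // Static part of the page.
    echo '<h1>Guests</h1>';
    echo '<p>Opinion of the guests:</p>';

    // Print every stored message; the text is written into the page as-is.
    $message_list = $objDOM->getElementsByTagName("message");
    if ($message_list->length > 0)
        for ($i = 0; $i < $message_list->length; $i++) {
            echo $i . ":";
            $msg_node = $message_list->item($i);
            echo "<p>" . $msg_node->childNodes->item(0)->data . "</p>";
        }

    // Input form for the next message.
    echo '<form>';
    echo '<textarea name="message" cols="140" rows="20"></textarea>';
    echo '<input type="submit" value="Abschicken"/>';
    echo "</form>";
    ?>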
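
The listing writes each stored message into the page without encoding it. As an added example (not part of the original question or its code), here is the storage and display step with output encoding applied; the helper names h, add_message and render_messages, the 2000-byte limit and the inline sample XML are assumptions constructed for illustration.

```php
<?php
// Added example: hardened counterpart of the guestbook listing.
// Same DOM storage, but every stored message is HTML-encoded on output.

// Hypothetical helper: encode untrusted text for an HTML element body
// or a quoted attribute value.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: append a message only if it is non-empty and
// within a size limit (the 2000-byte default is an assumption).
function add_message(DOMDocument $dom, ?string $message, int $maxLen = 2000): bool
{
    $message = trim((string) $message);
    if ($message === '' || strlen($message) > $maxLen) {
        return false;
    }
    $node = $dom->createElement('message');
    // createTextNode stores the text literally, so the XML file stays
    // well-formed; the HTML encoding step belongs at output time.
    $node->appendChild($dom->createTextNode($message));
    $dom->getElementsByTagName('buch')->item(0)->appendChild($node);
    return true;
}

// Build the message list as HTML, encoding each message body.
function render_messages(DOMDocument $dom): string
{
    $html = '';
    $i = 0;
    foreach ($dom->getElementsByTagName('message') as $node) {
        // textContent also copes with an empty <message/> element,
        // where childNodes->item(0) would be null.
        $html .= '<p>' . $i . ': ' . h($node->textContent) . "</p>\n";
        $i++;
    }
    return $html;
}

// Constructed sample data standing in for gaestebuch.xml.
$dom = new DOMDocument();
$dom->loadXML('<buch><message>Nice site!</message><message/></buch>');
add_message($dom, 'I <b>really</b> like "this" & that'); // stored, shown as text
add_message($dom, '   ');                                // rejected: empty after trim
echo render_messages($dom);
```

With the encoding in place, markup typed into the text area is displayed as literal characters instead of being interpreted by the browser.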
