I have been assigned to test a website that another group has just created. I have discovered
that it is prone to XSS attacks. However, it does not really throw
up an error or any valid information when I use JS with PHP:
i.e. var someVar = <?php echo 'a'; ?>
alert(someVar);
This led to my assuming that a site prone to XSS attacks may not necessarily allow php code
to be injected. Am I correct? If not, is there anything with the segment that I posted above?
And, the reason I haven't tried php injection via the GET variables is that I do
not use anything of the form page.php?id='', that queries the database, as of now, except for
the registration and login part, which is via POST.
This led to my assuming that a site prone to XSS attacks may not necessarily allow php code to be injected. Am I correct?
Yes, of course.
XSS attacks have nothing to do with PHP code injections. It's all about JS code injection.
JavaScript runs on the client side, PHP runs on the server side. There's no way you can execute PHP on the client side using JavaScript. Check more at wiki.
What you can try to do is post some JS code wrapped in a tag from any website input field. If its value isn't validated on the server side and goes directly to the DB and is displayed somewhere on the site pages afterwards, you'll see the JS code executing, as other clients will, so the JS code may do some funny stuff on client computers.
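
The stored-input case described in the answers above, seen from the server side, as an added example that is not part of the original posts: the same stored value rendered without encoding, then encoded for an HTML context and for a JavaScript context like the question's someVar assignment. The function names and the sample value are constructed for illustration.

```php
<?php
// Added example: function names and the sample value are hypothetical.

// Constructed sample of a value that was submitted through an input
// field and stored in the database without server-side validation.
$stored = "<script>alert('xss')</script>";

// Vulnerable: the stored value is concatenated into the page as-is, so
// the browser parses it as markup and runs it for every visitor.
function render_comment_unsafe(string $value): string
{
    return '<p>' . $value . '</p>';
}

// Hardened for an HTML body context: encode on output so the browser
// displays the characters instead of interpreting them as a tag.
function render_comment_safe(string $value): string
{
    return '<p>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Hardened for a JavaScript context (a PHP value echoed into a var
// assignment, as in the question): json_encode() emits a quoted JS
// string literal, and the JSON_HEX_* flags escape <, >, &, ' and " so
// the value cannot terminate the surrounding script element.
// $name is assumed to be a hard-coded identifier, never user input.
function render_js_var_safe(string $name, string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR; // PHP 7.3+: fail loudly on invalid UTF-8
    return '<script>var ' . $name . ' = ' . json_encode($value, $flags) . ';</script>';
}

// Print all three renderings so the difference is visible in the output.
echo render_comment_unsafe($stored), PHP_EOL;
echo render_comment_safe($stored), PHP_EOL;
echo render_js_var_safe('someVar', $stored), PHP_EOL;
```

Run it with the PHP command-line interpreter and compare the three lines: only the first one still contains a live script element.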