跨站点脚本注入
[英]Cross Site Scripting injection
问题描述
I am testing a web application. 
我正在测试一个Web应用程序。 I want to write an XSS script that will display an alert "Hello" . 我想编写一个显示警告"Hello"的XSS脚本。
The first script I wrote was: 我写的第一个脚本是:
<script >alert("Hello");</script >
But did not display the alert "Hello" . 但没有显示警报"Hello" 。 I discovered that the XSS script that works is 我发现有效的XSS脚本是
<SCRIPT >alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT >
I would like to know why the first script didn't work. 我想知道为什么第一个脚本不起作用。
1 个解决方案
解决方案1
7 已采纳 2013-02-28 12:36:16
Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript. 很可能该网站用HTML实体替换双引号或尝试以某种其他方式转义它们使它们不适合JavaScript。 When using String.fromCharCode(...) you don't have to use any quotation marks so it'll work. 使用String.fromCharCode(...)您不必使用任何引号,这样它就可以工作。 It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime. 它获取字符串字符的ASCII代码列表,并在运行时创建一个字符串。 So there's no need for any quoting. 所以不需要任何引用。
The proper way to avoid this kind of XSS is to replace < with < 避免这种XSS的正确方法是替换< with < - that way a script tag cannot be created at all. - 这样就根本无法创建脚本标记。
Note that > , " and & should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only < is absolutely required to defeat XSS attacks assuming no untrusted data can be used in HTML attributes (that's where " needs to be sanitized) 请注意> , "和& "在清理包含HTML的数据时也应该用它们各自的HTML实体替换!但是,假设在HTML属性中没有不受信任的数据可用,那么只有<才能打败XSS攻击(这就是"需要的地方"消毒)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.