堆栈内存溢出
  简体   繁体   English

为什么此XSS攻击不起作用?

[英]Why isn't this XSS attack functioning?

 原文  2014-03-11 19:46:48       javascript/ security/ xss

问题描述

Background 背景

I'm building up a website that lists organisations in my local area. 我正在建立一个列出本地组织的网站 The site is powered by an API and stores it's data in an instance of MongoDB. 该网站由API提供支持,并将其数据存储在MongoDB实例中。

I'm fetching JSON from the API and dynamically building the content in Javascript. 我正在从API提取JSON并以Javascript动态构建内容。

Now to test against XSS attacks I deliberately added some code to inject a Javascript alert into my page. 现在,为了测试XSS攻击,我特意添加了一些代码以向页面中注入Javascript警报。

But it's not working? 但这不起作用吗? Which obviously I'm happy about but I'm more confused as to why not. 显然,我对此感到满意,但对为什么不感到困惑。

The JSON JSON 

{
"_created": "Tue, 11 Mar 2014 19:27:30 GMT",
"_etag": "fd8102613204000414cceff538771453b984a2c6",
"_id": "531f63a246e29300025291ba",
"_updated": "Tue, 11 Mar 2014 19:27:30 GMT",
"description": "<script>alert('hello');</script>",
"tags": [
    "Antiques"
],
"title": "HTML Injection",
"url": "www.link.com"
}

the injected code 注入的代码 

<script>alert('hello');</script>

The code to retrieve the JSON and render it 检索JSON并呈现它的代码 

function S_GET(id) {
    var a = new RegExp(id+'=([^&#=]*)');
    return decodeURIComponent(a.exec(window.location.search)[1]);
}

// retrieves languages and adds them to a list
var organisationId = S_GET('organisationId');

var url = 'http://damp-island-8192.herokuapp.com/organisations/' + organisationId;


var dataRequest = new XMLHttpRequest();
dataRequest.open('GET',url, false);
dataRequest.onreadystatechange = processJSON;
dataRequest.send();

function processJSON() {
    if ( dataRequest.readyState == 4 && dataRequest.status == 200 ) {    
        showJSON(dataRequest.responseText);
    }
}

function showJSON(input) {

    //dom elements
    var list = document.createElement('ul');
    list.setAttribute('id', 'organisation-details-list');

    var organisation = JSON.parse(input);

    // list organisation details
    // title
    var title = document.createElement('li');
    title.setAttribute('class', 'organisation-title');
    title.innerHTML = organisation.title;
    list.appendChild(title);
    // description
    var desc = document.createElement('li');
    desc.setAttribute('class', 'organisation-desc');
    desc.innerHTML = organisation.description;
    list.appendChild(desc);
    // link
    var link = document.createElement('li');
    link.setAttribute('class', 'organisation-link');
    var a = document.createElement('a');
    a.setAttribute('href', organisation.url);
    a.innerHTML = organisation.url;
    link.appendChild(a);
    list.appendChild(link);

document.getElementsByClassName('organisation')[0].appendChild(list);
};

The HTML HTML 

<!DOCTYPE html>
<head>
    <title>Moving To Leicester</title>
    <link rel="stylesheet" type="text/css" href="css/styles.css">
</head>
<body>
    <div class="container">
        <div class="header">
            <ul class="nav nav-pills dropdown-menu-right">
                <li class="active"><a href="splash-page.html">Home</a></li>
                <li><a href="#">About</a></li>
                <li><a href="#">Contact</a></li>
            </ul>
        </div>
        <div class="row padding-top-5">
            <div class="col-md-2">
                <!--Sidebar content-->

            </div>
            <div class="col-md-10">
                <!--Body content-->
                <div class="organisation"></div>

            </div>
        </div>
    </div>
    <script type="text/javascript" src="http://code.jquery.com/jquery-1.11.0.min.js"></script>
    <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script>
    <script type="text/javascript" src="js/organisation-details-page.js"></script>
</body>
</html>

Question

Why doesn't the page trigger an alert when I'm viewing it? 当我查看页面时,为什么页面没有触发警报?

1 个解决方案

解决方案1
 0 已采纳  2014-03-11 20:06:22

To my knowledge inserting executable Javascript via AJAX is somewhat limited. 据我所知,通过AJAX插入可执行Javascript受到一定限制。 You cannot just get code via AJAX, put it in a LI's innerHTML an have it executed. 您不能只通过AJAX获得代码,就将其放在LI的innerHTML中并执行它。 This is what you do: 这是你做的: 

var organisation=JSON.parse(input);
var title=document.createElement('li');
title.setAttribute('class','organisation-title');
title.innerHTML=organisation.title;
list.appendChild(title);

However, one work-around could be if you change your injection into this: 但是,一种解决方法是将注射更改为: 

<iframe src='/' width='1' height='1' onload='window.alert("boo");'></iframe>

I think that would inject itself. 我认为这将注入自我。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么我的XSS攻击虚拟网站不起作用? - Why isn't my XSS attack on a dummy website working? 为什么这个 if 语句不起作用? - Why isn't this if statement functioning? 为什么我的消息框不起作用? - Why isn't my message box functioning? 我无法运行 xss 攻击 - I can't run an xss attack 无法弄清楚为什么setTimeout()无法正常运行 - can't figure out why setTimeout() isn't functioning properly 为什么我的 JavaScript 登录不能正常运行? - Why isn't my JavaScript Login not functioning correctly? clearInterval无法正常运行 - clearInterval isn't functioning properly 拖放功能不起作用? - drag and drop isn't functioning? jQuery Bootstrap无法运行 - jQuery Bootstrap isn't functioning 反映的XSS:为什么必须将攻击有效负载反映到受害者的浏览器? - Reflected XSS: Why must attack payload be reflected to victim's browser?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM