
Cross Site Scripting injection

I am testing a web application. I want to write an XSS script that will display an alert "Hello".

The first script I wrote was:

<script>alert("Hello");</script>

But it did not display the alert "Hello". I discovered that the XSS script that works is

<SCRIPT>alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT>

I would like to know why the first script didn't work.

Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript. When using String.fromCharCode(...) you don't have to use any quotation marks so it'll work. It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime. So there's no need for any quoting.

The proper way to avoid this kind of XSS is to replace < with &lt; - that way a script tag cannot be created at all.

Note that > , " and & should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only < is absolutely required to defeat XSS attacks, assuming no untrusted data can be used in HTML attributes (that's where " needs to be sanitized).
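The following is an added example, not code from the question or the answer above. It models two hypothetical server-side sanitizers (the quotes-only behaviour the answer suspects, and the full `&`, `<`, `>`, `"` escaping it recommends), runs both payloads from the question through them, and checks two things: whether a `<script>` opening tag still survives in the output, and whether the script body between the tags still parses as JavaScript. The function names and the `new Function` parse check are my own choices for illustration.

```javascript
// Added example (not part of the original post). Shows why escaping only
// double quotes breaks alert("Hello") but lets the String.fromCharCode payload
// through unchanged, while escaping '<' prevents any <script> tag from forming.

// Hypothetical sanitizer #1: escapes only double quotes, as the answer suspects
// the tested site does.
function escapeQuotesOnly(untrusted) {
  return untrusted.replace(/"/g, "&quot;");
}

// Hypothetical sanitizer #2: escapes the four characters the answer lists.
// '&' must be replaced first, otherwise the entities produced by the later
// replacements would themselves be re-encoded.
function escapeHtml(untrusted) {
  return untrusted
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// True if the sanitized output still contains a literal <script ...> opening
// tag (case-insensitive, as browsers treat tag names).
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// True if a <script> element survives AND its body is still syntactically
// valid JavaScript. new Function() only parses the body; it never executes it,
// so the alert() calls are never reached here.
function scriptBodyParses(html) {
  const m = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/i.exec(html);
  if (!m) return false;
  try {
    new Function(m[1]);
    return true;
  } catch (e) {
    return false; // e.g. SyntaxError on alert(&quot;Hello&quot;);
  }
}

// The two payloads from the question (constructed inline for this example).
const quotedPayload = '<script>alert("Hello");</script>';
const charCodePayload =
  "<SCRIPT>alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT>";

// What the String.fromCharCode payload actually builds at runtime.
function decodedCharCodeString() {
  return String.fromCharCode(72, 101, 108, 108, 111, 33);
}

// Runs both payloads through both sanitizers and reports the outcome.
function evaluate() {
  const check = (sanitize, payload) => {
    const out = sanitize(payload);
    return { tagSurvives: containsScriptTag(out), bodyParses: scriptBodyParses(out) };
  };
  return {
    quotesOnly: {
      quoted: check(escapeQuotesOnly, quotedPayload),     // tag survives, body broken: no alert
      charCode: check(escapeQuotesOnly, charCodePayload), // tag survives, body intact: alert fires
    },
    fullEscape: {
      quoted: check(escapeHtml, quotedPayload),           // no tag at all
      charCode: check(escapeHtml, charCodePayload),       // no tag at all
    },
  };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run it with Node. The quotes-only sanitizer leaves the `<SCRIPT>` tag in place for both payloads; the first payload is dead only because `alert(&quot;Hello&quot;);` is a syntax error, which is exactly the gap `String.fromCharCode` walks through. With `<` escaped, neither payload yields a tag, regardless of what the script body contains.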
