
What type of XSS is this and how to prevent it

Here is the code of example.com that I saved to my computer desktop as index.html:

<channel>
  <title>Comments on: Voor uw organisatie</title>
  <atom:link href="https://example.com/feed/" rel="self" type="application/rss+xml" />
  <link>https://example.com</link>
  <description>PIM: Wie weet wat van mij?</description>
  <lastBuildDate>Mon, 17 Sep 2018 13:22:52 +0000</lastBuildDate>
  <sy:updatePeriod>hourly</sy:updatePeriod>
  <sy:updateFrequency>1</sy:updateFrequency>
  <generator>https://wordpress.org/?v=4.9.3</generator>
</channel>

I opened that file in a text editor and changed

<generator>https://wordpress.org/?v=4.9.3</generator> 

to

<generator>"><img src="x" onerror="alert(document.cookie)"></generator> 

When I opened the modified HTML file in Firefox, I got an alert box with cookies. I know it is XSS, because I am getting that XSS alert in my browser.

My question is: why is this happening? Because I didn't inject this code in a parameter. So how can a developer fix this or sanitize this code?

Is there any impact of this?

Given a website run by Alice and visited by Bob, an XSS attack would occur when Mallory (an attacker) caused JavaScript to run in Alice's browser on Bob's website.

Alice editing an HTML document on her computer (even one copied from another website) so it runs JavaScript, and then loading that HTML document in her browser is not performing an XSS attack. She is just running JavaScript on a system she has complete control over.

This isn't XSS, this is broken HTML. The alert is a false positive.
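For contrast with the local edit discussed above, this added example (not part of the original question or answer) shows the case where the same string would matter: a hypothetical server-side builder that writes an untrusted value into the `<generator>` element. The function names and the simplified channel template are assumptions made for illustration.

```javascript
// Added example; escapeXml, buildChannelUnsafe, buildChannelSafe and
// elementNames are hypothetical names, not code from the site in question.

// Constructed input: the string from the question, imagined as arriving from
// an untrusted source (e.g. a stored setting) instead of a local file edit.
const PAYLOAD = '"><img src="x" onerror="alert(document.cookie)">';

// Escape the five characters that are significant in XML/HTML markup.
function escapeXml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the value is concatenated into the markup as-is, so any tags
// it contains become part of the document every visitor receives.
function buildChannelUnsafe(generator) {
  return `<channel><title>Comments</title><generator>${generator}</generator></channel>`;
}

// Corrected form: the value is escaped at output time and stays text.
function buildChannelSafe(generator) {
  return `<channel><title>Comments</title><generator>${escapeXml(generator)}</generator></channel>`;
}

// List the element names a parser would see as opening tags. Comparing this
// list with the template's own elements shows whether data turned into markup.
function elementNames(markup) {
  return [...markup.matchAll(/<([A-Za-z][\w:-]*)/g)].map((m) => m[1]);
}

console.log(elementNames(buildChannelUnsafe(PAYLOAD))); // extra "img" element
console.log(elementNames(buildChannelSafe(PAYLOAD)));   // template elements only
console.log(buildChannelSafe(PAYLOAD));
```

The escaping step only becomes relevant when someone other than the viewer can influence the value; a file edited and opened on one's own machine never passes through it.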
