[英]Prototype Pollution script alert doesn't work
下面是我的代码。
<html>
<head>
<script src="https://code.jquery.com/jquery-3.5.1.js"></script>
<script src="https://raw.githack.com/alrusdi/jquery-plugin-query-object/9e5871fbb531c5e246aac2aaf056b237bc7cc0a6/jquery.query-object.js"></script>
<style>
.dropbtn {
background-color: #3498DB;
color: white;
padding: 16px;
font-size: 16px;
border: none;
cursor: pointer;
}
.dropbtn:hover, .dropbtn:focus {
background-color: #2980B9;
}
.dropdown {
position: relative;
display: inline-block;
}
.dropdown-content {
display: none;
position: absolute;
background-color: #f1f1f1;
min-width: 10px;
overflow: auto;
box-shadow: 0px 8px 16px 0px rgba(0,0,0,0.2);
z-index: 1;
}
.dropdown-content a {
color: black;
padding: 12px 16px;
text-decoration: none;
display: block;
font-size: small;
}
.dropdown a:hover {background-color: #ddd;}
.show {display: block;}
</style>
</head>
<body>
<h1 id="root"></h1>
<script>
function myFunction() {
document.getElementById("myDropdown").classList.toggle("show");
}
var pages = {
home: `HOME </br>
<div class="dropdown">
<button onclick="myFunction()" class="dropbtn">home</button>
<div id="myDropdown" class="dropdown-content">
<a href = "?page=about">about</a>
<a href = "?page=contact">contact</a>
</div>
</div>`,
about: `ABOUT </br>
<div class="dropdown">
<button onclick="myFunction()" class="dropbtn">about</button>
<div id="myDropdown" class="dropdown-content">
<a href = "?page=home">home</a>
<a href = "?page=contact">contact</a>
</div>
</div>`,
contact: `CONATCT </br>
<div class="dropdown">
<button onclick="myFunction()" class="dropbtn">contact</button>
<div id="myDropdown" class="dropdown-content">
<a href = "?page=home">home</a>
<a href = "?page=about">about</a>
</div>
</div>`
};
var pl = $.query.get('page');
// var pl = new URLSearchParams(window.location.search).get("page");
if (pl == null) {
document.location.search = "?page=home"
}
if(pages[pl] != undefined){
// $('#root').html(pages[pl])
document.getElementById("root").innerHTML = pages[pl];
}else{
document.location.search = "?page=home"
}
</script>
</body>
</html>
当我尝试对上述代码进行原型污染攻击时,例如这样,
https://exaple.com?page=hol&__proto__[hol]=<img src=x onerror=alert(1)></img>
它工作得很好,并给出了一个警报弹出窗口。
但是当我使用脚本标签时,它不会给我一个警报弹出窗口,例如这样,
https://exaple.com?page=hol&__proto__[hol]=<script>alert(1)</script>
任何人都可以帮助了解发生了什么事吗? 为什么<img>
标签有效,而<script>
标签无效?
带有<script>alert(1)</script>
的版本是无害的,因为 HTML5 指定不应执行使用innerHTML
插入的<script>
标记。
请参阅关于innerHTML
的 mdn - 安全注意事项。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.