谁能解释这些XSS测试字符串？ [英] Could anyone explain these XSS test strings?

问题描述

最近我找到了关于XSS和Web应用程序安全性的本教程 - > https://www.owasp.org/ index.php / XSS_Filter_Evasion_Cheat_Sheet＃XSS_Locator

在开始时，要注入一些字符串以测试站点是否容易受到xss攻击。这些字符串是：

 '; alert（String.fromCharCode（88,83,83））//'; alert（String .fromCharCode（88,83,83））//; 
 alert（String.fromCharCode（88,83,83））//; alert（String.fromCharCode（88,83,83））// -  
>< / SCRIPT>>'>< SCRIPT> alert（String.fromCharCode（88,83,83））< / SCRIPT> 
  

和

 '';！ -  - < XSS> =& {（）} 
  

我知道XSS的基本概念，但在这里我无法理解为什么在第一个字符串中重复'alert（String.fromCharCode（88,83,83））'以及为什么那些 //'; // // - > 需要注释（在搜索xss错误时以这种方式使用它们意味着什么？）。
并在第二个字符串中& {（）}序列的目的是什么？

任何人都可以通过具体示例来解释这两个字符串应该如何工作为了检索Web应用程序中的xss错误？在我链接的网站上的原因没有给出解释...

解决方案

这看起来好像正在尝试几次不同的注射，所以我'我会尝试一次打破一个：

第一次注射

 '; alert（String.fromCharCode（88,83,83））// 
  

这注入尝试终止JavaScript字符串文字（使用'），然后终止语句（使用; ）并制作一个调用 alert（String.fromCharCode（88,83,83））这将导致弹出框包含XSS。以下 // 是尝试注释掉语句的其余部分，因此不会发生语法错误并且脚本将执行。

第二次注射

 ; alert（String.fromCharCode（88,83,83） ））// 
  

像第一次注射一样，但它使用试图终止JavaScript字符串文字。

第三次注入

   - >< / SCRIPT>>'>< SCRIPT> alert（String.fromCharCode（88,83,83））< / SCRIPT> 
  

这会尝试执行以下操作：

1. 终止HTML（或XML）评论（ - > ）


2. 终止现有< SCRIPT> 标签使用< / SCRIPT>
   
   
   
   • 这样做是为了防止注入的脚本导致语法错误，这将阻止注入的脚本执行。
   
   


3. 终止HTML属性和标记，使用>


4. 终止HTML属性和标记，使用'>


5. 使用< SCRIPT> alert（String.fromCharCode）注入JavaScript （88,83,83））< / SCRIPT>

第四次注射

 '';！ - < XSS> =& {（）} 
  

这是一个常用字符串，用于测试用户输入上使用的过滤器和/或编码（如果有）。通常，此注入后页面的来源将包含& lt; XSS 或< XSS 。如果找到第二个，则应用程序很可能不会过滤用户输入（因为它允许添加任意标记）并且可能容易受到XSS的攻击。<​​/ p>

---

回答更直接的问题：

为什么重复'alert（String.fromCharCode（ 88,83,83））'

这是一个常见的概念证明功能，会导致弹出框出现包含XSS。如果发生这种情况，则执行注入的JavaScript。

为什么会重复'alert（String.fromCharCode（88,83,83）） ）'在第一个字符串中为什么这些//'; //; // - >

这些用于防止语法错误，这可能导致注入的JavaScript无法执行。

recently I found this tutorial about XSS and web application security -> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator

At the start there are some strings to inject in order to test that a site is vulnerable to xss or not. These strings are:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> 

and

'';!--"<XSS>=&{()}

I know the basic concepts of XSS, but here I can't understand why there's that repetition of 'alert(String.fromCharCode(88,83,83))' in the first string and why those //'; //"; //--> comments are needed for (do they mean something special when used in such a way whilesearching for xss bugs?). And in the second string, what is the purpose of the &{()} sequence?

Could anyone exlain me with concrete examples how this two strings should work in order to retrieve an xss bug inside a web app? Cause on the site I linked no explanation is given...

解决方案

This looks like it's trying several different injections, so I'll try and break them down one at a time:

The First Injection

';alert(String.fromCharCode(88,83,83))//

This injection attempts to terminate a JavaScript string literal (using '), then terminate the statement (with ;) and makes a call to alert(String.fromCharCode(88,83,83)) which will cause a popup box containing "XSS". The following // is an attempt to "comment out" the rest of the statement, so that a syntax error will not occur and the script will execute.

The Second Injection

";alert(String.fromCharCode(88,83,83))//

Like the first injection, but it uses " in an attempt to terminate a JavaScript string literal.

The Third Injection

--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

This attempts to do the following things:

1. Terminate an HTML (or XML) comment (with -->)
2. Terminate an existing <SCRIPT> tag using </SCRIPT>
   • This is done to prevent the injected script causing a syntax error, which would prevent the injected script from executing.
3. Terminate an HTML attribute and tag, using ">
4. Terminate an HTML attribute and tag, using '>
5. Inject JavaScript using <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

The Fourth Injection

'';!--"<XSS>=&{()}

This is a common string used to test what, if any, filters and/or encoding are being used on user input. Typically, the source of the page after this injection will contain either <XSS or <XSS. If the second is found, the application is most likely not filtering user input (as it allowed the addition of an arbitrary tag) and is likely vulnerable to XSS.

---

To answer your more direct questions:

why there's that repetition of 'alert(String.fromCharCode(88,83,83))'

This is a common "Proof of Concept" function, that will cause a popup box to appear containing "XSS". If this occurs, the injected JavaScript was executed.

why there's that repetition of 'alert(String.fromCharCode(88,83,83))' in the first string and why those //'; //"; //-->

These are used to prevent syntax errors, which can cause the injected JavaScript to fail to execute.

这篇关于谁能解释这些XSS测试字符串？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！