Is it possible to make XSS attacks through html comments with JSP code inside?


Question

Is it true that the following code adds an XSS vulnerability to some JSP page?

<!--    <%=paramName%>=<%=request.getParameter(paramName)%><BR>  -->

It looks like a "leftover debug" and definitely should be removed from the code, but how dangerous is it?

Recommended answer

Yes, what you are looking at is a reflective XSS attack. This is dangerous because it allows an attacker to hijack an authenticated session. If you have this code running on your system, an attacker will be able to access other people's accounts without needing to know their username/password.

XSS vulnerabilities can also be used to bypass CSRF protection. This is because XSS allows the attacker to read the value of a CSRF token using XmlHTTPRequest. XSS can also be used to fool referer checks.

Here is a simple way to manually test for XSS; here I am breaking out of the HTML comment to execute JavaScript.

http://localhost/xss_vuln.jsp?paramName='--><script>alert(document.cookie)</script><!--' 

This is a free XSS scanner; you should test all applications that you write.
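
The comment breakout described in the answer, shown next to the same line with its output HTML-encoded. This is an added example, not code from the original post; the class and method names are hypothetical, and `escapeHtml` is a minimal stand-in for a vetted encoder library.

```java
public class CommentXssDemo {
    // Minimal HTML entity encoder; a stand-in for a vetted encoder library.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // What the JSP line in the question sends to the browser: raw request data in a comment.
    static String renderRaw(String name, String value) {
        return "<!--    " + name + "=" + value + "<BR>  -->";
    }

    // The same line with both expressions encoded before they are written.
    static String renderEncoded(String name, String value) {
        return renderRaw(escapeHtml(name), escapeHtml(value));
    }

    // True when a comment terminator appears before the template's own closing "-->",
    // meaning request data ended the comment and the rest is parsed as live markup.
    static boolean commentClosedEarly(String html) {
        int end = html.length() - "-->".length();
        int a = html.indexOf("-->"), b = html.indexOf("--!>"); // HTML5 accepts both
        return (a >= 0 && a < end) || (b >= 0 && b < end);
    }

    public static void main(String[] args) {
        // Test value taken from the URL in the answer above.
        String value = "'--><script>alert(document.cookie)</script><!--'";
        String raw = renderRaw("paramName", value);
        String encoded = renderEncoded("paramName", value);
        System.out.println(raw + "\n  closed early: " + commentClosedEarly(raw));
        System.out.println(encoded + "\n  closed early: " + commentClosedEarly(encoded));
    }
}
```

Deleting the leftover debug line removes the sink entirely; if such a note has to stay in the page source, a JSP comment (`<%-- ... --%>`) is dropped by the JSP compiler and never reaches the browser.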
