使用故意的HTML注入创建HTML [英] Creating HTML with intentional HTML Injection
问题描述
我是一名网络安全专业的学生,试图了解一些基本的HTML注入。我已经在这段代码上工作了几天,无法理解我做错了什么。我当前拥有的代码允许注入,例如,如果将< h1> test< / h1> 放入文本框,它将显示test作为标题。但是,如果我尝试< script> alert(1)< / script> ,则实际上不会运行该脚本。我尝试将文本框的值设置为,或者想到可以通过在文本框中输入以下内容来结束该行:>< script> alert(1)< ; / script>
I am a cybersecurity student trying to understand some basic HTML injections. I have been working on this code for a few days and can't understand what I am doing wrong. The code that I have currently does allow for injection, for example if I put <h1>test</h1> into the textbox, it will display test as a header. But if I try <script>alert(1)</script> it won't actually run the script. I have tried setting the value of the text box to "" or with the thought that I could close out that line by inputting the following into the textbox: "><script>alert(1)</script>
我还试图通过在末尾添加注释来取消代码的其余部分:< script> alert(1)< / script><!-
I've also tried to cancel out the remainder of the code by adding a comment to the end like this: <script>alert(1)</script><!--
我尝试了每种组合的运气不佳,现在我实际上需要能够注入脚本,因为我正在使用CSP以及它如何影响脚本向网页中的注入。我目前没有指定csp来限制我已经尝试过其他一些事情,包括使用不同的浏览器,更改浏览器安全性以及确保在浏览器中启用JavaScript。任何帮助将不胜感激!
I've tried a number of combinations of each with no luck. Now I actually need to be able to inject a script since I'm playing around with CSP and how that affects injection of scripts into the webpage. I currently DO NOT have a csp specified that would restrict the JavaScript from running. Some other things I've tried include using different browsers, changing browser security, and ensuring that JavaScript is enabled in the browser. Any help would be greatly appreciated!!
<html>
<script language='JavaScript'>
function getwords(){
textbox = document.getElementById('words');
label = document.getElementById('label');
label.innerHTML = textbox.value;
}
</script>
<body>
<input type="text" id="words">
<input type="button" onclick="getwords()" id="Button" value="Enter" />
<label id="label">
</label>
</body>
</html>
推荐答案
这是因为< script> ; 在页面加载时运行,并且,当标签的内容更改时,脚本已经运行。
That's because <script>s run at page load, and, when the label's content change, the scripts have ran already.
但是,如果您将< script> 标记注入到另一个页面(通过后端(XSS表示 Cross-Site 脚本)),它确实可以工作。
However, if you inject <script> tags to a different page (through the backend (XSS means Cross-Site Scripting)), it does work.
或者,使其在以下情况下可以正常工作:将内容插入之后页面加载(例如您的情况),您可以使用JS事件(例如 onclick )运行代码:
Alternatively, to make it work in a scenario, where the content injected after page load (like your case), you can use JS events (like onclick) to run your code:
<div onclick="alert(1)">Click me!</div>
或者,要在没有用户交互的情况下执行它,可以使用< iframe> 的 onload 事件:
Or, to execute it without user interaction, you could use an <iframe>'s onload event:
<iframe onload="alert(1)" style="display:none"></iframe>
这篇关于使用故意的HTML注入创建HTML的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
