Creation of XSS vulnerable web page

Problem description

I want to create an XSS-vulnerable web page which executes a script entered in an input box. Here I have written this code, but whenever I enter a script nothing happens.

<html>

<head>
</head>

<body>
<script type="text/javascript">
function changeThis(){
    var formInput = document.getElementById('theInput').value;
    document.getElementById('newText').innerHTML = formInput;
    localStorage.setItem("name","Hello world!!!");
}
</script>

<p>You wrote: <span id='newText'></span> </p> 

<input type='text' id='theInput' value='Write here' />
<input type='button' onclick='changeThis()' value='See what you wrote'/>
</body>

</html>

Please help. How should I modify the code?
Update: I was trying to do reflected XSS. According to me, if I enter a script in the input, it should execute. This will happen only when I am not checking whether the user has entered valid input and taking action not to execute the script.
Here is a web page, www.insecurelabs.org/task/Rule1, which is XSS vulnerable: whenever I type a script like <script> alert("hell"); </script> in the input field, the script executes.
I want to know what the main difference is between that and what I am doing.

Recommended answer

If you use innerHTML to inject a script tag... the script won't run!

What you could do instead is inject an image with an onload event handler:

<img src="someImage.gif" onload="alert('hacked!')" />

[Update] About your last question: the main difference is that you are using innerHTML, while the insecurelabs page is using jQuery.html(). The jQuery approach will run the script.

Live demo: http://jsfiddle.net/wqqWt/
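
An added example (not part of the original question or answer): a hardened counterpart to the question's changeThis(), which writes the input with textContent and, where an HTML string is unavoidable (innerHTML or jQuery .html()), encodes it first. The function names are hypothetical; the element ids and the two sample payloads are the ones quoted on this page.

```javascript
// Added example: hardened variants of the question's changeThis().
// Element ids 'theInput' and 'newText' come from the question's page;
// the function names below are hypothetical.

// Characters that let text break out of a text node or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so an HTML parser treats it as character data only.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the "You wrote:" paragraph as markup with the input encoded, for
// code paths that must produce an HTML string (innerHTML, jQuery .html()).
function renderYouWrote(untrusted) {
  return "<p>You wrote: <span id='newText'>" + escapeHtml(untrusted) + '</span></p>';
}

// Preferred fix in the browser: never hand the input to an HTML parser.
// textContent creates a text node, so neither <script> nor onload= is parsed.
function changeThisSafe(doc) {
  const formInput = doc.getElementById('theInput').value;
  doc.getElementById('newText').textContent = formInput;
}

// Constructed sample inputs: the two payloads quoted on this page.
const SAMPLES = [
  '<script> alert("hell"); </script>',
  `<img src="someImage.gif" onload="alert('hacked!')" />`,
];

// Returns the encoded form of each sample; none keeps a raw '<' or quote.
function encodeSamples() {
  return SAMPLES.map(escapeHtml);
}

if (typeof document !== 'undefined') {
  // In a browser, replace the vulnerable handler with the safe one.
  window.changeThis = () => changeThisSafe(document);
}
```

With either variant the page displays the typed markup as literal text instead of parsing it.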
