跨站脚本注入 [英] Cross Site Scripting injection
问题描述
我正在测试一个网络应用程序.我想编写一个 XSS 脚本来显示警报 "Hello".
我写的第一个脚本是:
<script >alert("Hello");</script >但是没有显示警报"Hello".我发现有效的 XSS 脚本是
<SCRIPT >alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT >我想知道为什么第一个脚本不起作用.
该站点很可能用 HTML 实体替换了双引号,或者试图以某种其他方式对它们进行转义,使它们不适用于 JavaScript.使用 String.fromCharCode(...) 时,您不必使用任何引号,因此它会起作用.它获取字符串字符的 ASCII 代码列表,并在运行时从中创建一个字符串.所以不需要任何引用.
避免这种 XSS 的正确方法是将 < 替换为 < - 这样就无法创建脚本标签.>
请注意,在清理包含 HTML 的数据时,>、" 和 & 也应替换为各自的 HTML 实体!但是,假设在 HTML 属性中不能使用不受信任的数据(这就是 " 需要清理的地方)
I am testing a web application. I want to write an XSS script that will display an alert "Hello".
The first script I wrote was:
<script >alert("Hello");</script >
But did not display the alert "Hello". I discovered that the XSS script that works is
<SCRIPT >alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT >
I would like to know why the first script didn't work.
Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript.
When using String.fromCharCode(...) you don't have to use any quotation marks so it'll work. It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime. So there's no need for any quoting.
The proper way to avoid this kind of XSS is to replace < with < - that way a script tag cannot be created at all.
Note that >, " and & should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only < is absolutely required to defeat XSS attacks assuming no untrusted data can be used in HTML attributes (that's where " needs to be sanitized)
这篇关于跨站脚本注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
