什么使得输入易受XSS影响？ [英] What makes an input vulnerable to XSS?

问题描述

我一直在阅读关于XSS的内容，并且用一个文本和提交输入做了一个简单的表单，但是当我执行< script> alert（）;< / script> 就可以了，没有任何反应，服务器获取该字符串，就这些了。

我必须做些什么才能让它变得脆弱？ （然后我会学习我不应该做的嘿嘿）

干杯。

解决方案

事实上，只要让服务器输出它就可以将输入字符串有效地嵌入到HTML源代码中，然后返回给客户端。

PHP示例： / p>

 <！doctype html> 
< html lang =en> 
< head>< title> XSS test< / title>< / head> 
< body> 
< form>< input type =textname =xss>< input type =submit>< / form> 
< p>结果：<？= $ _GET ['xss']？>< / p> 
< / body> 
< / html> 
  

JSP示例：

 <！doctype html> 
< html lang =en> 
< head>< title> XSS test< / title>< / head> 
< body> 
< form>< input type =textname =xss>< input type =submit>< / form> 
< p>结果：$ {param.xss}< / p> 
< / body> 
< / html> 
  

或者，您可以重新显示输入元素中的值，这也经常出现：

 < input type =textname =xssvalue =<？= $ _GET ['xss']？> > b 
 
 
 
 $ b 
 code>< input type =textname =xssvalue =$ {param.xss}> 
  

这种奇怪的攻击字符串像/>< script> ; alert（'xss'）< / script>< br class =会起作用，因为服务器会将其渲染为

 < input type =textname =xssvalue =/>< script> alert（'xss'）< / script>< br class =  > 
  

XSS预防解决方案等等 htmlspecialchars（） 和 fn：escapeXml（） PHP和JSP分别。这些将取代< ，> 和 by & lt; ，& gt; 和& quot; code>，以便最终用户输入不会直接嵌入到HTML源代码中，而只会在输入时显示。

I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that's all.

What do I have to do for make it vulnerable?? (then I'll learn what I shouldn't do hehe)

Cheers.

解决方案

Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.

PHP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: <?= $_GET['xss'] ?></p>
    </body>
</html>

JSP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: ${param.xss}</p>
    </body>
</html>

Alternatively you can redisplay the value in the input elements, that's also often seen:

<input type="text" name="xss" value="<?= $_GET['xss'] ?>">

resp.

<input type="text" name="xss" value="${param.xss}">

This way "weird" attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as

<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">

XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by <, > and " so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.

这篇关于什么使得输入易受XSS影响？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！