什么使得输入易受XSS影响? [英] What makes an input vulnerable to XSS?
问题描述
我一直在阅读关于XSS的内容,并且用一个文本和提交输入做了一个简单的表单,但是当我执行< script> alert();< / script>
就可以了,没有任何反应,服务器获取该字符串,就这些了。
我必须做些什么才能让它变得脆弱? (然后我会学习我不应该做的嘿嘿)
干杯。
事实上,只要让服务器输出它就可以将输入字符串有效地嵌入到HTML源代码中,然后返回给客户端。
PHP示例: / p> <!doctype html>
< html lang =en>
< head>< title> XSS test< / title>< / head>
< body>
< form>< input type =textname =xss>< input type =submit>< / form>
< p>结果:<?= $ _GET ['xss']?>< / p>
< / body>
< / html>
JSP示例:
<!doctype html>
< html lang =en>
< head>< title> XSS test< / title>< / head>
< body>
< form>< input type =textname =xss>< input type =submit>< / form>
< p>结果:$ {param.xss}< / p>
< / body>
< / html>
或者,您可以重新显示输入元素中的值,这也经常出现:
< input type =textname =xssvalue =<?= $ _GET ['xss']?> > b
$ b code>< input type =textname =xssvalue =$ {param.xss}>
这种奇怪的攻击字符串像/>< script> ; alert('xss')< / script>< br class =
会起作用,因为服务器会将其渲染为
< input type =textname =xssvalue =/>< script> alert('xss')< / script>< br class = >
XSS预防解决方案等等 htmlspecialchars()
和 fn:escapeXml()
PHP和JSP分别。这些将取代<
,>
和 by
& lt;
,& gt;
和& quot; code>,以便最终用户输入不会直接嵌入到HTML源代码中,而只会在输入时显示。
I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script>
on it, nothing happens, the server gets that string and that's all.
What do I have to do for make it vulnerable?? (then I'll learn what I shouldn't do hehe)
Cheers.
Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.
PHP example:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: <?= $_GET['xss'] ?></p>
</body>
</html>
JSP example:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: ${param.xss}</p>
</body>
</html>
Alternatively you can redisplay the value in the input elements, that's also often seen:
<input type="text" name="xss" value="<?= $_GET['xss'] ?>">
resp.
<input type="text" name="xss" value="${param.xss}">
This way "weird" attack strings like "/><script>alert('xss')</script><br class="
will work because the server will render it after all as
<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">
XSS-prevention solutions are among others htmlspecialchars()
and fn:escapeXml()
for PHP and JSP respectively. Those will replace among others <
, >
and "
by <
, >
and "
so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.
这篇关于什么使得输入易受XSS影响?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!