What makes an input vulnerable to XSS?

2020-02-01 02:06发布

站内问答 / JavaScript
1995 5 5

I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that's all.

What do I have to do for make it vulnerable?? (then I'll learn what I shouldn't do hehe)

Cheers.

5条回答
forever°为你锁心
2楼-- · 2020-02-01 02:33

Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.

PHP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: <?= $_GET['xss'] ?></p>
    </body>
</html>

JSP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: ${param.xss}</p>
    </body>
</html>

Alternatively you can redisplay the value in the input elements, that's also often seen:

<input type="text" name="xss" value="<?= $_GET['xss'] ?>">

resp.

<input type="text" name="xss" value="${param.xss}">

This way "weird" attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as 

<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">

XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by &lt;, &gt; and &quot; so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.

查看更多
0人赞 添加讨论(0) 举报
戒情不戒烟
3楼-- · 2020-02-01 02:36

Have the server output the input back to the client.

查看更多
0人赞 添加讨论(0) 举报
爷、活的狠高调
4楼-- · 2020-02-01 02:47

Google made a really awesome tutorial that covers XSS and other security vulnerabilities here. It can help you understand how these issues are exploited in real applications.

查看更多
0人赞 添加讨论(0) 举报
放荡不羁爱自由
5楼-- · 2020-02-01 02:49

You should "inject" the script. So if you have a text-input, you should put in the form:

" /> <script>alert();</script>

This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.

查看更多
0人赞 添加讨论(0) 举报
Explosion°爆炸
6楼-- · 2020-02-01 02:53

Three simple things:

  1. If you're not outputting untrusted data to the page at some point there is no opportunity for XSS
  2. All your untusted data (forms, querystrings, headers, etc) should be validated against a whitelist to ensure it's within an acceptable range
  3. All your output to the screen should be endcoded with an appropriate library (ie Anti-XSS for .NET) onto the appropriate language (HTML, CSS, JS, etc).

More info with examples in OWASP Top 10 for .NET developers part 2: Cross-Site Scripting (XSS).

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)