javascript 跨站脚本注入
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/15135678/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Cross Site Scripting injection
提问by IBK
I am testing a web application. I want to write an XSSscript that will display an alert "Hello".
我正在测试一个 Web 应用程序。我想编写一个XSS显示警报的脚本"Hello"。
The first script I wrote was:
我写的第一个脚本是:
<script >alert("Hello");</script >
But did not display the alert "Hello". I discovered that the XSSscript that works is
但没有显示警报"Hello"。我发现有效的XSS脚本是
<SCRIPT >alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT >
I would like to know why the first script didn't work.
我想知道为什么第一个脚本不起作用。
回答by ThiefMaster
Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript.
When using String.fromCharCode(...)you don't have to use any quotation marks so it'll work. It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime. So there's no need for any quoting.
最有可能的是,该站点用 HTML 实体替换双引号,或者试图以某种其他方式对它们进行转义,使它们不适合 JavaScript。使用时,String.fromCharCode(...)您不必使用任何引号,因此它会起作用。它获取字符串字符的 ASCII 代码列表,并在运行时从中创建一个字符串。所以不需要任何引用。
The proper way to avoid this kind of XSS is to replace <with <- that way a script tag cannot be created at all.
避免这种 XSS 的正确方法是替换<为<- 这样根本无法创建脚本标签。
Note that >, "and &should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only <is absolutely required to defeat XSS attacks assuming no untrusted data can be used in HTML attributes (that's where "needs to be sanitized)
请注意,在清理包含 HTML 的数据时>,"和&也应替换为各自的 HTML 实体!但是,<假设没有不受信任的数据可以在 HTML 属性中使用(这是"需要清理的地方),则绝对需要击败 XSS 攻击
