Jus*_*les 4 html javascript asp.net xss
I have a textbox where I want to allow users the ability to type in potentially dangerous characters such as < and > (this is a mathematical expression data entry field which required me to disable ASP.NET validation on the textbox). The data is stored in a database and retrieved later for display on the page. When I display the data in the textbox, I am setting it like this:
textboxA.Text = expression; where expression comes from the database with the potentially dangerous characters.
Anyway, I tried purposely inserting something like < script>alert('hi') < /script> but I can't get this script to execute when the Text property is set (translates to value attribute in client-side HTML. The result looks like:
< input type="text" value="<script>alert('hi')< /script>">>< /input>
So what gives, is the value attribute safe from injections?
注意:示例中每个标记之前的空格仅适用于StackOverflow,因为它会从问题中删除标记.
要将此代码正确插入您的网站,您必须了解代码的工作方式.我不确定ASP.net如何声明输入字段,但只要它不自动编码特殊字符,那么我的提示应该让你插入代码.
例如,这就是输入代码的样子(这是HTML网站的输入字段),<?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>它是将代码插入HTML页面的代码的一部分(假设您将值保存到会话中并重新显示值文本框)
如果您使用URL将参数传递回表单:
http://www.website.com/index.php?username="><script>alert('hi')</script>
从
<input type="text" name="username"
value="<?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>">
然后,您要注入的代码必须如下所示:
"><script>alert('hi')</script>
请注意">此代码的开头部分.基本上它的作用是value=""通过使用"标签来结束,然后关闭输入字段>.
所以实际结果是:
<input type="text" name="username" value=""><script>alert('hi')</script>
从那里,您将能够插入JavaScript等代码.
| 归档时间: |
|
| 查看次数: |
10629 次 |
| 最近记录: |