Input form to demonstrate XSS
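I want to demonstrate XSS locally with HTML and JavaScript, using an input form. The problem is that after passing the parameter via the URL and reading it in the JavaScript code, it doesn't execute. I know it doesn't execute because I'm not reloading the DOM.
How can I do this?
Currently my code looks like this: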
<!DOCTYPE html>
<html>
  <head>
    <title>XSS</title>
    <script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
  </head>
  <body>
    <form method="GET" action="test.html">
      <input type="text" name="search" id="search">
      <input type="submit" value="Senden">
    </form>
  </body>
</html>

<!doctype html>
<html>
  <head>
    <script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
  </head>
  <body>
    <input type="text" name="search" id="search">
    <a href="start.html">Start</a>
  </body>
  <script>
    function getParameterByName(name) {
      // Escape [ and ] so the name can be used inside the RegExp
      name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
      var regex = new RegExp("[\\?&]" + name + "=([^&#]*)"),
          results = regex.exec(location.search);
      return results === null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
    }
    var x = getParameterByName('search');
    // .val() only sets the field's value; nothing is parsed as HTML
    $('input[type="text"]').val(x);
  </script>
</html>
Thanks in advance.

To demonstrate the XSS vulnerability, you need to evaluate the string coming from the URL instead of setting it as the input's value.
Try testing with <script>alert('test')</script>
<!doctype html>
<html>
  <head>
    <script type="text/javascript" src="https://code.jquery.com/jquery-latest.min.js"></script>
  </head>
  <body>
    <input type="text" name="search" id="search">
    <a href="start.html">Start</a>
    <script>
      function getParameterByName(name) {
        // Escape [ and ] so the name can be used inside the RegExp
        name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
        var regex = new RegExp("[\\?&]" + name + "=([^&#]*)"),
            results = regex.exec(location.search);
        return results === null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
      }
      $(function(){
        var x = getParameterByName('search');
        // .after() parses the string as HTML, so markup in the parameter ends up in the page
        $('input[type="text"]').after(x);//or eval(x);
      });
    </script>
  </body>
</html>
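
The difference between the two sinks in the question and the answer, with the hardened form beside them, as an added example that is not part of the original question or answer. The names `getParam`, `escapeHtml`, `renderUnsafe`, `renderSafe`, `demo` and `SAMPLE_QUERY` are hypothetical, and the sample query string is constructed from the test string in the answer.

```javascript
// Added example: reads the `search` parameter as the page does, then contrasts
// an HTML-parsing sink with text-only handling. All names here are hypothetical.

// Same job as getParameterByName() on the page, using the built-in parser.
function getParam(query, name) {
  const value = new URLSearchParams(query).get(name);
  return value === null ? "" : value;
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// What .after(x) effectively does: the parameter value becomes markup.
function renderUnsafe(value) {
  return '<input type="text" id="search">' + value;
}

// Hardened: the value is encoded before it reaches any HTML sink.
function renderSafe(value) {
  const v = escapeHtml(value);
  return '<input type="text" id="search" value="' + v + '"><span>' + v + "</span>";
}

// Constructed sample query string, built from the test string in the answer.
const SAMPLE_QUERY = "?search=%3Cscript%3Ealert('test')%3C%2Fscript%3E";

function demo(query) {
  const x = getParam(query, "search");
  return { value: x, unsafe: renderUnsafe(x), safe: renderSafe(x) };
}

// In a browser, the DOM equivalents of renderSafe() are the text-only APIs.
if (typeof document !== "undefined") {
  const x = getParam(location.search, "search");
  const input = document.getElementById("search");
  if (input) {
    input.value = x;            // property assignment, never parsed as HTML
    const echo = document.createElement("span");
    echo.textContent = x;       // inserted as a text node, not as markup
    input.after(echo);
  }
}
```

With jQuery, the text-only counterpart of `.after(x)` is `$('<span>').text(x).insertAfter('#search')`.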