1

I'm trying to test for vulnerabilities in my website. There is a textbox in which I enter the value as follows:

Dummy" /><script>document.alert('XSS Vulnerable');</script><input title="DummyAgain

so that the HTML formed after submitting the form would be

<input name="customerName" size="16" value="Dummy" /><script>document.alert('XSS Vulnerable');</script><input title="DummyAgain" type="text">

But even though, the HTML formed is correct, the javascript does not execute and inspecting the element in firefox/chrome shows the value of the textbox to be exactly the same as I entered!

What am I doing wrong?

4

3 回答 3

2

如果你运行这个:

document.alert('XSS Vulnerable');

...您收到此错误消息:

TypeError:document.alert 不是函数

发生这种情况是因为alert()window对象的方法,而不是document对象。

您也可以省略该对象,它将默认为window

alert('XSS Vulnerable');

更新:重现代码:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title></title>
</head>
<body>

<input name="customerName" size="16" value="Dummy" /><script>window.alert('XSS Vulnerable');</script><input title="DummyAgain" type="text">

</body>
</html>
于 2012-12-21T10:06:13.603 回答
1

为了使该代码能够导致 XSS 问题,"无法替换&quot;为您的示例输出中的代码。

于 2012-12-21T09:41:45.723 回答
0

好的,伙计们..我只是在检查 Firefox 和 Chrome 中的 Inspect 元素功能,假设这个和查看源是相同的......当我查看源时,我看到的值为Dummy&quot; /&gt;&lt;script&gt;alert(&#39;XSS Vulnerable&#39;);&lt;/script&gt;&lt;input type=&quot;text.

抱歉没查源就打扰各位了!谢谢@昆汀...

于 2012-12-21T10:46:02.397 回答