I want to create an XSS-vulnerable web page which executes a script entered in an input box. Here I have written this code, but whenever I enter a script nothing happens.
<html>
<head>
</head>
<body>
<script type="text/javascript">
function changeThis(){
    // Read whatever the user typed into the text box
    var formInput = document.getElementById('theInput').value;
    // Write it back into the page as HTML (unsanitized)
    document.getElementById('newText').innerHTML = formInput;
    localStorage.setItem("name","Hello world!!!");
}
</script>
<p>You wrote: <span id='newText'></span> </p>
<input type='text' id='theInput' value='Write here' />
<input type='button' onclick='changeThis()' value='See what you wrote'/>
</body>
</html>
Please help. How should I modify the code?
Update: I was trying to do reflected XSS. According to me, if I enter a script in the input it should execute. This will happen only when I am not checking whether the user has entered valid input and am not taking actions to stop the script from executing.
Here is a web page, www.insecurelabs.org/task/Rule1, which is XSS vulnerable: whenever I type a script like <script> alert("hell"); </script> in the input field, the script executes.
I want to know: what is the main difference between that and what I am doing?
A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim's browser. XSS attacks are possible in VBScript, ActiveX, Flash, and even CSS.
To carry out a cross site scripting attack, an attacker injects a malicious script into user-provided input. Attackers can also carry out an attack by modifying a request. If the web app is vulnerable to XSS attacks, the user-supplied input executes as code.
XSS enables an attacker to execute malicious scripts in another user's browser. However, instead of attacking the victim directly, the attacker exploits a vulnerability in a website the victim visits and gets the website to deliver the malicious script.
Cross-site scripting (XSS) is a security exploit which allows an attacker to inject malicious client-side code into a website. This code is executed by the victims and lets the attackers bypass access controls and impersonate users.
If you use innerHTML to inject a script tag... the script won't run!
What you could do instead is inject an image with an onload event handler:
<img src="someImage.gif" onload="alert('hacked!')" />
[Update] About your last question: the main difference is that you are using innerHTML, while the insecurelabs page is using jQuery.html(). The jQuery approach will run the script.
Live demo: http://jsfiddle.net/wqqWt/
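For completeness, here is the defender's counterpart to the answer above: the same changeThis() page, but written so that whatever the user types is shown literally instead of being parsed as markup. This is an added example, not code from the question or either answer; the helper names escapeHtml, renderUserText and safeChangeThis are my own, and the sample inputs are constructed for the offline check.

```javascript
// Added example (not from the original page): the safe way to show user input.
// Assigning untrusted text to innerHTML lets the browser parse it as markup,
// so an <img onload=...> or similar event-handler attribute would run.
// Writing it with textContent never parses it, so nothing executes.

// Escape the five characters that let input break out of an HTML text or
// attribute context. Use this only when input really must be concatenated
// into an HTML string (e.g. a server-side template); it makes markup inert.
function escapeHtml(input) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Preferred in the browser: write the value with textContent, which is never
// parsed as HTML. `target` is any DOM element (or, for testing, a plain object).
function renderUserText(target, input) {
  target.textContent = String(input);
  return target.textContent;
}

// Drop-in replacement for the page's changeThis(): same behaviour for ordinary
// text, but markup typed into the box is displayed instead of interpreted.
// `doc` is the DOM document, or a fake with getElementById() for testing.
function safeChangeThis(doc) {
  const formInput = doc.getElementById('theInput').value;
  return renderUserText(doc.getElementById('newText'), formInput);
}

// Constructed sample inputs (not real traffic) showing what escaping does.
const SAMPLES = [
  'Hello world!!!',
  '<img src="x" onload="alert(1)">',
  'Tom & Jerry <3',
];

// Returns [original, escaped] pairs so the behaviour can be checked offline.
function escapeSamples() {
  return SAMPLES.map((s) => [s, escapeHtml(s)]);
}

if (typeof document === 'undefined') {
  // Running outside a browser (e.g. node): print the escaped forms.
  for (const [raw, safe] of escapeSamples()) {
    console.log(JSON.stringify(raw), '->', safe);
  }
}
```

In the page from the question, replacing the innerHTML assignment with `document.getElementById('newText').textContent = formInput;` is the whole fix; escapeHtml is only needed when the text has to travel through an HTML string before it reaches the DOM.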