I am testing a web application. I want to write an XSS script that will display an alert "Hello".
The first script I wrote was:
<script>alert("Hello");</script>
But it did not display the alert "Hello". I discovered that the XSS script that works is
<SCRIPT>alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT>
I would like to know why the first script didn't work.
Most likely that site replaces double quotes with HTML entities or tries to escape them in some other way that makes them unsuitable for JavaScript.
When using String.fromCharCode(...) you don't have to use any quotation marks, so it'll work. It gets a list of the ASCII codes of the string's characters and creates a string out of them during runtime. So there's no need for any quoting.
The proper way to avoid this kind of XSS is to replace < with &lt; - that way a script tag cannot be created at all.
Note that >, " and & should also be replaced with their respective HTML entities when sanitizing data containing HTML! However, only < is absolutely required to defeat XSS attacks, assuming no untrusted data can be used in HTML attributes (that's where " needs to be sanitized).
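An added example, not code from the question or the answer above: it places the quote-only filter the answer suspects the site applies side by side with full HTML entity escaping, and runs both over the two payloads from the question. The function names (escapeHtml, quoteOnlyFilter, containsScriptTag, compareFilters) and the exact behaviour of the weak filter are assumptions made for the illustration.

```javascript
// Added example, not code from the original question or answer.
// Compares a quote-only filter (the behaviour the answer guesses the tested
// site has) with full HTML entity escaping for untrusted text in an HTML body.

// Characters that must become entities in an HTML text or attribute context.
const ENTITY_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Full escaping in a single pass, so '&' is never double-encoded.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Assumed weak filter: only double quotes are turned into entities.
function quoteOnlyFilter(untrusted) {
  return String(untrusted).replace(/"/g, '&quot;');
}

// Does the filtered output still contain an opening <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the two payloads quoted in the question.
const QUOTED_PAYLOAD = '<script>alert("Hello");</script>';
const UNQUOTED_PAYLOAD =
  '<SCRIPT>alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT>';

// Runs both filters over both payloads; true means a <script> tag survived.
function compareFilters() {
  const filters = { quoteOnly: quoteOnlyFilter, fullEscape: escapeHtml };
  const payloads = { quoted: QUOTED_PAYLOAD, unquoted: UNQUOTED_PAYLOAD };
  const report = {};
  for (const [filterName, filter] of Object.entries(filters)) {
    report[filterName] = {};
    for (const [payloadName, payload] of Object.entries(payloads)) {
      report[filterName][payloadName] = containsScriptTag(filter(payload));
    }
  }
  return report;
}

// quoteOnly leaves the tag in both cases: the quoted payload merely becomes a
// JavaScript syntax error (alert(&quot;Hello&quot;)), which is why no alert
// appeared, while the unquoted one passes through untouched. fullEscape turns
// every '<' into '&lt;', so no tag can be formed from either input.
console.log(JSON.stringify(compareFilters(), null, 2));
```

The single-pass regex matters: escaping `&` in a separate later step would re-encode the `&` of the entities produced earlier, and escaping it in a separate earlier step is the only safe ordering if you must do it in several passes.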