Menu
I've been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that's all.
What do I have to do for make it vulnerable?? (then I'll learn what I shouldn't do hehe)
Cheers.
754
Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.
PHP example:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: <?= $_GET['xss'] ?></p>
</body>
</html>
JSP example:
<!doctype html>
<html lang="en">
<head><title>XSS test</title></head>
<body>
<form><input type="text" name="xss"><input type="submit"></form>
<p>Result: ${param.xss}</p>
</body>
</html>
Alternatively you can redisplay the value in the input elements, that's also often seen:
<input type="text" name="xss" value="<?= $_GET['xss'] ?>">
resp.
<input type="text" name="xss" value="${param.xss}">
This way "weird" attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as
<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">
XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by <, > and " so that enduser input doesn't end up to be literally embedded in HTML source but instead just got displayed as it was entered.
151
Have the server output the input back to the client.
23
You should "inject" the script. So if you have a text-input, you should put in the form:
" /> <script>alert();</script>
This way you first close the attribute of the existing HTML and then inject your own code. The idea is to escape out the quotes.
41
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
