gpt4 book ai didi

javascript - 如何在脚本标签内使用 html 编码的 xss 攻击向量触发 xss?

转载 作者:行者123 更新时间:2023-12-04 09:19:15 25 4
gpt4 key购买 nike

我正在阅读 OWASP XSS 预防备忘单,并陷入了一些理解:

Why Can't I Just HTML Entity Encode Untrusted Data


HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a <div> tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the encode syntax for the part of the HTML document you're putting untrusted data into. That's what the rules below are all about.


我无法创建有效的 POC,html 编码的 xss 攻击向量如何在 <script> 中触发 xss标签
帮助我理解这一点。

最佳答案

HTML编码是指替换<&lt; , >&gt; , 和 &&amp; (在其他替代品中)。该段落的意思是,这确实会阻止普通标签内的 XSS,例如,如果您尝试注入(inject) <script>alert(1)</script>变成 p标签,你会得到:

<p>&gt;script&lt;alert(1)&gt;/script&lt;</p>
这没有任何作用。但是,如果 XSS 向量进入 脚本 标记而不是 p 标记,那么您只需输入 alert(1)结果是:
<script>alert(1)</script>
这会导致 XSS。

关于javascript - 如何在脚本标签内使用 html 编码的 xss 攻击向量触发 xss?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63122679/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com