xss

XSS触发语句小结

▼魔方 西西 提交于 2020-01-01 22:45:34
一、标准语句 <script>alert(/XSS/)</script> 二、尝试大小写 <sCript>alert(1)</scRipt> 三、使用<img>标签 1、windows事件 <img src="x" onerror=alert(1)> <img src="1" onerror=eval("alert('xss')")> //图片加载错误时触发 2、鼠标事件 <img src=1 onmouseover="alert(1)"> //鼠标指针移动到元素时触发 <img src=1 onmouseout="alert(1)"> //鼠标指针移出时触发 四、使用<a>标签 1、使用href属性 <a href="https://www.qq.com">qq</a> <a href=javascript:alert('xss')>test</a> <a href="javascript:a" onmouseover="alert(/xss/)">aa</a> <a href="" onclick=alert('xss')>a</a> <a href="" onclick=eval(alert('xss'))>aa</a> <a href=kycg.asp?ttt=1000 onmouseover=prompt('xss') y=2016>aa</a> 五、使用<input

Flask jsonify: how to escape characters

﹥>﹥吖頭↗ 提交于 2020-01-01 19:18:47
问题 I have just started working with the Flask web framework. I am currently writing an endpoint that returns bits of JSON that may very well contain malicious javascript. For example: @api.route("/tester") def api_jobs_tester(): return jsonify({ "name": "<script>alert(1)</script>" }) In this example, this returns: { "name": "<script>alert(1)</script>" } Ideally, however, I would like this to return: { "name": "<script>alert(1)</script>" } Of course, this is straightfoward to do on a per-value,

In ASP.NET 4.5, how should I encode a string to be used as a JavaScript variable, to prevent XSS attacks

假如想象 提交于 2020-01-01 14:26:37
问题 I know of several ways to do this, but they all have some downside. Is there an "accepted" way of doing it, that is considered the best? I used to use the Microsoft.Security.Application.AntiXss.JavaScriptEncode() which is great, but AntiXSS has been end-of-lifed because the encoder is now included in .NET as of 4.5. However, for some reason, System.Web.Security.AntiXss.AntiXssEncoder doesn't include the JavaScriptEncode method. There's System.Web.HttpUtility.JavaScriptStringEncode() , but it

OWASP ZAP reported “alert(1);” XSS vulnerability, but no popup showed up

人盡茶涼 提交于 2020-01-01 07:24:09
问题 OWASP ZAP reported “alert(1);” XSS vulnerability, but we could not get pop up in browser. Is this just a false positive? The HTML surrounding the injected attack is: <script type="text/javascript"> DataSet.FilterBuilder.QueryValuesDictionary['57_ctl00'] = ;alert(1);; </script> 来源: https://stackoverflow.com/questions/29223275/owasp-zap-reported-alert1-xss-vulnerability-but-no-popup-showed-up

XSS Me Warnings - real XSS issues?

邮差的信 提交于 2020-01-01 07:14:38
问题 I've been using the free Firefox extension XSS Me from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS me still reports warnings. Are these accurate warnings or spurious? Using the code below as a testcase: <form method="post" action=""> <input type="text" name="param" value="<?php echo htmlentities($_POST['param'])?>"> <input type="submit"> </form> <?php echo htmlentities($_POST['param'])?> I run some nasties by hand but none of them are

Escaping html in Java

时光总嘲笑我的痴心妄想 提交于 2020-01-01 04:17:12
问题 How do I make sure I don't escape something twice? I've heard that its good practice to escape values as you receive them from a form, and also escape when you output. That way you have two chances to catch something. 回答1: I presume that you're using JSP. Just escape during display only. There for the JSTL <c:out> tag is perfectly suitable. It escapes HTML entities by default. Use it to display every user-controlled input, such as request URL, request headers and request parameters. E.g.

Align the WMD editor's preview HTML with server-side HTML validation (e.g. no embedded JavaScript code)

泄露秘密 提交于 2020-01-01 03:27:10
问题 There are many Stack Overflow questions (e.g. Whitelisting, preventing XSS with WMD control in C# and WMD Markdown and server-side ) about how to do server-side scrubbing of Markdown produced by the WMD editor to ensure the HTML generated doesn't contain malicious script, like this: <img onload="alert('haha');" src="http://www.google.com/intl/en_ALL/images/srpr/logo1w.png" /> But I didn't find a good way to plug the hole on the client side too. Client validation isn't a replacement for

Securing Single-page-application from CSRF and XSS using CSP + localStorage

馋奶兔 提交于 2020-01-01 00:40:39
问题 I have a single page application, having sensitive content, and needs to be secured. This question is specific with securing against XSS and CSRF attacks. Explanation: It has been suggested many places, for example here to use cookies on top of localStorage while storing the auth-token. A very nice explanation is also provided in answer of another question here. Based on these answers, for secured contents, it is suggested to use cookies with ‘httpOnly’ and ‘secure’ options to avoid XSS; and

防XSS注入方法

雨燕双飞 提交于 2020-01-01 00:36:57
X-XSS-Protection头 HTTP X-XSS-Protection响应标头是 Internet Explorer, Chrome 和 Safari 的一项功能,可在检测到反射的跨站点脚本(XSS)攻击时阻止页面加载。 X-XSS-Protection: 0 X-XSS-Protection: 1 X-XSS-Protection: 1; mode=block 0:关闭浏览器的XSS防护 1:删除检测到的恶意代码, 如果响应报文中没有看到X-XSS-Protection 字段,那么浏览器就认为X-XSS-Protection配置为1。默认设置 1; mode=block:当检测到反射的XSS攻击时阻止加载页面 PHP用法: header("X-XSS-Protection: 1; mode=block"); Apache (.htaccess) <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" </IfModule> ASP.net Response.AppendHeader(X-XSS-Protection",1") htmlspecialchars()函数 htmlspecialchars() 函数把预定义的字符转换为 HTML 实体。 & (和号)转换 & " (双引号)转换 "

Config your IIS server to use the “Content-Security-Policy” header

六眼飞鱼酱① 提交于 2019-12-31 20:39:08
问题 I need to add custom headers in IIS for "Content-Security-Policy", "X-Content-Type-Options" and "X-XSS-Protection". I get the procedure to add these headers but i am not sure what should be the value of these keys. https://technet.microsoft.com/pl-pl/library/cc753133(v=ws.10).aspx http://content-security-policy.com/ Please suggest. Thanks 回答1: From this post, it would seem that you define your Content Security Policy (and, in turn, populate those headers) directly in your IIS configuration
订阅 xss