发表新帖
发表新帖

XSS attacks and style attributes

后端 未结
关注
4 1369
借酒劲吻你
借酒劲吻你 2020-12-03 00:53

There are known Style Attribute XSS attacks like:

Or
4条回答
  • 余生分开走
    余生分开走 (楼主)
    2020-12-03 01:43

    Yes, you can use XSS attacks with Style attributes .

    These styles were injected as we didn't have them declared in our tags in a particular jsp page but got through when audited by our security group:

    I'm thinking of using an HTTP filter to stop it here, but I'm still looking into it.

    We also didn't have our hidden input fields proteccted either and this got through as well:

    With a tool like Burpsuite, you can modify requests on the fly to inject XSS into tags like this. However, with the ESAPI API's from OWASP, you can add protection. We weren't using JSTL tags as it was old legacy code, so that was the best short term solution.

    For the hidden input I used;

    You can also use XSS with the js onload event in an img tag:

    0 讨论(0)
 看不清?
提交回复
热议问题