问题
I want to create a XSS vulnerable web page which execute script entered in input box. Here I have written this code but whenever I enter script nothing happens.
<html>
<head>
</head>
<body>
<script type="text/javascript">
function changeThis(){
var formInput = document.getElementById('theInput').value;
document.getElementById('newText').innerHTML = formInput;
localStorage.setItem("name","Hello world!!!");
}
</script>
<p>You wrote: <span id='newText'></span> </p>
<input type='text' id='theInput' value='Write here' />
<input type='button' onclick='changeThis()' value='See what you wrote'/>
</body>
</html>
Please help. How should I modify the code?
Update: I was trying to do reflected XSS. According to me if I enter a script in input It should execute. This will happen only when I am not checking that user has entered a valid input or not and taking actions not to execute script.
Here is a web page www.insecurelabs.org/task/Rule1 which is XSS vulnerable when ever I type a script like: <script> alert("hell"); </script> in input field script executes.
I want to know what is the main difference between that and what I am doing?
回答1:
If you use innerHTML to inject a script tag... the script won't run!
What you could do instead is inject an image with an onload event handler:
<img src="someImage.gif" onload="alert('hacked!')" />
[Update] About your last question: the main difference is that you are using innerHTML, while the insecurelabs page is using jQuery.html(). The jQuery approach will run the script.
Live demo: http://jsfiddle.net/wqqWt/
回答2:
Just eval the code:
function changeThis(){
var formInput = document.getElementById('theInput').value;
eval(formInput);
}
来源:https://stackoverflow.com/questions/15841964/creation-of-xss-vulnerable-web-page