发表新帖
发表新帖

Execute JavaScript for XSS without script tags

后端 未结
关注
3 1811
时光取名叫无心
时光取名叫无心 2021-02-08 22:17

I am learning about XSS (for ethical purposes), and I was wondering how to execute some JavaScript code without using

相关标签:
3条回答
  • 别那么骄傲
    2021-02-08 22:22

    You can use the onclick attribute that is presented in HTML elements so you can create something like this:

    "The search term" <p> <a href="" onclick="alert('I excuted JavaScript!');">Click me to see the JavaScript work!</a> </p> "returned no results"

    Now when clicking on the element the JavaScript will be executed.

    0 讨论(0)
  • 别跟我提以往
    2021-02-08 22:27
    1. Try putting in different types of strings with special characters and look if any of these get encoded or outputed. (I personaly use '';!--"<XSS>=&{()})
    2. Now you have three options:
      1. Inside a HTML Tag: The <> won't matter, because you are already inside a HTML Tag. You can look if this Tag supports Events and use some kind of onload=alert(1) or other event. If <> is allowed, you can break out and create your own tag '><img src=0 onerror=alert(1)>
      2. Outside of HTML Tag: the <> are important. With these you can open a new Tag and the whole world is below your feet (or so...)
      3. Inside Javascript: Well...if you can break out of a string with '", then you can basically write ';alert(1)
    3. Craft your XSS accordingly to your encoded characters and the surrounding of where the string get's outputed

    <XSS> disappears entirely: the application uses some kind of strip_tags . If you are outside of a HTML Tag and no HTML Tags are whitelisted, I unfortunatly don't know any method to achieve an XSS.

    Crafting your own payload

    There are various methods to achieve this and too much to name them all. Look on these two sites, which have a lot of the methods and concept to construct your own. It comes down to: What the page allows to go through.

    1. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_Locator_.28short.29
    2. https://html5sec.org/
    0 讨论(0)
  • 甜味超标
    2021-02-08 22:33

    Another one was mentioned at: https://stackoverflow.com/a/53430230/895245

    <a href="javascript:alert(1)">asdf</a>

    Works on Chromium 81.

    More important perhaps is the question of how to sanitize against it, see e.g.:

    • How to prevent XSS with HTML/PHP?
    • How to sanitize HTML code in Java to prevent XSS attacks?
    • Is using jquery parseHTML to remove script tags enough to prevent XSS attacks?
    0 讨论(0)
 看不清?
提交回复
热议问题