Cross site

Question

Cross site

I am testing a web application. I want to write a XSSscript that displays a warning "Hello".

The first script I wrote was:

<script >alert("Hello");</script >

But the warning did not appear "Hello". I found that the XSSscript is working

<SCRIPT >alert(String.fromCharCode(72,101,108,108,111,33))</SCRIPT >

I would like to know why the first script did not work.

+6

javascript xss

IBK Feb 28 '13 at 12:34

source share

1 answer

ThiefMaster · Accepted Answer · 2013-02-28T12:36:16+0000

Most likely, this site replaces double quotes with HTML objects or tries to avoid them in some other way, which makes them unsuitable for JavaScript. When using, String.fromCharCode(...)you do not need to use quotation marks to make it work. It gets a list of ASCII codes for string characters and creates a string from them at runtime. Therefore, there is no need for quoting.

XSS - < < - , script .

, >, " & HTML , HTML! XSS <, , HTML ( , " )

Cross site

More articles: