PHP reflective XSS, reflective XSS test and repair
2022-07-01 21:57:00 【Full stack programmer webmaster】
Hello everyone, we meet again; I'm your friend Quan Jun.
Reflected XSS usually appears in places such as GET parameters.
Test the search function.
Press F12 to view the page source and look for where the entered 1111 appears.
The first location is inside the title.
Try closing the title tag and then testing JS code; the pop-up succeeds.
Viewing the source shows the XSS executed.
The second location is in the search box. Here the XSS does not execute, because the input sits inside the value attribute and that attribute must be closed first.
When testing, take care to close the extra double quote.
Then on to fixing the XSS in the source code.
First, the XSS at the title: the search parameter ks is echoed directly, with no escaping or other processing.
<?php echo input('ks');?>
Add strip_tags() as a filter.
The test result:
The second XSS, in the search box, is located in index_menu.html.
It is the same vulnerability: the input ks is echoed directly with no filtering.
Add the filter function strip_tags().
<?php echo strip_tags(input('ks'));?>
The test result:
However, this fix is not complete: a bypass exists. Once the value attribute is closed, adding an event attribute still gives working XSS, because strip_tags() only removes tags and leaves the quote that closes the attribute untouched.
The better filter is the htmlspecialchars() function.
<?php echo htmlspecialchars(input('ks'));?>
Testing again, the double quotes are escaped to &quot;
The XSS can no longer be triggered; the fix succeeded.
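The two output contexts from the post (the title text and the value attribute of the search box) and the three versions of the echo (no filter, strip_tags(), htmlspecialchars()) can be compared in one stand-alone script. This is an added example, not code from the original post; the framework's input('ks') helper is replaced by plain string parameters so it runs from the CLI, and the three inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Simulates the two output
// contexts described in the post and compares the three filters.
// input('ks') from the post is replaced by a plain string parameter.

// Constructed test inputs (not from the page):
$inputs = [
    'text'      => '1111',                          // harmless search term
    'tag'       => '</title><b>1</b>',              // closes <title>, injects a tag
    'attribute' => '" onmouseover="x" "',           // closes value="", adds an event attribute
];

// The <title> context: user text lands between tags.
function render_title(string $ks, callable $filter): string {
    return '<title>' . $filter($ks) . '</title>';
}

// The search-box context: user text lands inside a double-quoted attribute.
function render_search_box(string $ks, callable $filter): string {
    return '<input type="text" name="ks" value="' . $filter($ks) . '">';
}

$filters = [
    'none'             => fn(string $s): string => $s,
    'strip_tags'       => fn(string $s): string => strip_tags($s),
    // ENT_QUOTES also escapes single quotes, which matters for value='...'
    'htmlspecialchars' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
];

// Crude context checks: does the filtered text still contain the character
// that would let it leave the context it was placed in?
function escapes_text_context(string $filtered): bool {
    return strpos($filtered, '<') !== false;      // a surviving '<' can open a tag
}
function escapes_attribute_context(string $filtered): bool {
    return strpos($filtered, '"') !== false;      // a surviving '"' closes value=""
}

foreach ($filters as $filterName => $filter) {
    echo "== filter: $filterName ==\n";
    foreach ($inputs as $inputName => $ks) {
        $filtered = $filter($ks);
        printf("%-9s title  %s  %s\n", $inputName,
            escapes_text_context($filtered) ? 'BREAKS' : 'safe  ', render_title($ks, $filter));
        printf("%-9s value  %s  %s\n", $inputName,
            escapes_attribute_context($filtered) ? 'BREAKS' : 'safe  ', render_search_box($ks, $filter));
    }
}
```

Running it shows the pattern the post describes: strip_tags() neutralises the tag input in both contexts, but leaves the attribute input unchanged, so the value="" context still breaks; htmlspecialchars() turns the quotes into &quot; and the angle brackets into &lt; and &gt;, so neither context breaks. Note that htmlspecialchars() is the right fix only for HTML text and quoted-attribute contexts; output inside a script block, an inline event handler, or a URL attribute needs escaping for that context instead.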
Publisher: Full stack programmer stack length. Please indicate the source when reprinting: https://javaforall.cn/130466.html. Link to the original site: https://javaforall.cn