Google
AspAlliance.com Web
AspAlliance
Register
Edit My Profile
Author List
Write for Us
About AspAlliance
Contact Us
Privacy Policy
Link To Us
Advertise

Subscribe
Free Newsletter
Newsletter Archive
RSS Syndication

.NET Tutorials
Learn .NET
Learn WCF
Learn WPF
Learn ASP.NET
Learn AJAX
Learn Silverlight
Learn Visual Studio
Learn ADO.NET
Learn LINQ
Learn C# (CSharp)
Learn VB.NET
Learn Web Services
Learn Controls
Learn BizTalk
Learn SharePoint
Learn Mobile
Learn SQL
Learn SQL Reporting
Learn Windows Forms
Learn XML
Learn Crystal Reports
Learn FarPoint
Learn DevExpress
Examples
ASP.NET 2.0 Examples

ASP Tutorials
Learn ASP
Learn VBScript
Learn JScript
Learn SQL
Learn XML

Software Resources
Shopping Cart Ecommerce
Charts and Dashboards

Other Resources
Learn Java
Learn Oracle
Opinion / Editorial
Crystal Reports Alliance
WPF Resources
AJAX Resources
Silverlight Resources

Free Tools
Cache Manager
SimpleCMS

Reviews
Book Reviews
Product Reviews
Expert Advice

Books
ASP.NET Developer's Cookbook
Sample Chapters
Book Reviews

Community
Regular Expressions

Print This Article Print  Add To Favorites Add To Favorites    Email This Article To A Friend Email To Friend  Rate This Article Rate This Article   
SQL Injection and Cross-Site Scripting
page 7 of 9
by Bryian Tan
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 46871/ 67
Cross-Site Scripting

Cross-Site Scripting enables malicious attackers to inject client-side script or HTML markup into web pages viewed by other users. This can happen through the input form.  Update the comment with the string "<script src="http://localhost:9997/badhost/maliciousscript.js"></script>". You should see a pop-up message when you navigate to http://localhost:1234/Sample/ListComments.aspx page.

Figure 18

Quick Test

Update the form value with any of the string listed below and observe the outcome. Make sure the string is in one line and no line break. If the JavaScript executes successfully by the browser or displays unexpected result then the web page is subjected to Cross-Site scripting.

<BODY ONLOAD=''javascript:window.location="http://www.google.com"''>
 
<BODY ONLOAD="javascript:alert(''XSS'')">
 
<p onmouseover=javascript:window.location="http://www. google.com";>test
 
<p onmousemove=javascript:window.location="http://www. google.com";>test
 
<p onMouseDown=javascript:window.location="http://www.google.com";>test
 
<span onmouseover=javascript:window.location="http://www. google.com";>test</span>
 
<span onmousemove=javascript:window.location="http://www.google.com";>test</span>
 
<h2 onmouseover=javascript:window.location="http://www.google.com";>test
 
<div onmouseover=javascript:window.location="http://1208929383";>test
 
<meta http-equiv="refresh" content="1; URL=http://1208929383">   
 
<b onmouseover=javascript:window.location="http://www.google.com";                       
>test
 
<img onmouseover=javascript:window.location="http://www.google.com";>
 
<img src=http://www.google.com/images/srpr/nav_logo14.png width="1" height="1" 
onLoad=javascript:window.location="http://www.google.com";>
 
<div  style="width:100%" 
onresize=javascript:window.location="http://www.google.com";>test</div> 
(Resize the browser to see the behavior)
 
<tt style="width:100%" 
onmousemove=javascript:window.location="http://www.google.com";>test
 
<PLAINTEXT> test
 
<object> test
 
<applet> test
 
<textarea> test
 
<title> test
 
<table> test
 
<style> test
 
<noscript> test
View Entire Article

User Comments

Title: NIKE NFL jerseys   
Name: NIKE NFL jerseys
Date: 2012-07-02 10:09:59 AM
Comment:
http://www.jersey2shop.com
http://www.cheapjersey2store.com
http://www.jerseycaptain.com
http://www.yourjerseyhome.com
We are professional jerseys manufacturer from china,wholesal.cheap nike nfl jerseys, mlb jerseys, nhl jerseys,nba jerseys and shoes
Cheap NFL,NBA,MLB,NHL
,heap jerseys,2012 nike nfl Jerseys,nba jersey and shorts,oklahoma city thunder jersey,official jeremy lin new york knicks jersey,NFL Jerseys Wholesale,blake griffin jersey blue,NFL jerseys For Sale online.All Our Jerseys Are Sewn On and Directly From Chinese Jerseys Factory
,Wholesale cheap jerseys,Cheap mlb jerseys,]Nike NFL Jerseys,Cheap China Wholesae,Wholesale jerseys From China,2012 nike nfl Jerseys,Jerseys From China,,2012 nike nfl Jerseys,Revolution 30 nba jerseys,jersey of nba chicago bulls direk rose ,nfl jerseys,green bay packers jerseys wholesale,Buffalo Bills nike nfl jerseys sale,good supplier soccer jerseys,cool base mlb jerseys,Revolution 30 nba jerseys,2012 stanley cup nhl jersey,
We are professional jerseys manufacturer from china,wholesal.cheap nike nfl jerseys, mlb jerseys, nhl jerseys,nba jerseys and shoes. www.yourjerseyhome.com
Title: SQL Injection and Cross-Site Scripting   
Name: DINESH
Date: 2011-01-18 6:25:25 AM
Comment:
The best SQL Server Site Scripting
Title: avrail   
Name: Refat Eid
Date: 2010-09-19 3:02:00 AM
Comment:
where can i found the TestDBSetup.sql ?
Title: Really Good   
Name: Ankit Shivankar
Date: 2010-09-15 1:04:32 AM
Comment:
its really good.....and easy to understand

dear Bryian ...
M facing some problem in my personal project can u help me..
if u can then plz contact me on mail id that is shiva.ankit@gmail.com
Title: Download Link   
Name: Bryian Tan
Date: 2010-09-14 8:21:24 PM
Comment:
Hello,

Sorry, I think I forgot to include the download link. Anyway, please download the sample code from here http://download.ysatech.com/SQL-Injection-and-Cross-Site-Scripting/Sample_SQLInjection_XSS.zip
Title: Gustavo   
Name: Fernandez
Date: 2010-09-14 3:19:45 PM
Comment:
Where is the link to download the code sample (TestDBSetup.sql)?
Title: Senior programmer/analyst   
Name: Greg Hilsheimer
Date: 2010-09-14 2:16:39 PM
Comment:
where is link to download code






Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-04-17 9:59:47 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search