HTML encoded form post

Posted on 2024-08-09 22:03:28


A user has sent me some information that they posted to one of my pages, with potential XSS issues; however, looking at the server-side code I don't think it would ever run through my code smoothly.

They said they sent this:

forminfo=%27+%7C%7C+%27%27+%7C%7C+%27%25booleantest%3Atrue%2Ctrue%2Ctrue

I have looked at this and have worked out that %27 is an apostrophe and %7C is a pipe character, which could be risky.

However, if the data comes into my app in that format it will crash, as it does string manipulation on the posted information. It does a string split on a colon (:) character. forminfo is the name of one of my HTML input elements.

If it came in as

forminfo=' || '' || '%booleantest:true,true,true

then it's clearer and I can see better what they sent and how the code would deal with the input.

Therefore, are they saying that they posted data in an encrypted manner? Would my app know how to deal with the encrypted posted data and unencrypt it somehow?

They didn't get an error but if I run the code myself it errors.

Can you explain what might have happened?


红衣飘飘貌似仙 2024-08-16 22:03:28


The following is URLEncoded data:

forminfo=%27+%7C%7C+%27%27+%7C%7C+%27%25booleantest%3Atrue%2Ctrue%2Ctrue

If your application would have issues with:

forminfo=' || '' || '%booleantest:true,true,true

Then you indeed have a problem because that is what your helpful user is trying to tell you.
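As an added example (not from the question or either answer), the Python below shows what the application actually receives once the web framework URL-decodes this body, runs the colon split the asker describes on the decoded value, and escapes the value before echoing it back into HTML; the function names are my own.

```python
from urllib.parse import parse_qs
import html

# Constructed sample: the exact form body quoted in the question.
RAW_BODY = "forminfo=%27+%7C%7C+%27%27+%7C%7C+%27%25booleantest%3Atrue%2Ctrue%2Ctrue"


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way a web
    framework does before application code sees it: '+' becomes a space
    and each %XX sequence becomes the character it encodes. This is
    encoding, not encryption; no key or secret is involved."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def split_on_colon(value: str) -> list:
    """Mimic the server-side step from the question: split the field on ':'.
    The raw body contains no ':' at all (it is %3A), so the split only
    behaves as described after decoding has happened."""
    return value.split(":")


def render_safely(value: str) -> str:
    """Escape the field before echoing it into HTML so quotes and angle
    brackets are displayed literally instead of being interpreted."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    fields = decode_form(RAW_BODY)
    decoded = fields["forminfo"]
    print("decoded :", decoded)
    print("split   :", split_on_colon(decoded))
    print("escaped :", render_safely(decoded))
```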

岁月无声 2024-08-16 22:03:28


Hex- and base64-encoded JavaScript can be decoded and rendered within your page, if your page is rendering the form data (the injected JavaScript) back to the browser.

To better protect your site, you might want to look into the XSS (Cross Site Scripting) Cheat Sheet or Cross-site Scripting (XSS).
