示例 - 存在存储型XSS的guestbook.jsp代码:

    <%-- guestbook.jsp -- deliberately VULNERABLE demo of stored XSS.
         Taint flow in this page:
           sources : request parameters "username" and "content", request header "x-real-ip"
           storage : an application-scoped (server-wide) List<Map<String,String>>
           sinks   : the three <%= %> expressions in the <dd> template below, which write the
                     stored strings into the HTML response with no output encoding.
         Do not deploy this page; it exists to show the bug. --%>
    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <%@ page import="java.text.SimpleDateFormat" %>
    <%@ page import="java.util.*" %>
    <%
    // SOURCES: both values are taken verbatim from the client. Nothing in this page
    // validates, length-limits or encodes them.
    String username = request.getParameter("username");
    String content = request.getParameter("content");
    // Key of the shared comment list in application scope: one poster's payload is
    // served to every later visitor, which is what makes the XSS "stored".
    String guestBookKey = "GUEST_BOOK";
    List<Map<String, String>> comments = new ArrayList<Map<String, String>>();
    // A request is treated as a submission whenever "content" is present (even if empty).
    if (content != null) {
        Object obj = application.getAttribute(guestBookKey);
        if (obj != null) {
            // Unchecked cast: anything else stored under this key raises ClassCastException.
            comments = (List<Map<String, String>>) obj;
        }
        Map<String, String> comment = new HashMap<String, String>();
        // "x-real-ip" is a plain request header, i.e. client-controlled unless a trusted
        // reverse proxy in front of this app overwrites it. It is rendered unescaped below,
        // so it is a third XSS source besides username and content, and cannot be relied
        // on for attribution.
        String ip = request.getHeader("x-real-ip");
        if (ip == null) {
            ip = request.getRemoteAddr();
        }
        comment.put("username", username); // may be null when no "username" parameter was sent
        comment.put("content", content);
        comment.put("ip", ip);
        // NOTE(review): a new SimpleDateFormat per request sidesteps its lack of thread safety,
        // but java.time (DateTimeFormatter) would be the modern choice.
        comment.put("date", new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date()));
        // NOTE(review): a plain ArrayList mutated by concurrent requests with no
        // synchronization; concurrent first posts can also overwrite each other's list.
        comments.add(comment);
        application.setAttribute(guestBookKey, comments);
    }
    %>
    <html>
    <head>
    <title>留言板</title>
    </head>
    <%-- <style> placed between </head> and <body>; browsers tolerate it but it is invalid markup. --%>
    <style>
    * {
    margin: 0;
    padding: 0;
    }
    </style>
    <body>
    <div style="border: 1px solid #C6C6C6;">
    <div style="text-align: center;">
    <h2>在线留言板</h2>
    </div>
    <div>
    <dl>
    <%
    // Re-read the list so the freshly added comment (if any) is included in this response.
    Object obj = application.getAttribute(guestBookKey);
    if (obj instanceof List) {
        comments = (List<Map<String, String>>) obj;
        for (Map<String, String> comment : comments) {
    %>
    <%-- SINKS: <%= %> prints the raw string (and the literal text "null" for a null
         username). No HTML encoding is applied, so a username, IP header or content
         containing e.g. <script>...</script> is executed by every browser that loads this
         page. Fix: HTML-encode at output time (JSTL ${fn:escapeXml(...)} or the OWASP Java
         Encoder) and add a Content-Security-Policy header as defence in depth. --%>
    <dd>
    <div style="min-height: 50px; margin: 20px; border-bottom: 1px solid #9F9F9F;">
    <p><B><%=comment.get("username")%>
    </B>[<%=comment.get("ip")%>] 于 <%=comment.get("date")%> 发表回复:</p>
    <p style="margin: 15px 0 5px 0; font-size: 12px;">
    <%-- <pre> does not change HTML parsing: tags inside the stored content are still live.
         (<pre> inside <p> is also invalid HTML; the browser implicitly closes the <p>.) --%>
    <pre><%=comment.get("content")%></pre>
    </p>
    </div>
    </dd>
    <%
        }
    }
    %>
    </dl>
    </div>
    <div style="background-color: #fff; border: 1px solid #C6C6C6;">
    <%-- Posts back to this same page. No CSRF token, so a cross-site form can plant a comment
         (and its payload) on a victim's behalf. --%>
    <form action="#" method="POST" style="margin: 20px;">
    昵称: <input type="text" name="username" style="width:250px; height: 28px;"/><br/><br/>
    <textarea name="content" style="overflow: auto;width: 100%; height: 250px;"></textarea>
    <input type="submit" value="提交留言" style="margin-top: 20px; width: 80px; height: 30px;"/>
    </form>
    </div>
    </div>
    </body>
    </html>

    访问 http://10.10.99.2:8000/modules/servlet/guestbook.jsp,并在留言内容处填入XSS测试代码,如下:
    3. 2. 存储型XSS攻击 - 图1
    提交留言后页面会刷新;由于留言内容被存入应用级(application)作用域,并在输出时未经任何HTML编码就直接写入页面,浏览器会执行留言中的XSS代码,且之后每个访问该页面的用户都会触发:
    3. 2. 存储型XSS攻击 - 图2