示例 - dom.jsp代码:
<%@ page contentType="text/html;charset=UTF-8" language="java" %>Date: <span style="color: red;"></span><input type="hidden" value="<%=request.getParameter("date")%>" /><script>var date = document.getElementsByTagName("input")[0].value;document.getElementsByTagName("span")[0].innerHTML = date;</script>
正常请求测试:http://localhost:8000/modules/servlet/dom.jsp?date=2020-11-15%2015:57:22
XSS攻击测试:http://localhost:8000/modules/servlet/dom.jsp?date=%3Cimg%20src=1%20onerror=alert(/xss/)%20/%3E%20/%3E)
若有收获,就点个赞吧
0 人点赞
