The typical action of XSS Worm is to simulate the submission process of normal forms. I think it is necessary for me to revise my previous articles (put them on hold for now ). The most common form submission process is the XHR object. Generally, the POST type is used for submission (GET type is very simple and you don't need to mention it here ). That is, I want to use the following function:
Function _ 3or7 (_ m, _ s, _ ){
_ X. open (_ m, _ s, false );
If (_ m = "POST") _ x. setRequestHeader ("Content-Type", "multipart/form-data; boundary = ----------------- 7964f8dddeb95fc5 ");
_ X. send (_ );
Return _ x. responseText;
}
Or I want to use the following function:
Function postdata (_ s, _ ){
_ X. open ("POST", _ s, false );
_ X. setRequestHeader (Content-Type, application/x-www-form-urlencoded );
_ X. send (_ );
Return _ x. responseText;
}
Note: _ x is an XHR object.
[PSTZine 0x02] [0x07] a section in [XSS attack detection] addresses some of my doubts:
The key is that an attribute of the from form may cause a stumbling block to third-party XSS products. Generally, XSS attackers will never consider this issue. The two form attributes are:
Multipart/form-data and application/x-www-form-urlencoded.
Because the XSS Worm I wrote does not take the form attributes into account. Cause of failure ...... Another point I have to mention is my previous article "XSS Worms submit dynamic JS form". It seems that it is not as simple as I think, and I have encountered some problems. I will publish a special article on the revision of previous articles.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
