2016-02-03 XSS Vulnerability

Source: Internet
Author: User

An XSS vulnerability was found in the application. It was caused by one of the fields returned by the Ajax interface of a GET request. The field was originally meant to be displayed, but a patch removed it from the display while the interface kept returning it. Now that an XSS vulnerability has been reported, some of my colleagues are not quite sure why a field that is returned but never displayed can cause an XSS bug.

In fact, I understand what they mean: the returned field is not used, it is not put into the page (it is not placed inside any tag on the page, which is what normally causes an XSS vulnerability), and it is not executed (is that really so?). So why does the vulnerability appear?

My understanding at the time was that even though the field is not put into the page, the browser still does some processing of the interface's response data. Checking further: if the Content-Type is text/html, the returned data will definitely be executed; for JSONP, if the Content-Type is application/javascript, the browser will not execute it. So my guess might be right, which means the browser does some processing of the data depending on Content-Type or some other header. I looked at the HTTP headers of our interface: the Content-Type is application/json.
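To make the Content-Type question concrete, here is an added example (not code from the original post) that checks the response headers of a JSON API endpoint the way a reviewer would, and shows the extra escaping that keeps a reflected field inert even if the body is ever rendered as HTML. The sample header sets, the finding codes and the reflected value are constructed for illustration.

```python
import json

# Media types a browser treats as data rather than rendering as a document.
JSON_MEDIA_TYPES = {"application/json", "application/problem+json"}

# Constructed sample header sets (not taken from the original post). Each is
# what a reviewer might see on the response to the Ajax GET described above.
SAMPLE_HEADERS = {
    "misconfigured": {"Content-Type": "text/html; charset=utf-8"},
    "json_only": {"Content-Type": "application/json; charset=utf-8"},
    "hardened": {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=data.json",
    },
}


def check_json_response_headers(headers):
    """Return a list of finding codes for a JSON API response.

    An empty list means the response is served in a way that stops a browser
    from rendering the body as HTML when someone opens the URL directly.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    content_type = lower.get("content-type", "")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if not media_type:
        findings.append("missing-content-type")
    elif media_type not in JSON_MEDIA_TYPES:
        # text/html here is exactly the case where a reflected value runs.
        findings.append("non-json-content-type:" + media_type)
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        # Without nosniff some browsers may sniff an HTML-looking body anyway.
        findings.append("missing-nosniff")
    return findings


def safe_json_dumps(obj):
    """json.dumps with <, > and & escaped as \\uXXXX sequences.

    The output is still valid JSON (json.loads / JSON.parse return the same
    object), but the bytes on the wire contain no HTML tag characters, so the
    body stays inert even if it is mis-served or sniffed as text/html.
    """
    encoded = json.dumps(obj)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


if __name__ == "__main__":
    for name, headers in SAMPLE_HEADERS.items():
        print(name, check_json_response_headers(headers) or "ok")
    # Constructed reflected input: a value the endpoint echoes back unchanged.
    reflected = {"name": "<b>x</b> & y"}
    print(safe_json_dumps(reflected))
```

The header check answers the author's question from the defender's side: a reflected field in an application/json response is not parsed as markup by the browser, but the same field served as text/html is, and X-Content-Type-Options: nosniff closes the sniffing gap. The escaping in safe_json_dumps is defence in depth for the day the endpoint is misconfigured again.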

At this point I don't know enough about the different types of XSS, and I don't have enough insight into Ajax requests. I'd like to look into this properly soon and record my thoughts here.


Postscript: I used to wonder why people share things and take notes. What is the good of sharing? Doesn't everyone understand the same material when they read it?

Today I understand that different people understand the same problem to different degrees, and that understanding a problem thoroughly requires in-depth learning and practice, which not everyone will do.

That is why you need to share and take notes.


2016, come on!
