An introduction to XSS (omitting 10,000 words)
Stored XSS:
The first: an attack passed through a query-string parameter.
If you have a page that writes a request parameter directly into a Div, the code-behind looks like this (the deliberately vulnerable version: InnerHtml writes the value into the markup without encoding):

    protected void Page_Load(object sender, EventArgs e)
    {
        // read ?p=... from the query string, defaulting to an empty string
        string paramstr = Request.QueryString["p"] != null ? Request.QueryString["p"] : "";
        // untrusted input goes straight into the page as HTML
        div1.InnerHtml = paramstr;
    }
The front-end markup is as follows:

    <div runat="server" id="div1"></div>
If the user enters a normal value, such as
http://localhost:20885/WebForm1.aspx?p=the most handsome Galaxy
the text is rendered as the content of div1, and the page source shows the same value inside the div.
If you submit HTML code instead:
http://localhost:20885/WebForm1.aspx?p=</div><script>alert('XSS')</script><div>
alert('XSS') is executed. Looking at the page source shows why: the </div> supplied through the parameter closes div1 early, the script element that follows is parsed as real markup, and the trailing <div> balances the closing tag the server renders.
The second: an attack through a user input box.
The second type of attack through the user input box:
The front-end code is as follows (jQuery must already be loaded on the page):

    <div id="div3"></div>
    <input id="txt2" type="text" />
    <input id="btn2" type="button" />
    <script type="text/javascript">
        // use the element IDs to bind the click handler and copy the input into the div
        $(document).ready(function () {
            $("#btn2").click(function () {
                var result1 = $("#txt2").val();
                // .html() parses the value as markup, so it is an XSS sink
                $("#div3").html(result1);
            });
        });
    </script>
In the input box, enter: </div><script>alert(/xss/)</script><div>
When you click the button, the alert appears.
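Both attacks above rely on the same mistake: the untrusted value reaches an HTML sink (InnerHtml on the server, jQuery's .html() on the client) without encoding. The following added example, which is not code from the original article, simulates the div1 rendering in plain JavaScript and compares the vulnerable output with an encoded one; htmlEncode mirrors what HttpUtility.HtmlEncode / Server.HtmlEncode do on the server and what .text() does instead of .html() on the client. The function names are my own.

```javascript
// Escape the five characters that let untrusted text alter HTML structure
// (same characters HttpUtility.HtmlEncode handles).
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Vulnerable sink: equivalent to div1.InnerHtml = paramstr, or $("#div3").html(v).
function renderUnsafe(paramstr) {
  return '<div id="div1">' + paramstr + '</div>';
}

// Hardened sink: the value is encoded before it is placed into the markup,
// equivalent to div1.InnerHtml = HttpUtility.HtmlEncode(paramstr) or .text(v).
function renderSafe(paramstr) {
  return '<div id="div1">' + htmlEncode(paramstr) + '</div>';
}

// Simple check a test can run: how many tags does the rendered fragment contain?
// Safe output must contain exactly the one <div>...</div> we wrote ourselves.
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed inputs: the benign value and the payload quoted in the article.
const benign = "the most handsome Galaxy";
const payload = "</div><script>alert('XSS')</script><div>";

function demo() {
  return {
    unsafeTags: tagCount(renderUnsafe(payload)), // 6: the value injected four extra tags
    safeTags: tagCount(renderSafe(payload)),     // 2: only our own opening and closing div
    safeBenign: renderSafe(benign),              // benign text is rendered unchanged
  };
}
```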