We all know that json is similar to a dictionary. Here we will not repeat it here. The XSS directly uses the Code:
Json = new JSONObject (); json. put ("code", 200); json. put ("info", "{'replace ': function () {alert (/xss/) ;}}"); json. put ("msg", "success"); System. out. println (json); // output: {"code": 200, "info": {"replace": function () {alert (/xss /);}}, "msg": "success "}
When JSONObject outputs a json string, info is output as an object, and the replace method is embedded in it. js then calls replace.
The embedded replace method is called during Escape filtering. (This is based on the conventional habits of the programmer, so that it is automatically triggered by the user, but if the client code does not call the corresponding function, it will not be triggered, so here we should first look at the original
Attention should also be paid to construct functions that can be triggered in js Code)
The trigger process is as follows:
<Script tpye = 'text/javascript '> json = JSONObject. json_list ('info') ['replace '] // This section is called by the client code, so this function () is thrown () {alert (/xss/) ;}</script>
This info can be constructed into different objects based on different occasions, or an array {function () {alert (/xss/)} can be constructed, or a simple
Function () {alert (/xss /)},
It is worth noting that this method does not work in jQuery. jQuery will check the json string format. If ajax and jsonp are common, this xss problem may exist. Finally, when XSS is used, a lot of small X will require a little bit of tricky ideas.