The request parameter is "param"; the payload is `http://[your-ip]/test?param=<svg/onload='alert(1)'>`
If the user's input is output directly, XSS will be caused after the controller's set method is set. If the malicious parameters of the controller are taken from the database, the XSS vulnerability will be stored.
Repair
The `attributeValue` should be judged before the set method calls `request.setAttribute`. If it is in string format, the harmful characters should be filtered, such as `<script>`.
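The type check described under Repair, as an added example (not code from the issue or from the framework): string values are HTML-encoded before they are stored, and a `<script>`-only filter is run beside it on the payload quoted in the issue, which contains no `<script>` tag. `AttrEncodingDemo`, `escapeHtml`, `stripScriptTags` and `setAttr` are hypothetical names, and a `Map` stands in for the request's attributes.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; all names here are hypothetical, and the Map stands in
// for the attributes of an HttpServletRequest.
public class AttrEncodingDemo {

    // Encode the five characters that are significant in HTML text and
    // in quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // A tag blacklist for comparison: removes <script> and </script> only.
    static String stripScriptTags(String s) {
        return s.replaceAll("(?i)</?script[^>]*>", "");
    }

    // Type check before storing: String values are encoded, others pass through.
    static void setAttr(Map<String, Object> attrs, String name, Object value) {
        attrs.put(name, value instanceof String ? escapeHtml((String) value) : value);
    }

    public static void main(String[] args) {
        String param = "<svg/onload='alert(1)'>"; // payload quoted in the issue
        Map<String, Object> attrs = new HashMap<>();
        setAttr(attrs, "param", param);
        setAttr(attrs, "count", 3); // non-String value, stored unchanged

        System.out.println("blacklist: " + stripScriptTags(param));
        System.out.println("encoded:   " + attrs.get("param"));
        System.out.println("count:     " + attrs.get("count"));
    }
}
```

This encoding suits values rendered as HTML text or inside quoted attributes; a value placed in a script block or a URL needs the encoding for that context instead.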
@HyCXSS @OS-WS A web framework doesn't need to filter request data. In addition to performance, it also needs to consider JS script in user business data.
The main reason is that the controller does not filter the parameters during rendering, which leads to malicious input of users and may lead to XSS.
I wrote a demo:
Controller
test.html