1, vulnerability description:
2, detection conditions:
The website under test has interactive function modules, which involve parameter get and post submission, etc.
3, detection method
If the application uses the framework, check the main The HTML source code of the browser window, which should contain the code for the frameset. Through the frame or link injection of the parameters in the url submitted by the get in the website, the effect is injected into the parameter id:
The effect is as follows:
4, the repair plan
All of the following characters:
| (vertical symbol)& (& symbol) ; (semicolon) $ (dollar sign) % (percent symbol) @ (at symbol) ' (single quote) " (quotation mark)\' (backslash escape single quote) \\" (backslash escape quotation marks)<> (angle brackets) () (brackets) + (plus sign) CR (carriage return, ASCII0x0d) LF (line feed, ASCII0x0a) , (comma) \ (backslash) For detailed filtering solutions, please refer to the XSS cross-site vulnerability fix.