<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<!-- http://sjy:8008/demo/index.jsp?meg=<script>alert('XSS%20attack')</script> -->
<%-- Source: the "meg" query parameter, taken verbatim from the request --%>
<%String message = request.getParameter("meg"); %>
<%-- Sink 1: written straight into the HTML body with no output encoding --%>
<%=message %>
<form action="" method="post">
<%-- Sink 2: written into a double-quoted attribute value, again with no encoding --%>
<input type="hidden" value="<%=message%>">
</form>
</body>
</html>
The code above is vulnerable to reflected XSS, so I am noting it here. Both <%=message %> expressions copy the meg request parameter into the response without any output encoding: the first into the HTML body, the second into a double-quoted attribute value of the hidden input. Either one is enough on its own.
Enter the following in the browser
http://sjy:8008/demo/index.jsp?meg=<script>alert('XSS%20attack')</script>
and the alert pops up, which shows the attack works. The browser percent-encodes the <, > and quote characters when it sends the request, and the servlet container decodes them again, so request.getParameter("meg") returns the raw <script> tag and it is written into the page as markup. Do not count on the browser to stop this: Chromium removed its XSS Auditor in version 78 and Firefox never had one, so the script runs in the origin of the vulnerable site.
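A hardened version of the same page, added here as an example and not part of the original note. It assumes the JSTL core tag library is available to the web application (the jstl jar on the classpath); everything else, including the request URL used to test it, is the same as above. The fix is output encoding at each sink: <c:out> HTML-escapes its value by default (escapeXml="true"), so the parameter is rendered as text rather than parsed as markup.

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%-- Same test request as the vulnerable page:
     http://sjy:8008/demo/index.jsp?meg=<script>alert('XSS%20attack')</script>
     Sink 1, HTML body context. <c:out> escapes < > & " ' by default, so the
     browser receives &lt;script&gt;alert('XSS attack')&lt;/script&gt;
     and shows it as literal text; no script element is created. --%>
<c:out value="${param.meg}" />

<form action="" method="post">
<%-- Sink 2, double-quoted attribute context. Because <c:out> also escapes
     " and ', a payload such as  "><script>...  or  " onfocus="...  cannot
     close the value attribute or the input tag. The name attribute is added
     so the hidden field is actually submitted by the form. --%>
<input type="hidden" name="meg" value="<c:out value='${param.meg}'/>">
</form>
</body>
</html>
```

If the project already uses the JSTL functions taglib, ${fn:escapeXml(param.meg)} is an equivalent inline form. The rule is the same in both cases: encode for the context the value lands in, at the point of output, rather than trying to filter dangerous characters on input.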