I want to create an simple XSS. Below is my code
<body>
<script>
function update(){
const message = document.getElementById("message").value;
document.getElementById("show_message").innerHTML = message
}
</script>
<h1 >Cross-Site Scripting</h1>
<div >
<input type="text" id="message"/><br/>
<button type="button" onclick="update()">submit</button>
</div>
<hr/>
<div id="root">
You typed :
<span id="show_message">
</span>
</div>
</body>
Then I tried to type in <script>alert(1);</script>.But it didn't work.
Where's the problem?
CodePudding user response:
The script tag is not going to run because the browser is not going to let you do that. It is EXACTLY there to prevent such XSS attacks.
Anyway, if you want to see it run you can check other answers:
If you just want an input that can run, create one using img
<image/src/onerror=alert(8)>
CodePudding user response:
There is nothing wrong with your code! Are you using Chrome? Chrome now uses Trusted Types for DOM Manipulation. So it automatically protects you from this simple XSS attack.
By the way, if you want to try more XSS attacks, I recommend you play with the seedlab.