I want a simple method to simulate XSS attack.
I've created asp.net core 5.0 mvc, then added a controller:
using Microsoft.AspNetCore.Mvc;

public class HelloWorldController : Controller
{
    // Returning a string makes MVC send it as text/plain, so the browser never parses it as HTML.
    public string Welcome(string name)
    {
        return name;
    }
}
Then I launched /helloworld/welcome?name=<script>alert("hello")</script>, expecting it to display an alert, but it displays it as plain text.
CodePudding user response:
If you want to explicitly execute this, you need to tell the view engine to do so:
using Microsoft.AspNetCore.Mvc;

public IActionResult Index(string name)
{
    // Pass the raw, unencoded input through to the view.
    ViewBag.name = name;
    return View();
}

@* In the matching Razor view (Views/HelloWorld/Index.cshtml): Html.Raw skips the encoding Razor applies by default. *@
@Html.Raw(ViewBag.name)
Without it, asp.net core would encode it, and then display it as a string, because it is a string. You are explicitly returning a string in your code.
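The following controller is an added example, not code from the question or the answer above, written to show the three output paths a lab like this exercises side by side: the text/plain string return from the question (nothing executes), the Html.Raw view from the answer (the only path where the script runs), and a ContentResult that sets text/html itself, which bypasses Razor entirely and therefore must encode explicitly. The action names `RawView`, `EncodedView` and `HtmlContent`, and the view file names, are assumptions chosen for the example.

```csharp
using Microsoft.AspNetCore.Mvc;
using System.Text.Encodings.Web;

public class HelloWorldController : Controller
{
    // Path 1 (the question's code): a string return is sent as text/plain.
    // The browser renders it literally, so <script> in 'name' is never parsed as HTML.
    public string Welcome(string name) => name ?? string.Empty;

    // Path 2 (the answer's code): the view opts out of encoding with @Html.Raw.
    // Assumed view Views/HelloWorld/RawView.cshtml contains:  @Html.Raw(ViewBag.name)
    // This is the deliberately vulnerable lab page; the script in 'name' executes.
    public IActionResult RawView(string name)
    {
        ViewBag.name = name;
        return View();
    }

    // Hardened counterpart: the same data, but the view writes @ViewBag.name.
    // Assumed view Views/HelloWorld/EncodedView.cshtml contains:  <p>Hello, @ViewBag.name</p>
    // Razor HTML-encodes every @ expression by default, so the markup is shown, not run.
    public IActionResult EncodedView(string name)
    {
        ViewBag.name = name;
        return View();
    }

    // Path 3: returning HTML without a Razor view. Because the content type is text/html,
    // the browser WILL parse it, and Razor is not involved to encode anything.
    // The encoder call is what keeps this safe; omitting it reproduces the Html.Raw case.
    public IActionResult HtmlContent(string name)
    {
        string encoded = HtmlEncoder.Default.Encode(name ?? string.Empty);
        return Content($"<p>Hello, {encoded}</p>", "text/html");
    }
}
```

When checking an application rather than a lab, the useful review question this illustrates is not "where is user input rendered?" but "which rendering path is it on?": a string or text/plain result is inert, a Razor @ expression is encoded automatically, and only Html.Raw, hand-built text/html responses, or JavaScript that injects the value into the DOM leave encoding to the developer.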