How to simulate XSS in ASP.NET?

Time:09-22

I want a simple method to simulate an XSS attack.

I've created an ASP.NET Core 5.0 MVC project, then added a controller:

using Microsoft.AspNetCore.Mvc;

public class HelloWorldController : Controller
{
    // Echoes the "name" query-string value straight back as the response body
    public string Welcome(string name)
    {
        return name;
    }
}

Then I launched /helloworld/welcome?name=<script>alert("hello")</script>, expecting an alert to be displayed, but it displays the script as plain text.

CodePudding user response:

If you want to explicitly execute this, you need to tell the view engine to do so:

public IActionResult Index(string name)
{
    // Hand the untrusted query value to the view as-is
    ViewBag.name = name;
    return View();
}

@* Index.cshtml: Html.Raw writes the value without HTML-encoding it *@
@Html.Raw(ViewBag.name)

Without it, ASP.NET Core would encode it and then display it as a string, because it is a string: you are explicitly returning a string in your code.
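The difference the answer describes, as an added example that is not part of the question or the answer: a Razor @-expression runs the value through System.Text.Encodings.Web.HtmlEncoder before writing it, while Html.Raw writes the string untouched. The console program below (an assumed standalone project, not the asker's MVC app) calls the same encoder directly so the two outputs can be compared, and adds the encoder you would use if the value had to land inside an inline script instead of in HTML text. The sample input is the constructed payload from the question.

```csharp
// Added example, not code from the original page. Runs as a plain console app
// (dotnet new console, .NET 5 or later); System.Text.Encodings.Web ships with the runtime.
using System;
using System.Text.Encodings.Web;

static class RazorEncodingDemo
{
    // What "@name" in a Razor view writes: angle brackets, quotes and ampersands
    // become character entities, so the browser shows the text and runs nothing.
    public static string AsHtmlText(string untrusted) =>
        HtmlEncoder.Default.Encode(untrusted);

    // What "@Html.Raw(name)" writes: the input unchanged, so any markup in it is live.
    // Only ever pass values you generated yourself (or already sanitised) here.
    public static string AsRawHtml(string untrusted) => untrusted;

    // Caveat for the other common case: HtmlEncoder is the wrong tool for a value
    // that is interpolated into a <script> block. Use JavaScriptEncoder and wrap the
    // result in quotes so it becomes a JS string literal rather than code.
    public static string AsJsStringLiteral(string untrusted) =>
        "\"" + JavaScriptEncoder.Default.Encode(untrusted) + "\"";

    public static void Main()
    {
        // Constructed sample: the query-string value from the question.
        string name = "<script>alert(\"hello\")</script>";

        Console.WriteLine("Razor @name      : " + AsHtmlText(name));
        Console.WriteLine("Razor @Html.Raw  : " + AsRawHtml(name));
        Console.WriteLine("Inline JS literal: " + AsJsStringLiteral(name));
    }
}
```

The first line is what the asker's view would emit if it used plain @ViewBag.name; the second is what the accepted answer's @Html.Raw emits, which is why the script runs. In a real view, reach for the third form (or better, a data- attribute read from a separate script file) whenever user input must reach JavaScript.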
