为什么javascript代码没有被执行?

时间:2016-05-25 19:23:22

标签: javascript

我试图在某些网站上测试安全级别的XSS漏洞,但我无法弄清楚为什么在下一页中注入的脚本无法执行。基本上,我在输入表单中插入一些值,服务器回复此响应

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" conent="IE-edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>NECSTFeedback</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
    <link href="/static/css.css" rel="stylesheet">
</head>
<body>
<div class="container">
    <div class="header clearfix">
        <h3 class="text-muted">The NECSTFeedback</h3>
    </div>

<h1>Report</h1>
<p><b>Subject: </b>sk</p>
<p><b>Sender: </b>as</p>
<div class="rpt-content">
    <p><b>Message: </b></p>
               <!-- This is my script -->
               <script> alert('Hi')</script>
</div>

<p><b>Attachment: </b><a href="/attachment/58224c5bd967459c925a88eb21799384"></a></p>

</div>
</body>
</html>

我怀疑它是因为CSP标题,但我不太确定。顺便说一句,这是一个标题列表。

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 May 2016 19:18:31 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/

1 个答案:

答案 0 :(得分:2)

  

我怀疑它是因为CSP标题,但我不太确定。

Content-Security-Policy: default-src 'self'; style-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/; font-src 'self' https://maxcdn.bootstrapcdn.com/bootstrap/
确实是的。

内容安全政策规范says here

如果&#39;不安全 - 内联&#39;不在allowed script sources [...]列表中: 只要用户代理从<script> element [...]执行内联脚本,用户代理就不能执行脚本[...]。

标题中的self确实禁止内联脚本。