直到最近,我還沒有和HTML或PHP混爲一談。我的任務是使用漏洞工具來診斷問題,然後嘗試修復它們。我發現最高警報是一個跨站腳本(XXS)警報。我已經閱讀了這個漏洞,但是在告訴我我真的需要做什麼時發現它很混亂。代碼如下:試圖擺脫代碼中的跨站點腳本(XXS)漏洞
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Form Login</title>
</head>
<body OnLoad="document.main.username.focus();">
<table >
<tr>
<td colspan="2">
<h4>Enter your Username and Email Address to continue</h4>
</td>
</tr>
<!-- create the main form with an input text box named uid and a password text box named mypassword -->
<form name="main" method="post" action="authcheck.php">
<tr>
<td>username:</td>
<td><input name="username" type="text" size="50"></td>
</tr>
<tr>
<td>Email Address:</td>
<td><input name="emailadd" type="text" size="50"></td>
</tr>
<tr>
<td colspan="2" align="center"><input name="btnsubmit" type="submit" value="Submit"></td>
</tr>
</table>
</form>
</body>
</html>
下一個節目上面的一個是指如下:當我按下提交按鈕時生成
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>User Authenticate </title>
</head>
<body>
<?php
// Retrieve Post Data
$username = $_POST["username"];
$email = $_POST["emailadd"];
// Set the session information
session_start();
$_SESSION['appusername'] = $username;
$_SESSION['appemail'] = $email;
// Display the Session information
echo "<h3> Session Data </h3>";
echo "<table border='1'>";
echo "<tr>
<td>Username </td>
<td> Email </td>
</tr>";
echo "<tr>
<td>" . $_SESSION['appusername'] . "</td>";
echo "<td>" . $_SESSION['appemail']. "</td>";
echo "</tr>";
echo "</table>";
// Provide a button to logout
echo "<form name='logout' method='post' action='logout.php'>
<input name='btnsubmit' type='submit' value='Logout'>
</form>";
?>
</body>
</html>
此程序。
我真的只是想找出我應該試圖解決這個錯誤。謝謝
你需要提供更多的代碼和你正在得到什麼錯誤...什麼工具檢查這個? – cmorrissey
我正在使用名爲ZAP –
@RandyGilman的漏洞工具,如來自OWASP的ZAP? –