javascript - What does document.vulnerable do? - Stack Overflow

admin管理员组

文章数量:1023827

Im getting more into preventing xss attacks and one of the ways I'm doing that is by finding and fixing exploits. I noticed that i see document.vulnerable in alot of the attacks I've logged.

I can't seem to find much documentation on this so I'm left wondering what does it do or what is it for?

Im getting more into preventing xss attacks and one of the ways I'm doing that is by finding and fixing exploits. I noticed that i see document.vulnerable in alot of the attacks I've logged.

I can't seem to find much documentation on this so I'm left wondering what does it do or what is it for?

• javascript
• xss

Share Improve this question Follow asked May 23, 2012 at 19:39 RoosterRooster 10.1k88 gold badges4949 silver badges7272 bronze badges 1

• 1 They're probably just setting a flag, document.vulnerable isn't a native JS property. – Snuffleupagus Commented May 23, 2012 at 19:48

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 5

AFAIK it's just a way of testing if an attack works. You try to inject a script containing document.vulnerable = true into a page, then you go to the page and see if document.vulnerable is set.

From what I can find it is just a flag set by the XSS vulnerability tests. I am basing this on all the tests I have seen and

...the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS...

seen in the documentation for this FF add-on: https://addons.mozilla/en-US/firefox/addon/xss-me/

I don't think it does anything, it just sets a property on the document object called vulnerable.

When you see HTML code like: <IMG SRC="javascript:document.vulnerable=true;"> when looking at XSS attacks, it's just a way of saying "allowing JavaScript code to be inserted here is dangerous".

Im getting more into preventing xss attacks and one of the ways I'm doing that is by finding and fixing exploits. I noticed that i see document.vulnerable in alot of the attacks I've logged.

I can't seem to find much documentation on this so I'm left wondering what does it do or what is it for?

Im getting more into preventing xss attacks and one of the ways I'm doing that is by finding and fixing exploits. I noticed that i see document.vulnerable in alot of the attacks I've logged.

I can't seem to find much documentation on this so I'm left wondering what does it do or what is it for?

• javascript
• xss

Share Improve this question Follow asked May 23, 2012 at 19:39 RoosterRooster 10.1k88 gold badges4949 silver badges7272 bronze badges 1

• 1 They're probably just setting a flag, document.vulnerable isn't a native JS property. – Snuffleupagus Commented May 23, 2012 at 19:48

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 5

AFAIK it's just a way of testing if an attack works. You try to inject a script containing document.vulnerable = true into a page, then you go to the page and see if document.vulnerable is set.

From what I can find it is just a flag set by the XSS vulnerability tests. I am basing this on all the tests I have seen and

...the resulting HTML page sets a specific JavaScript value (document.vulnerable=true) then the tool marks the page as vulnerable to the given XSS...

seen in the documentation for this FF add-on: https://addons.mozilla/en-US/firefox/addon/xss-me/

I don't think it does anything, it just sets a property on the document object called vulnerable.

When you see HTML code like: <IMG SRC="javascript:document.vulnerable=true;"> when looking at XSS attacks, it's just a way of saying "allowing JavaScript code to be inserted here is dangerous".

本文标签： javascriptWhat does documentvulnerable doStack Overflow