I decided to understand the essence and mechanism of XSS. I wrote a simple HTML page:

 <html>
 <head> <title> xss </title> </head>
 <body>
 <H1> test </H1> <br />
 <!-- the query parameter is echoed into the page without any encoding -->
 <?php echo $_GET['in']; ?>
 </body>
 </html>

If I request it as

 .../index.php?in=string 

then the string I passed is output, but if I try to pass a script

 .../index.php?in=<script>alert('xss here')</script> 

then nothing happens.

What am I doing wrong?

PS: JavaScript is enabled in the browser

  • What do you expect from the execution of this code? - titov_andrei
  • @titov_andrei, well, I mean that the script will execute and show an alert message - kBro
  • @kBro: it should work. Look at the source code of the page after requesting it: does it appear in place of echo $_GET['in'];? - edem
  • @edem, it is not clear why, but the output of strings does not work. Numbers and objects are output - kBro
  • @kBro: open the developer console in your browser and see what it reports when you try to output strings. - edem

1 answer

Most likely you are using Chrome: the Chrome XSS Auditor handles such simple reflected XSS; in this case, the Console tab of the developer panel will show messages about blocking the execution of the script.

But keep in mind that Chrome will not necessarily protect against every reflected XSS; you can still look through the search results for "chrome xss auditor bypass".

I think this game from Google, where you can get acquainted with various types of XSS, will be interesting to you.
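The answer explains why the browser swallowed the alert, but the page itself is still vulnerable: the fix belongs on the server, not in the browser (the XSS Auditor was removed from Chrome in version 78, so current Chrome gives no such protection at all). The following is an added example, not code from the question or the answer. It puts the question's raw `echo` sink beside a hardened version that HTML-encodes the parameter with `htmlspecialchars`, runs both over the question's own sample inputs when executed from the command line, and, when served by a web server, adds a Content-Security-Policy header as a second layer. The query parameter name `in` is taken from the question; the function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not the question's own page: the reflected-XSS sink from the
// question beside its hardened form. Parameter name "in" comes from the question;
// function names and sample inputs are constructed here.

/** The vulnerable pattern from the question: attacker-controlled input echoed raw. */
function render_unsafe(string $in): string
{
    return "<h1>test</h1><br />" . $in;
}

/** Hardened form: encode <, >, &, " and ' before inserting into an HTML text context. */
function render_safe(string $in): string
{
    return "<h1>test</h1><br />" . htmlspecialchars($in, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Crude check: does the rendered page contain a <script tag that the template never emits? */
function contains_script_tag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: the two values the question itself tried.
    $samples = [
        'string',
        "<script>alert('xss here')</script>",
    ];
    foreach ($samples as $in) {
        printf(
            "input:  %s\nunsafe: %s (script tag: %s)\nsafe:   %s (script tag: %s)\n\n",
            $in,
            render_unsafe($in), contains_script_tag(render_unsafe($in)) ? 'yes' : 'no',
            render_safe($in),   contains_script_tag(render_safe($in))   ? 'yes' : 'no'
        );
    }
} else {
    // Served by a web server: send a CSP before any output so that inline script
    // cannot execute even if encoding is forgotten somewhere else on the page.
    header("Content-Security-Policy: default-src 'self'");
    echo render_safe($_GET['in'] ?? '');
}
```

Run it with `php example.php` to see that the encoded output turns `<script>` into `&lt;script&gt;`, which the browser renders as literal text instead of executing. `htmlspecialchars` is the right tool only for an HTML text or attribute context; a value placed inside a JavaScript block, a URL, or a CSS rule needs the encoding appropriate to that context instead.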