I am going through the WebGoat exercises, to refresh my knowledge of XSS attacks.
Specifically, I am doing the Stage 1 XSS exercise. This exercise has a form that deliberately does not sanitize input. The solution video shows using the JavaScript alert function to put out a message and the session cookie.
Stage 3 has a built in XSS code snippet, that upon viewing a profile will show the contents of document.cookie.
In any modern browser, all without any special addons, I cannot get this to execute. I can generate messages using JavaScript alert, but it never prints the contents of document.cookie
The tutorial on this page for get cookies shows that it is possible to print the contents of document.cookie in a JavaScript alert message.
What I would like to know is why I can't do the same in a very simple, deliberatly vulnerable to XSS web application. Is there some XSS detection in all modern browsers preventing this?
Aucun commentaire:
Enregistrer un commentaire