Set parameter value includes: "'<>()
- "'><script>alert('XSS');</script>
- Check every parameter.
- Don't output parameter value in the page directly.
Example
randinblogger.blogspot.com/?m="'><script>alert('XSS');</script>
IE/Edge only show # because XSS filter(X-XSS-Protection)
IE/Edge only show # because XSS filter(X-XSS-Protection)
No comments :
Post a Comment