Question

Please refer to my code below to simulate an XSS attack. Unfortunately it is not working. When I enter <script type="text/javascript">alert("Hacked")</script>, shouldn't a message box be thrown? It is not shown, though I can see it in unencoded form in the view source. It should be some small error, but I am not able to figure it out.

using System.Web.Mvc;

public class HomeController : Controller
{
    //
    // GET: /Home/

    public ActionResult Index()
    {
        ViewBag.Message = "Nothing entered";
        return View();
    }

    // POST: /Home/
    // ValidateInput(false) switches off ASP.NET request validation, so
    // markup such as <script> in the "Id" field is accepted by the action.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Index(string Id)
    {
        ViewBag.Message = Id;
        return View();
    }
}

And the view code is

@{
    ViewBag.Title = "Index";
}
<h2>Index</h2>
<form method="post">
<input type="text" name="Id" />
<input type="submit" name="submit" value="submit"/>
</form>
<h2>The Data you entered is</h2>
<h1>@Html.Raw(ViewBag.Message)</h1>

Solution

Now when I enter alert("Hacked"), shouldn't a message box be thrown?

No, of course not. alert("Hacked") is a JavaScript function, whereas you have Html.Raw inside an <h1> tag.

So you end up with the following markup:

<h1>alert("Hacked")</h1>

from which you cannot expect any message boxes to be thrown. If you want to throw something make sure you are hacking it right, i.e. by typing the following in your textbox:

<script>alert("Gotcha this time")</script>
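For contrast with the Html.Raw view in the question, here is an added example (not code from the question or the answer) showing what the browser receives from the raw view versus the default Razor syntax, which HTML-encodes output. It assumes that System.Net.WebUtility.HtmlEncode produces the same entity encoding Razor's @ syntax applies; the input string is constructed for the demo.

```csharp
using System;
using System.Net;

static class RenderDemo
{
    // Constructed sample input: the same payload the question submits.
    const string Input =
        "<script type=\"text/javascript\">alert(\"Hacked\")</script>";

    // Equivalent of <h1>@Html.Raw(ViewBag.Message)</h1>: the string is
    // emitted verbatim, so the browser parses it as markup and runs it.
    public static string RenderRaw(string message)
    {
        return "<h1>" + message + "</h1>";
    }

    // Equivalent of <h1>@ViewBag.Message</h1>: Razor HTML-encodes by
    // default (modelled here with WebUtility.HtmlEncode), so '<', '>' and
    // '"' become entities and the browser shows the text instead of
    // executing it.
    public static string RenderEncoded(string message)
    {
        return "<h1>" + WebUtility.HtmlEncode(message) + "</h1>";
    }

    static void Main()
    {
        Console.WriteLine("Html.Raw:      " + RenderRaw(Input));
        Console.WriteLine("Razor default: " + RenderEncoded(Input));

        // Check: the encoded form must no longer contain an opening tag.
        bool safe = !RenderEncoded(Input).Contains("<script");
        Console.WriteLine("Encoded output contains no <script tag: " + safe);
    }
}
```

Dropping Html.Raw (or the ValidateInput(false) attribute) in the original project is therefore the fix; Html.Raw should only wrap markup the application itself generated, never user input.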
Licensed under: CC-BY-SA with attribution