Project structure:
XSS.html
```python
from flask import Flask, render_template, request
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField

app = Flask(__name__)
app.config['SECRET_KEY'] = 'hard to guess string'


class InputForm(FlaskForm):
    string = StringField()
    sub = SubmitField('submit')


@app.route('/', methods=['GET', 'POST'])
def fontPage():
    info = InputForm()
    if request.method == 'POST':
        # The submitted value is passed to the template unchanged
        string = request.form['string']
        return render_template('show.html', string=string)
    return render_template('form.html', info=info)


if __name__ == '__main__':
    app.run()
```
form.html
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
</head>
<body>
    <form method="POST">
        {{info.string()}}
        {{info.sub()}}
    </form>
</body>
</html>
```
show.html
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Document</title>
</head>
<body>
    what you input is:
    {{string|safe}} <!-- Note: "|safe" here turns off Jinja2's auto-escaping -->
</body>
</html>
```
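Testing:
1. Run:
2. Enter the test script:
3. Submit to trigger the vulnerability:
A simple XSS vulnerability environment implemented in Python is now complete!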
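As an added example (not part of the original post), here is a small standard-library check that flags where a Jinja2 template turns off auto-escaping, which is the condition that makes show.html above vulnerable. The function names, the regex-based matching and the `fixed.html` sample are assumptions of this example; it does not parse Jinja2 fully.

```python
import re

# Jinja2 expression blocks: {{ ... }}
EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)
# A "|safe" filter anywhere in an expression's filter chain
SAFE_FILTER = re.compile(r"\|\s*safe\b")
# {% autoescape false %} switches escaping off for a whole region
AUTOESCAPE_OFF = re.compile(r"\{%-?\s*autoescape\s+false\s*-?%\}", re.I)


def _line_of(source, offset):
    """1-based line number of a character offset."""
    return source.count("\n", 0, offset) + 1


def audit_template(name, source):
    """Return (template, line, reason, snippet) for each spot where escaping is disabled."""
    findings = []
    for m in EXPR.finditer(source):
        if SAFE_FILTER.search(m.group(1)):
            findings.append((name, _line_of(source, m.start()),
                             "safe-filter", m.group(0).strip()))
    for m in AUTOESCAPE_OFF.finditer(source):
        findings.append((name, _line_of(source, m.start()),
                         "autoescape-off", m.group(0)))
    return sorted(findings, key=lambda f: f[1])


def audit_all(templates):
    """Audit a {name: source} mapping and return all findings."""
    return [f for name, src in templates.items()
            for f in audit_template(name, src)]


# Bodies of the two templates from this page.
SHOW_HTML = "<body>\nwhat you input is:\n{{string|safe}}\n</body>\n"
FORM_HTML = '<form method="POST">\n{{info.string()}}\n{{info.sub()}}\n</form>\n'
# Constructed sample: show.html with "|safe" removed, so Jinja2 escapes the value.
FIXED_HTML = "<body>\nwhat you input is:\n{{ string }}\n</body>\n"

if __name__ == "__main__":
    templates = {"show.html": SHOW_HTML, "form.html": FORM_HTML,
                 "fixed.html": FIXED_HTML}
    for name, line, reason, snippet in audit_all(templates):
        print(f"{name}:{line}: {reason}: {snippet}")
```

Only show.html is reported. Each finding is a place to confirm that the value can never contain user input, or to drop `|safe` so that Flask's default auto-escaping for `.html` templates applies.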