1. Description
xss-challenge (also written xsschange) is an XSS filter-bypass practice range with 20 levels; working through them is a way to practise bypassing XSS filters. Just place the files in the web root of your web server and browse to them.
Download link: xss-challenge
2. Walkthrough
level 1
Click the image to enter level 1. The value is passed via the GET method, and whatever is entered is echoed straight back into the page.
Try entering <script>alert(/xss/)</script>. Nothing is filtered, the payload fires, and the level is passed.
level 2
After entering the same payload, there is no pop-up.
Capturing the response shows that the < and > characters were converted into HTML entities (&lt; and &gt;). Encoding < and > as entities is the standard way to stop the browser from treating user input as HTML elements: the text is displayed on the page, but any tags inside it are never parsed, so the script does not run. In PHP this is what htmlspecialchars() does.
Looking at the page source, the input reflected in the heading has its < and > encoded.
But the input is reflected a second time, inside the value attribute of the search box, and there it is not encoded.
So we close the attribute and the input tag, then append a tag of our own:
"><script>alert(/xss/)</script>
The popup fires.
level 3
To see exactly which characters and keywords the program filters, we use a probe string that covers angle brackets, both kinds of quote, parentheses, the on* event prefix in both cases, href and javascript:
<SCR<script>IPT>:'"()OonNhrefjavascript
Enter it into the input box and check the page source: the angle brackets and double quotes are converted into entities, but the single quote is left alone. This matches htmlspecialchars() called with its default flags, which before PHP 8.1 encode " but not '.
The reflected value sits in a single-quoted attribute, so close it with a single quote and add an event handler:
' onfocus='alert(/xss/)
Clicking into the input box gives it focus, and the alert fires.
level 4
Enter the probe string, click search and view the source: this time the angle brackets are removed outright, but the double quote survives.
Close the value attribute with a double quote and add an event handler:
" onfocus="(alert(/xss/))
level 5
Enter the probe string, click search and view the source: the filter now inserts an underscore into the keywords script and on (scr_ipt, o_n), so the browser no longer recognises them. As I mentioned before, there are four basic ways to build an XSS payload: a <script> tag built from angle brackets, a javascript: pseudo-protocol in a URL attribute, an HTML event handler, and an SVG tag. The first needs the keyword script, and the third and fourth need the on prefix, both of which are broken here, so we use the pseudo-protocol.
First close the input tag, then add a link:
"> <a href="javascript:alert(/xss/)">touch me!</a>
level 6
Enter the probe string: href is now filtered too, on top of the previous level's filter, but the input is not case-normalised, so SCRIPT in upper case passes untouched.
Close the tag and use upper-case tags:
"><SCRIPT>alert(/xss/)</SCRIPT>
level 7
Enter the probe string and view the source: the keyword script is now deleted from the input. Because the deletion is done in a single pass, we close the input tag and write the keyword nested inside itself; removing the inner script leaves a complete outer one behind:
"><scscriptript>alert(/xss/)</scscriptript>
level 8
Enter the probe string:
<SCR<script>IPT>:'"()OonNhrefjavascript
Check the source: javascript is now broken up as well. The browser, however, strips ASCII tab and newline characters from a URL before it parses the scheme, so scattering the keyword with a control character defeats the filter while the URL still resolves to javascript:. There is a literal tab character between javascr and ipt:
javascr	ipt:alert(/xss/)
level 9
Enter the probe string and click to add a friendship link.
The page reports that our link is invalid.
Prefixing the input with http:// makes it accepted, so the check is presumably just whether the string http:// appears somewhere in the input. Submit the probe again with the prefix:
http://<scr<script>ipt>:'"()oonnhrefjavascript
Build the payload as in level 8 and put http:// inside the alert string, which satisfies the check without breaking the javascript: URL (again with a literal tab between javascr and ipt):
javascr	ipt:alert('http://')
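The keyword blacklists of levels 5 to 9 and the bypasses used against them (case change, nesting, a tab inside the keyword, and a URL that merely contains http://), modelled in Python as an added example. This is not the challenge's own PHP code; the keyword lists and probe strings are constructed here. It also shows the corresponding fixes: lowercasing before matching, deleting until the output stops changing, and allow-listing the URL scheme after removing the whitespace the browser's URL parser would remove.

```python
import re


def break_keyword(k: str) -> str:
    """Insert an underscore mid-keyword, the way levels 5-8 turn script into scr_ipt."""
    half = len(k) // 2
    return k[:half] + "_" + k[half:]


def filter_underscore(s: str, keywords, lowercase: bool = False) -> str:
    """Levels 5/6/8 style: a single pass that breaks each keyword with '_'.
    Without lowercase=True the match is case-sensitive (the level 6 weakness)."""
    if lowercase:
        s = s.lower()
    for k in keywords:
        s = s.replace(k, break_keyword(k))
    return s


def filter_remove(s: str, keywords) -> str:
    """Level 7 style: each keyword is deleted, but only in a single pass,
    so 'scscriptript' collapses to 'script'."""
    for k in keywords:
        s = s.replace(k, "")
    return s


def filter_remove_stable(s: str, keywords) -> str:
    """Fix for the double-write bypass: keep deleting until nothing changes."""
    prev = None
    while prev != s:
        prev = s
        s = filter_remove(s, keywords)
    return s


_URL_WS = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def browser_scheme(url: str):
    """The scheme the browser ends up with: the URL parser drops ASCII tab and
    newline anywhere in the input before reading the scheme, which is why
    'javascr<TAB>ipt:' still runs as javascript:. Returns None if there is no scheme."""
    m = _SCHEME.match(_URL_WS.sub("", url.strip()))
    return m.group(1).lower() if m else None


def naive_link_check(url: str) -> bool:
    """Level 9 style: accept the link if http:// appears anywhere in it."""
    return "http://" in url


def allowed_link(url: str) -> bool:
    """Hardened: allow-list the scheme the browser will actually use."""
    return browser_scheme(url) in ("http", "https")


if __name__ == "__main__":
    # Constructed probes mirroring the level 6-9 payloads above.
    print(filter_underscore("<SCRIPT>", ["script"]))                 # untouched: case bypass
    print(filter_underscore("<SCRIPT>", ["script"], lowercase=True))  # scr_ipt: fixed
    nested = "<scscriptript>alert(/xss/)</scscriptript>"
    print(filter_remove(nested, ["script"]))                           # <script>...: nesting bypass
    print(filter_remove_stable(nested, ["script"]))                    # <>alert(/xss/)</>: fixed
    link = "javascr\tipt:alert('http://')"
    print(browser_scheme(link), naive_link_check(link), allowed_link(link))
```

The general lesson the levels spell out one at a time: a keyword blacklist that does one case-sensitive pass over the raw string can be walked around by anyone who can see its output, and even the stable-removal fix only closes the nesting trick. Output encoding for the context (as in the level 2-4 notes) and a scheme allow-list for URLs are the checks that hold.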
level 10
Enter the probe string.
Looking at the source, our input appears in the h2 tag, and the filtering there cannot be bypassed. But there are several hidden form fields below it.
Pass a value to each of the three fields to see whether any of them is reflected:
?t_link=a&t_history=b&t_sort=c
Check the source: the third field, t_sort, is reflected.
Send the probe string through t_sort to see what is filtered there: the angle brackets are removed, but the double quote survives.
Close the value attribute, add an event handler, and override the type attribute so the field becomes a focusable button instead of a hidden input:
?t_sort=" onfocus="alert(/xss/)" type="button
This works because the injected type="button" is written before the field's original type="hidden": when an element carries the same attribute twice, the HTML parser keeps the first and discards the duplicate. Clicking the button focuses it and the alert fires.