xss-challenge: XSS filter bypass walkthrough

Table of Contents

1. Description

2. Walkthrough

level 1

level 2

level 3

Ultimate test code

level 4

level 5

level 6

level 7

level 8

level 9

level 10


1. Description

xss-challenge is an XSS filter-bypass practice range with 20 levels in total; working through them shows how common XSS filters can be bypassed. Just place the files in the web server's document root and access them as follows.

Download link: xss-challenge

2. Walkthrough

level 1

Click the picture to enter level 1. The value is passed via the GET method, and whatever is entered is echoed back into the page.

Entering <script>alert(/xss/)</script> works directly: nothing is filtered, and the level is passed.

level 2

After entering the same payload, no alert appears.

Capturing the request shows that the < and > signs were converted into HTML entities. Converting < and > into entities is a common way to stop the browser from treating them as HTML tags: when user input has to be displayed on the page, encoding it as entities prevents injected code from running. For details, see the htmlspecialchars() function.

Checking the source confirms that "<" (less than) and ">" (greater than) in the input are converted into HTML entities.

But the source also shows a second copy of our input, placed in the value attribute of the input element.

So we close the value attribute and the input tag, then append our own tag:

"><script>alert(/xss/)</script>

The alert pops up.

level 3

To find out more quickly which characters the program filters, we use a small test string: <SCR<script>IPT>:'"()OonNhrefjavascript

Ultimate test code

<SCR<script>IPT>:'"()OonNhrefjavascript

Entering it into the input box and checking the source shows that the program filters the angle brackets and double quotation marks.

But single quotation marks are not filtered, so we close the value attribute and add an event handler:

' onfocus='alert(/xss/)

When the input box is clicked and gains focus, the alert pops up.

level 4

Enter the ultimate test code, click search and view the source.

The angle brackets are removed outright.

Close the value attribute and add an event handler:

" onfocus="(alert(/xss/))

level 5

Enter the ultimate test code, click search and view the source: an underscore has been inserted into script and on. As I said before, there are four ways to construct an XSS payload: the first uses angle brackets to build a script tag, the second uses a pseudo-protocol, the third uses HTML events, and the fourth builds an svg tag. Since script and on are filtered here, the first method needs the script keyword and the third and fourth need the on keyword, so the pseudo-protocol method is used.

First close the input tag; the payload is constructed as follows:

"> <a href="javascript:alert(/xss/)">touch me!</a>

level 6

Enter the test code: href is now filtered in addition to the previous level's keywords, but there is no case normalization, so uppercase SCRIPT is not filtered.

Close the tag:

"><SCRIPT>alert(/xss/)</SCRIPT>

level 7

Enter the test code and view the source. As shown, the script keyword is deleted outright, so close the input tag and double up the keyword (scscriptript): a single deletion pass removes the inner script and leaves a complete script behind, bypassing the filter.

"><scscriptript>alert(/xss/)</scscriptript>

level 8

Enter the ultimate test code:

<SCR<script>IPT>:'"()OonNhrefjavascript

Checking the source shows that javascript is now broken up as well, so we insert a control character (a tab, encoded as &#9;) in the middle of javascript: the filter no longer matches the keyword, while the browser ignores the tab when it parses the URL scheme.

javascr&#9;ipt:alert(/xss/)

level 9

Enter the test code and click to add a link.

The page reports that our link is illegal.

We then prepend http:// and the link is accepted, so presumably the check only tests whether the input contains http://. Pass in:

http://<scr<script>ipt>:'"()oonnhrefjavascript

The final payload is constructed as follows:

javascr&#9;ipt:alert('http://')

level 10

Enter the test code.

Looking at the source, our input appears inside an h2 tag and the filtering there cannot be bypassed, but several hidden form fields appear below it.

We pass a value to each of those fields to see whether any is echoed:

?t_link=a&t_history=b&t_sort=c

Checking the source shows that the third field is echoed.

Enter the ultimate test code to see what the third field filters: the angle brackets are removed.

Close the value attribute, add an event handler, and set the type attribute to button so the hidden field becomes visible:

?t_sort=" onfocus="alert(/xss/)" type="button

Click the button and the alert pops up.


Origin blog.csdn.net/qq_44159028/article/details/114778067