XSS Challenge Journey Notes

I built the environment myself~~ So bold:


1. http://127.0.0.1:8024/xss/level1.php?name=test This is the URL. Since the name parameter is passed in the query string, I try XSS on it directly.

   There is no filtering whatsoever.

   payload: http://127.0.0.1:8024/xss/level1.php?name=<script>alert('xss')</script>


2. http://127.0.0.1:8024/xss/level2.php?keyword=test Change the parameter directly in the URL, as in the previous level.


   If that does not succeed, the only option is to look at the source code and see what filtering is done.


   It turns out the payload lands inside the value attribute, so construct the payload: " > <script>alert('xss')</script> id=" Use "> to close the preceding attribute and then add an empty id. Or use the payload: " > <script>alert('xss')</script> // with // added at the end to comment out the trailing double quote.

   Or use the payload: " onclick=alert(1) id=" and then click on the text box.


3. Typing the attempt directly into the text box does not succeed. Then look at the source code:


   Construct the payload directly: close the attribute with a single quote and use an on-event handler. Payload: ' onclick=alert(1) // Here < and > are filtered.


4. Inline attempt, failed. View the source code:


   It turns out that < and > are not HTML-escaped here. Construct the payload directly: " onclick=alert(1) //


   Or use the onmouseover event; payload: " onmouseover=alert(1) //


5. Inline attempt, failed. View the source code:


   Inside the double-quoted value, script is filtered into scr_ipt. Tried an on-event handler and found it is filtered too: on becomes o_n.

   So here the payload is built directly with the javascript: pseudo-protocol: " > <a href=javascript:alert(1)> //


6. Tried <script>; view the source code:


   Inside the double-quoted value, script is filtered into scr_ipt. Tried an on-event handler and found it is filtered too: on becomes o_n. Using the javascript: pseudo-protocol, href becomes hr_ef. src is filtered as well.

   Construct the payload to try a bypass with case variation. Payload: " Onclick=alert(1) //
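The levels above share one root cause: the input is dropped into a value="..." attribute and only a keyword blacklist stands in the way, so a quote closes the attribute and a case change slips past the list. The following is an added example (not code from the lab or the original post) that reconstructs such a blacklist as a hypothetical filter, checks the page's own payloads against it, and shows the context-aware fix: entity-encoding the value for the attribute context.

```python
import html

# Payloads quoted from the level write-ups above, used here only as test input.
PAYLOADS = [
    '" onclick=alert(1) id="',
    '" > <a href=javascript:alert(1)> //',
    '" Onclick=alert(1) //',
]

# Hypothetical reconstruction of the level 6 blacklist described in the text:
# case-sensitive replacement of a handful of keywords, nothing else.
BLACKLIST = (("script", "scr_ipt"), ("on", "o_n"), ("href", "hr_ef"), ("src", "s_rc"))


def blacklist_filter(value: str) -> str:
    """Mangle blacklisted keywords exactly as typed (case-sensitive)."""
    for word, mangled in BLACKLIST:
        value = value.replace(word, mangled)
    return value


def render_blacklist(value: str) -> str:
    """Vulnerable rendering: keyword blacklist, then raw interpolation."""
    return f'<input name="keyword" value="{blacklist_filter(value)}">'


def render_escaped(value: str) -> str:
    """Fixed rendering: entity-encode for the attribute context (quotes included),
    so the value can neither close the attribute nor start a tag."""
    return f'<input name="keyword" value="{html.escape(value, quote=True)}">'


def breaks_attribute_context(rendered: str) -> bool:
    """True if a raw double quote survived inside the interpolated value, i.e.
    the value terminates value="..." early and whatever follows becomes markup."""
    prefix, suffix = '<input name="keyword" value="', '">'
    body = rendered[len(prefix):-len(suffix)]
    return '"' in body


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:40} blacklist breaks out: {breaks_attribute_context(render_blacklist(p))!s:5} "
              f"escaped breaks out: {breaks_attribute_context(render_escaped(p))}")
```

Note that the blacklist never touches the double quote, so every payload breaks out even when a keyword is mangled; the escaped rendering keeps all three inert without needing a keyword list at all.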
