Level 1: the payload works as-is.
Levels 2, 3 and 4 are triggered directly by onclick, onmouseover and similar events.
" onclick=alert(1) //
OK, the problem is that the input box does not filter the sensitive characters " or ', so the code breaks out of the attribute.
Level 5
You can still break out, but the filter rewrites the keywords, so event handlers cannot be used.
The <script> tag is mangled as well.
Use a pseudo-protocol instead:
"> <iframe src=javascript:alert(1)> //
Or insert a link:
"> <a href=javascript:alert(1)>haha</a>//
This shows that the backend is doing a flawed regex match.
Since it is a pseudo-protocol, I tested whether %0d, %0a, %09 and %20 can still be executed inside the javascript: URL.
Conclusion: with double quotes after the equals sign they execute normally; %20, i.e. a space, cannot be executed.
That is, %0d, %0a and %09 can be executed anywhere as long as they are inside the double quotes.
"> <iframe src="javascript:alert(1)"> //
If it is triggered by an event such as onclick:
onclick="alert(1)", onclick="javascript:alert(1)" etc. If the three characters above are inserted here, it will not execute.
As for HTML entity encoding: whether triggered by an event or otherwise, entity-encoded content executes after the equals sign or between single or double quotes.
Level 6
Just capitalize href.
Level 7
Key characters are deleted.
Bypass by doubling (stacking) the keywords.
Level 8
This level is quite tough: < > " are all entity-encoded, so there is no breaking out.
But there is an href below, which takes a pseudo-protocol directly.
Nice, just add a round of entity encoding.
Or the three-character bypass I studied above.
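A defender-side check for the href/src tricks discussed under Level 5 and Level 8 (an added example, not part of the original write-up): a naive scheme filter of the kind these levels bypass, next to a hardened check that decodes character references and strips the tab/newline characters the URL parser ignores before comparing the scheme against an allow-list. The small named-entity table and the allow-list are assumptions of this example.

```javascript
// Added example, not from the original write-up. Naive filter (the kind the
// levels above bypass) next to a hardened URL-scheme check for href/src values.

// Naive check: rejects only the literal lowercase "javascript:" prefix, so
// capitalisation, tab/newline insertion and entity encoding all slip through.
function naiveIsSafeUrl(value) {
  return !value.startsWith("javascript:");
}

// Decode the character references a browser applies to attribute values:
// numeric &#NN; / &#xHH; plus a small named table (assumption: enough for the
// demo; a real implementation uses a full HTML entity decoder).
const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                colon: ":", tab: "\t", newline: "\n" };
function decodeAttribute(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isNaN(cp) || cp > 0x10ffff ? match : String.fromCodePoint(cp);
    }
    return NAMED[body.toLowerCase()] ?? match;
  });
}

// Hardened check, mirroring what the URL parser does before it reads the
// scheme: decode entities, trim leading C0 controls/space, drop tab/LF/CR
// (%09/%0a/%0d) anywhere, then compare the scheme case-insensitively against
// an allow-list. A plain space (%20) is not dropped, matching the observation
// above that %20 breaks the pseudo-protocol.
const ALLOWED_SCHEMES = ["http", "https", "mailto"]; // assumption: site policy
function hardenedIsSafeUrl(value) {
  const s = decodeAttribute(value)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return true;                     // no scheme: relative URL
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}
```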
Level 9
There is a WAF, and the first point cannot break out.
Hard to explain: only http:// is whitelisted. Is https:// illegal???
Just write the payload and be sure to add the comment //.
Level 10
For hidden input boxes, you can build the parameters yourself from the front-end source code.
poc:
t_link= " onclick=alert(1) > //&t_history= " onclick=alert(1) > //&t_sort= " onclick=alert(1)%20 type="text" //
Level 11
Very interesting: the next parameter is the Referer.
Go to the jump point from level 10, modify the Referer, and perform Referer injection.
" onclick=alert(1) type="text"> //
Level 12:
It is obviously UA injection; just capture the packet and modify it.
Level 13:
Just change the cookie; in practice it is reflected directly.
Level 15:
Entering from level 14, there is the src parameter.
The xss path was deleted.
ng-include means including an external HTML file.
Include level 1.
As for other online write-ups saying that <> is entity-escaped in the source code, I found this actually has nothing to do with tags: <> in the source code is escaped regardless of the tag. <script> cannot be parsed, but <img> can. I think it is related to how ng-include works.
Level 16:
Replace spaces with %0d or %0a, because spaces are entity-escaped.
Level 17 and Level 18:
Nothing special: src is followed by event triggering, similar to <input>.
Need to switch to Google Chrome.
I’ll write about the last two levels later.