An XSS test experience

The XSS test procedure against a note's input box went as follows:

Escaping of closing characters

As shown below, the double quote can be closed (it is not encoded), but the tag's closing bracket is entity-encoded and the input is displayed inside the input tag, so the XSS has to be constructed within the input tag itself.

Payloads that form XSS inside an input tag look like this:

<input onmouseover="alert(1)"/><input onclick="alert(1)"/><input onfocus="alert(1)"/>

After entering the payloads above, I found they were filtered out; the result is shown below:

Fuzzing

1. Double write

When trying a double-write bypass, I found that the letters in "Onmouseover=" and "onmouseover=" were cleared directly, but the double quote was not cleared, so I guessed the filter is a regular expression that matches the letters.


2. Fuzzing special symbols

Continuing to test with special symbols, I found that for "as+onmouseover=a" only a single "a" was left after removal, while for "as+aonmouseover=a" the output "asa" was kept: the content before and after the removed part is joined together directly.


3. Double write again

I tried the double write again; it was still cleared.

This time there were two possible explanations:

1) A looping filter: the filter runs in a loop, and only content that no longer carries any risk is passed on to the next processing step.

2) Several filters: not a loop, just the same filtering operation written by hand and applied two or more times.

4. Triple write

Entering a triple write successfully bypassed the filter and produced the output I wanted, "onmouseover=" (so the filter was probably just written twice).

5. Writing the complete payload

"o+aon+aonmouseover=mouseover=nmouseover="alert`1`

At first I entered alert(1), but it was filtered out, so I chose alert`1` instead.

6. Updating the trigger

A payload built this way still needs a click to trigger, so I then tweaked the trigger: using the "onfocus=" attribute together with "autofocus", focus is given automatically and the XSS fires without user interaction.

"autofocus+onf+aonf+ aonfocus=ocus=ocus="alert`1`" a="


Suggested fixes

1. Filter dangerous method names with a looping filter, repeating until nothing more is removed.

2. Or filter the double quotes.
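To show why a fixed number of stripping passes fails against the nested writes described above, and how the two suggested fixes behave, here is an added Python model (not code from the original post; the regex, the rendering functions and the test-vector builder are assumptions modelled on what the post describes):

```python
import html
import re

# Assumed model of the blog's filter: a case-insensitive regex that deletes
# event-handler names (the post mentions onmouseover, onclick and onfocus).
DANGEROUS = re.compile(r"on(?:mouseover|click|focus)", re.IGNORECASE)

def strip_once(value: str) -> str:
    """One pass of the name-stripping filter."""
    return DANGEROUS.sub("", value)

def strip_fixed_passes(value: str, passes: int = 2) -> str:
    """Behaviour the post infers: the same filter applied a fixed number of times."""
    for _ in range(passes):
        value = strip_once(value)
    return value

def strip_to_fixpoint(value: str) -> str:
    """Suggested fix 1: keep filtering until a pass removes nothing."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped

def nest_write(token: str, depth: int) -> str:
    """Constructed test vector: depth 2 is the post's double write, depth 3 the triple write."""
    head, tail = token[:2], token[2:]
    value = token
    for _ in range(depth - 1):
        value = head + value + tail
    return value

def render_as_on_page(value: str) -> str:
    """Rendering the post describes: < and > are entity-encoded, but the double quote is not."""
    return '<input value="' + value.replace("<", "&lt;").replace(">", "&gt;") + '"/>'

def render_fixed(value: str) -> str:
    """Suggested fix 2: encode double quotes so the value can never close the attribute."""
    return '<input value="' + html.escape(value, quote=True) + '"/>'

def attribute_is_intact(rendered: str) -> bool:
    """Constructed check: the tag still has exactly one attribute, i.e. nothing escaped value="..."."""
    return re.fullmatch(r'<input value="[^"]*"/>', rendered) is not None
```

Two passes clear the double write but leave one handler name behind for the triple write, while the fixpoint loop clears it; encoding the quote makes the stripping irrelevant, since the value can no longer leave the attribute.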


Source: www.cnblogs.com/gendan5/p/11505316.html