XSS challenge (1-5) more detailed answers
2022-06-30 14:17:00 【Huaxi GG】
There is already plenty written online about how to solve the XSS challenge range, but I would rather write my own version, if only as a note for myself.
LEVEL 1
Finding an XSS vulnerability works the same way as finding any other vulnerability: locate the input interface, find a place where you can enter data, and build a payload for it.
The first level obviously takes its data from a GET parameter in the URL.
So build xxxx/leval1.php?name= and the window pops up.
LEVEL 2
Trying alert(/xss/) produces no pop-up.
Press F12 and locate the form: the data arrived intact, but nothing pops up.
So the suspicion is that sensitive characters have been escaped.
Capture the request and take a look.
The two angle brackets <> have clearly been escaped,
and the escaping is done with the htmlspecialchars() function.
Here is another line of thought: the form data is obviously retained after the redirect, so the retained form data is another route to getting JS executed.
The back-end source is as follows; you can see that the input echoed in the "Can't find XXXX" message is the data processed by htmlspecialchars().
First build "> to close the input tag:
">
After the redirect the window pops up.
LEVEL 3
The input data is processed here too, and the first idea is to follow the approach from level 2.
It turns out the form contents are also escaped by htmlspecialchars().
Testing showed that double quotes are escaped, while single quotes are left alone.
So build the payload ' onclick=alert(/xss/)%0a to bypass it (> is filtered, so a %0a line break is used to get around it; note that the data has to be written in the URL).
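Why level 3 behaves as described (double quotes escaped, single quotes not) comes down to the flags passed to htmlspecialchars(). The following is an added example, not the lab's code: a Python imitation of the PHP function's ENT_COMPAT and ENT_QUOTES behaviour, a single-quoted attribute sink assumed to resemble the level-3 template, and a check with the standard HTML parser for whether an event-handler attribute shows up in the rendered markup.

```python
from html.parser import HTMLParser


def htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """Mimic PHP htmlspecialchars(). Before PHP 8.1 the default flags
    (ENT_COMPAT) escape & < > and the double quote only; ENT_QUOTES also
    escapes the single quote, and PHP 8.1 made that the default."""
    out = (s.replace("&", "&amp;").replace("<", "&lt;")
            .replace(">", "&gt;").replace('"', "&quot;"))
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def render_sink(keyword: str, ent_quotes: bool = False) -> str:
    """Assumed template for the level-3 sink: the escaped keyword is
    reflected inside a single-quoted attribute value."""
    return "<input name=keyword value='%s'>" % htmlspecialchars(keyword, ent_quotes)


class AttrCollector(HTMLParser):
    """Collect every start tag with its attributes as the parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    p = AttrCollector()
    p.feed(markup)
    p.close()
    return p.tags


def event_handler_attrs(markup: str):
    """Names of on* attributes a browser would see; a non-empty result
    means the reflected input broke out of the attribute context."""
    return [(tag, name) for tag, attrs in parse_tags(markup)
            for name in attrs if name.startswith("on")]


if __name__ == "__main__":
    # Constructed sample: the level-3 style input that closes the single-quoted value.
    payload = "' onclick=alert(/xss/)"
    for flag in (False, True):
        markup = render_sink(payload, ent_quotes=flag)
        print("ENT_QUOTES=%-5s %s -> handlers: %s"
              % (flag, markup, event_handler_attrs(markup)))
```

With ENT_QUOTES the same input stays a plain attribute value, which is the fix for this class of bug regardless of which quote character the template uses.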
LEVEL 5
A quick test shows that the script field is modified, and the onclick string is modified as well, so try to bypass it.
Use the payload '><iframe src="javascript:alert(/xss/)> (javascript: is a pseudo-protocol that lets JS code be embedded in HTML; there are other pseudo-protocols as well, look them up).