Environment building

1、 Range address
2、 Small leather panel
3、windows machine
4、 Decompress the package , Put it in www Under the table of contents , Then visit

The experimental steps

The first level

Just type it directly ：<script>alert('xss')</script>

The second level

"> <script>alert('xss')</script><" Close the front and close the back 

The third level

Use the popup statement above , Found to be escaped

Take out the function , It is found that the double quotation marks have been annotated as "

<input name="keyword" value="&quot;><script>alert(&quot;xss&quot;)</script><&quot;">

It is found that double quotation marks have been escaped , We try to use single quotation marks to bypass , however < It was escaped again , I really did

 Input parameters ：'><script>alert('xss')</script><'
 Page parameters ：<input name="keyword" value="" &gt;&lt;script&gt;alert('xss')&lt;="" script&gt;&lt;''="">

Check the source code and find a strange parameter

Let's see what he means , The discovery is the escape function
htmlspecialchars

Change the parameter ,' onclick="alert('xxs') ', It means that when the user clicks the box, a window pops up

It turns single quotation marks into double quotation marks, which is exactly what we need , Change it poc' onclick='alert(/xxs/) '

too ！

Of course , You can also use another event to bypass ：'onmouseover='alert(/ Pop up when the mouse hovers /)', Similarly, replace single quotation marks with slashes ！

When testing, it is recommended to set up a local environment , Only local people can pop up , The shooting range can pop up

The fourth level

Apply the above code , I can't find it

f12 Check , It is found that the front and back ends are double quotation marks , Let's try changing single quotation marks into double quotation marks

" οnclick="alert(/xxs/) "

After clicking the box , Pass the test successfully

The fifth level

Old rules , laurels

It's strange here , Why is the first letter escaped , Fuzzy test tried .

Look at the source code , The hard core matched here

 Because of laziness ,<script> and on I won't use the function at the beginning , ha-ha 

I use a Try the label

"><a href=javascript:alert(1)>

Click the bracket after , Straight through ！

The sixth level

Old rules , laurels

"><a href=javascript:alert(1)>

there href It's translated into hr_ef, Use case to bypass

Look at the source code , There are two more matching items

First come here. , Later update