A simple reflective XSS operation and idea

Hello everyone , I meet you again , I'm your friend, Quan Jun .

xss It's similar yeah html Code injection , Splicing malicious code to obtain cookie etc.

There are three types , They are reflective 、 Storage and dom type Reflection type is not stored in the database , Have an impact on yourself The storage type is stored in the database , It has an impact on visitors

1. Enter the range and see the input box , Insert js label Enter... In the input box ：< script>alert（1）</ script > Click on the search

Statement not executed , Instead, it is searched as text , This is clearly not what we want to see , spot f12 View reasons Then click on the sentence we want to see , Right click edit as html Look at the code

Obviously here Label symbol <> The filtered 2. Figure out how to bypass the filter execution xss You can try to execute with events xss,alert() The input box triggers a pop-up window sentence ：alert(1) The statement here also does not execute

Look at the code , There are double quotation marks

3. Closed double quotes sentence ：”alert(1)//

Double quotes are filtered

4. Use a symbol instead of double quotes to close Try closing with single quotation marks , Because sometimes ,html For operability, some automatic completion will be carried out sentence ：”alert(1)//

Statement executed successfully , Pop up window flag

Publisher ： Full stack programmer stack length , Reprint please indicate the source ：https://javaforall.cn/132883.html Link to the original text ：https://javaforall.cn