
How does the XSS quiz work?

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article walks through how the XSS quiz is carried out, covering each level's restriction and the input that gets past it.

Restrictions: none, so the payload can be used directly.

alert(/xss/)

Restrictions: only CSS can be used. HTML tags are not allowed.

The CSS expression feature can be used to construct XSS, but it only works in IE, so the following test should be performed in IE6.

body {black;xss:expression(alert(/xss/)); /* Test under IE6 */}

Restrictions: HTML is escaped and the Image tag is available.

The characters entered in the test are inserted into the src address, so a pseudo-protocol can be used to bypass the escaping.

Direct input:

alert(/xss/)

Alternatively, an event handler can be used to bypass it; just take care to close the surrounding statement, as follows:

1" onerror=alert(/xss/); var a="1

Restrictions: keyword filtering is used.

I tested it: most keywords are filtered, but some are not. script and onerror are filtered, but onclick is not, so the onclick event can be used to bypass the filter.

Restrictions: special characters are escaped using addslashes.

In other words, the XSS statement cannot contain single quotation marks, double quotation marks or other such special characters.

Using

alert(/xss/)

directly bypasses this restriction.

Or use the String.fromCharCode method, as follows:

eval(String.fromCharCode)
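A defensive counterpart to the levels above, as an added example that is not part of the original article: it shows why addslashes leaves alert(/xss/) untouched, and how an allowlist on the URL scheme plus attribute escaping closes the img src cases. The function names, the sample inputs and the JavaScript approximation of PHP's addslashes are assumptions made for illustration.

```javascript
// Added example, not code from the article. All function names are hypothetical.

// Rough equivalent of PHP addslashes(): backslash-escapes ' " \ and NUL.
// It does nothing to a payload that contains none of those characters.
function addslashes(s) {
  return s.replace(/[\\'"]/g, "\\$&").replace(/\0/g, "\\0");
}

// HTML-escape for text and quoted-attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Allowlist check for a value destined for <img src>: only absolute
// http(s) URLs pass, so pseudo-protocols and attribute fragments are rejected.
function safeImgSrc(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href; // normalized form; quotes and spaces are percent-encoded
}

// Validate the scheme first, then escape for the quoted attribute.
function renderImg(input) {
  const src = safeImgSrc(input);
  if (src === null) return "";
  return '<img src="' + escapeHtml(src) + '">';
}

// Constructed sample inputs modelled on the payload shapes in the article.
const samples = [
  "https://example.com/a.png",
  "javascript:alert(/xss/)",
  '1" onerror=alert(/xss/); var a="1',
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(renderImg(s)));
}
console.log(addslashes("alert(/xss/)")); // unchanged: no quotes to escape
```

The keyword-filter level fails for the same reason as addslashes: both try to enumerate bad input, whereas the allowlist and context-specific escaping above constrain what the output can contain.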
