First, JS front-end verification
This article builds on the previous one and modifies form.html:
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta http-equiv="X-UA-Compatible" content="ie=edge">
        <title>Document</title>

    </head>
    <body>
        <!-- onsubmit runs check() in the browser; returning false cancels the submit -->
        <form method="POST" onsubmit="return check(this)">
            {{ info.string() }}
            {{ info.sub() }}
        </form>
        <script>
            // Client-side only: compares the "string" field against a blacklist.
            function check(f) {
                var str = f.string.value;
                var c = new Array('script', '<', '>', 'input', 'img');
                for (var i = 0; i < c.length; i++) {
                    if (str.indexOf(c[i]) != -1) {
                        alert("there are sensitive characters:" + c[i]);
                        return false;
                    }
                }
                return true;
            }
        </script>
    </body>
    </html>
This is a simple comparison against a list of sensitive strings: if the input contains any of them, the form is not submitted.
If you enter a sensitive string, you are prompted:
Next, the front-end validation bypass is shown:
1. Configure the Burp Suite proxy, with Burp Suite bound to local port 1234 for listening:
Configure Firefox to send all of its traffic through the proxy at 127.0.0.1:1234:
2. Intercept and modify HTTP requests
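Change the final STRING=HELLO+FROM+XSS to the following (note that there must be backslashes or quotation marks on either side, otherwise it does not work):
This bypasses the front-end verification and triggers the JS code, because the check runs only in the browser and the request was modified after it had already passed.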
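Since a request edited in the proxy never passes through check(), the same rule has to be enforced where the request is received, and the value has to be HTML-escaped when it is written back into a page. The following is an added example, not code from the original article: it assumes a Node.js server, the names findBlocked, escapeHtml and handleSubmit are hypothetical, and only the `string` field name comes from the page's form.

```javascript
// Added example (assumption: Node.js on the server; helper names are hypothetical).
// Same blacklist as the page's check(f), now applied to the received request body.
const BLOCKED = ['script', '<', '>', 'input', 'img'];

// Returns the first blacklisted token found in value, or null if none.
function findBlocked(value) {
  const lower = value.toLowerCase();
  return BLOCKED.find((token) => lower.includes(token)) || null;
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Output encoding: the value is always treated as text, never as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// rawBody is the application/x-www-form-urlencoded body of the form's POST.
// The check runs on what actually arrived, not on what the browser form allowed.
function handleSubmit(rawBody) {
  const value = new URLSearchParams(rawBody).get('string') ?? '';
  const hit = findBlocked(value);
  if (hit !== null) {
    return { status: 400, body: 'rejected: contains ' + escapeHtml(hit) };
  }
  return { status: 200, body: '<p>' + escapeHtml(value) + '</p>' };
}

// Constructed sample bodies (not captured traffic).
const samples = [
  'string=hello+from+xss',         // what the unmodified form sends
  'string=%3Cb%3Ehi%3C%2Fb%3E',    // markup added after the browser check
  'string=a%22b',                  // quote passes the blacklist, escaped on output
];
for (const body of samples) {
  console.log(body, '->', JSON.stringify(handleSubmit(body)));
}
```

The blacklist is kept here only to mirror the page's rule; the escaping step is what keeps a value that passes the list from being interpreted as markup.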