JS front-end verification and bypass

First, JS front-end verification

This article, based on the previous article, modified the form.html

1 <!DOCTYPE HTML>2 <HTMLLang= "en">3 <Head>4     <MetaCharSet= "UTF-8">5     <Metaname= "Viewport"content= "Width=device-width, initial-scale=1.0">6     <Metahttp-equiv= "X-ua-compatible"content= "Ie=edge">7     <title>Document</title>8     9 </Head>Ten <Body> One     <formMethod= "POST"onsubmit= "return check (this)"> A {{info.string ()}} - {{info.sub ()}} -     </form> the     <Script> -         functionCheck (f) { -             varStr=F.string.value; -             varC=NewArray ('Script','<','>','input','img'); +              for(varI=0; I<C.length;i++){ -                 if(Str.indexof (c[i])!=-1){ + Alert ("there are sensitive characters:"+c[i]); A                     return false; at                 } -             } -             return true; -         } -     </Script> - </Body> in </HTML>

is a simple contrast of sensitive characters that stop submitting a form if there are sensitive characters.

If you enter a sensitive string, you are prompted:

Next, the front end validation bypass is shown:

1. Configure the Brup suit agent, brupt suit bound to the local port 1234th for monitoring:

Configure Firefox to give all of its traffic to the 127.0.0.1:1234 agent:

2. Intercept and modify HTTP requests

Change the last STRING=HELLO+FROM+XSS to the following (note that there are backslashes or quotation marks on either side, otherwise you do not):

This bypasses the front-end verification, triggering the JS code.

JS front-end verification and bypass