First Article: http://www.bkjia.com/Article/201205/131109.html is the foundation of xss. Now let's take a look at the xss practice:
First:TakeWww. B2B .cnPerform the test.
- Test and search with labeled characters"/<'You can check whether any search word is displayed on the webpage, that is, Echo.
- If yes, you can view the source code of the web page, which will show whether the object character is as is. Entity character is& # HexadecimalFormat.
If it is not an object, you can use XSS.
- Search "/<', http://search. B2B .cn/product? K = % 22% 2f % 3c % 27:
You can see that the title is also displayed, and you can see the source code: it is not an entity character, there is XSS!
At the same time, a simple"</Title>, Http://search. B2B .cn/product? K = % 22% 3C/title % 3E search garbled:
Directly run the code www.2cto.com <script> alert ('rc ') </script>,Http://search. B2B .cn/product? K = % 3 cscript % 3 ealert (% 27RC % 27) % 3c % 2 fscript % 3e
- Now, the xss test on this site is complete.
- Note 1: alert () is only a demonstration. You can use window. open () in actual practice.
- Note 2: The above xss is non-persistent xss, that is, the constructed data will not enter the server database, local one-time, but this is serious enough, such as putting B2B such a big site, it is easy for me to connect to Trojans and obtain cookies.
Author random _ from tianma xingkong Forum
