Baidu Zhidao (Baidu Knows) XSS Vulnerability (fixed)

Source: Internet
Author: User

This vulnerability was discovered in the evening and fixed at around PM.

It started when I noticed a strange question on Baidu Zhidao whose body contained a link (here). Normally that should be impossible.

That immediately made me think of an XSS vulnerability. Out of curiosity, I decided to dig into it.

Looking at the page source, I found the root cause right away: an unclosed <a> tag. The question body was rendered as <pre class="line q-content mt-10" accuse="qContent">Help me write an excerpt <a href="http://"hyperlink expression enclosed in quotation marks (only the http prefix is needed. Thank you.</pre>. The tag is never closed, so the text that follows href="http://" is parsed as part of it.


My guess was that I could inject an <a> tag myself, so I tried submitting <a href="">a</a>. The result was what I expected: it was filtered out.


What if the tag is left incomplete? Still no good: it gets escaped.


Let's look more closely. Why did the tag in the original question survive while the ones I wrote were filtered? The difference between the original and my second attempt is that the URL in the href attribute of the <a> tag I submitted the second time was complete, whereas the original one was just http://.

So far I can roughly guess how the vulnerability is triggered: an incomplete tag + href="http://".

Now that we know how to trigger it, let's see what it can do. Since the tag is retained, we can work with its attributes. Meanwhile my classmate was already trying the style attribute.

style="color: red" changes the font color.


At this point I couldn't resist going one step further with a div that covers the whole page: <div style="background-color: blue; color: red; font-size: 64px; font-weight: bold; width: 1024px; height: 1024px; position: fixed; left: 0; top: 0;" onclick="alert(1);" href="http://"Ha</pre>

Rendered like this, the fixed-position div hides the page completely, and an onclick event handler is attached to it.


Okay. At this point, someone with bad intentions who kept going could launch a large-scale XSS attack across the whole Baidu Zhidao site. I wanted to report the vulnerability to Baidu Zhidao's backend developers, but I couldn't find a reporting channel anywhere on the Zhidao pages. There is a feedback area, but it is just a forum post, and I suspect my report there would simply be taken for a crank.


Finally, my guess at the cause. It is really just a logic error. As far as this discussion goes, the Baidu Zhidao backend applies two filters: the first wraps URLs in <a> tags, the second encodes HTML special characters as entities. The problem is that Baidu Zhidao does not HTML-encode first; it processes URLs first, and when URL processing fails, the HTML encoding fails along with it.
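The filter ordering described above, modelled as an added example that is not Baidu's code and not from the original post: a URL auto-linker followed by HTML entity encoding, in the failure-prone order the post infers, beside an ordering that encodes every segment first. The function names, the URL regex, and the use of the WHATWG URL parser (which rejects a bare http:// because it has no host) are my assumptions about how such a filter might be built; both sample bodies are constructed, the second being the page-covering payload from the post.

```javascript
// Added example, not Baidu's code: a model of the two-filter pipeline the post
// infers (URL auto-linking, then HTML entity encoding) with the assumed failure
// mode, beside a hardened ordering. All names here are my own.

const URL_RE = /https?:\/\/[^\s"'<>]*/g;

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Split a question body into plain-text segments and candidate URLs.
function* segments(body) {
  let last = 0;
  for (const m of body.matchAll(URL_RE)) {
    if (m.index > last) yield { url: false, text: body.slice(last, m.index) };
    yield { url: true, text: m[0] };
    last = m.index + m[0].length;
  }
  if (last < body.length) yield { url: false, text: body.slice(last) };
}

// Vulnerable ordering (assumed): URL handling runs first, and a bare "http://"
// makes new URL() throw because it has no host. The single catch gives up on
// the whole pass, so the raw body, markup included, is what reaches the page.
function renderVulnerable(body) {
  try {
    let html = "";
    for (const seg of segments(body)) {
      html += seg.url
        ? `<a href="${new URL(seg.text).href}">${seg.text}</a>`
        : escapeHtml(seg.text);
    }
    return html;
  } catch (err) {
    return body; // the logic error: a failure in filter 1 silently disables filter 2
  }
}

// Hardened ordering: every segment is entity-encoded no matter what, and a URL
// that fails to parse is treated as plain text instead of aborting the pass.
function renderHardened(body) {
  let html = "";
  for (const seg of segments(body)) {
    if (!seg.url) {
      html += escapeHtml(seg.text);
      continue;
    }
    let href = null;
    try {
      href = new URL(seg.text).href;
    } catch (err) {
      href = null;
    }
    html += href === null
      ? escapeHtml(seg.text)
      : `<a href="${escapeHtml(href)}">${escapeHtml(seg.text)}</a>`;
  }
  return html;
}

// Constructed inputs: an ordinary body with a real link, and the post's
// page-covering payload (unclosed tag plus href="http://").
const BENIGN_BODY = "see http://example.com/faq for details";
const PAYLOAD_BODY =
  '<div style="position: fixed; left: 0; top: 0; width: 1024px; height: 1024px; background-color: blue;" onclick="alert(1);" href="http://';

function demo() {
  return {
    vulnerable: renderVulnerable(PAYLOAD_BODY),
    hardened: renderHardened(PAYLOAD_BODY),
  };
}

console.log(demo());
```

Run it with node: the vulnerable function hands the payload back untouched (the div, its style and its onclick all reach the page), while the hardened one emits nothing but entity-encoded text and still links the ordinary URL. The point is not only the order of the two steps; a failure in the linking step must never be allowed to skip the encoding step.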
