http://www.xssor.cn/sa

Here Baidu uses Ajax to perform a series of operations, such as checking whether the URL is a duplicate and whether the submission succeeded. The Ajax response comes back in JSON format; the script that mainly processes the returned result is itemadd.js.

Returned response:
    {
        resultNo: "Duplicate url",
        resultBool: false,
        resultNum: 30005,
        userLogin: "1",
        itemId: "026aec1d90a1e9e5ea1182a1"
    }
If we only analyze the HTML page, we cannot find any place where our JS is executed, yet our small alert box still pops up. This is a typical DOM XSS.

The reason lies in itemadd.js:
    function checkForm() {
        var f = document.fadd, oit = f.it, oiu = f.iu, odc = f.dc, otn = f.tn, vst = 0;
        if (f.st.checked == true)
            vst = 1;
        if (chek_submit(oit, oiu, odc, otn)) {
            var vit = oit.value, viu = oiu.value, vdc = odc.value, vtn = otn.value, url = '/do/cm';
            var p_pars = 'iu=' + encode(viu) + '&st=' + encode(vst) + '&dc=' + encode(vdc) + '&it=' + encode(vit) + '&tn=' + encode(vtn);
            var pars = 'ct=5&' + p_pars;

            new Ajax.Request(url, {
                method: 'post',
                parameters: pars,
                onComplete: function (xmlHttp) {
                    // The raw response body is wrapped in parentheses and handed to eval():
                    // the server's reply is executed as JavaScript rather than parsed as data.
                    var jsonResults = '(' + xmlHttp.responseText + ')';
                    var retno = eval(jsonResults);
                    if (parseInt(retno.userLogin) == 0) {
                        if (nw == true)
                            location.href = "http://passport.baidu.com/?login&tpl=fa1&next_target=_blank&skip_OK=1&u=" + checkUrl(location.href, 1800);
                        else
                            location.href = "http://passport.baidu.com/?login&tpl=fa&skip_OK=1&u=" + checkUrl(location.href, 1800);
                        return;
                    }

                    var retTxt = retno.resultNo;
                    var resultNum = retno.resultNum;

                    if (retTxt == "Duplicate url") {
                        var itemId = retno.itemId;

                        if (confirm("The url is repeated. Is it overwritten?")) {
                            new Ajax.Request(url, {
                                method: 'post',
                                // ... (the listing is cut off here in the original page)
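The sink in the listing above is `eval('(' + responseText + ')')`: any byte the server echoes into the response body is executed as JavaScript, not read as data. The following added example (not Baidu's itemadd.js, and not captured from the service) puts the page's eval pattern side by side with a `JSON.parse` replacement and runs both over two constructed responses: one shaped like the JSON shown above, and one in which a field value has been replaced by a JavaScript expression. The field names and the `itemId` value are taken from the page; `sideEffects`, `classify` and `demo` are names introduced here for illustration.

```javascript
// Added example: eval()-based response handling (the page's pattern) versus
// JSON.parse(). Not part of itemadd.js; responses below are constructed.

let sideEffects = 0; // bumped only if code embedded in a response actually runs

// The pattern from itemadd.js: wrap the body in parentheses and eval it.
// Anything syntactically valid as JavaScript gets executed in the page.
function parseWithEval(responseText) {
  return eval('(' + responseText + ')');
}

// Hardened replacement: JSON.parse accepts only the JSON grammar and never
// evaluates expressions, so a tampered body is rejected instead of executed.
function parseSafely(responseText) {
  return JSON.parse(responseText);
}

// Mirrors the decision branches of checkForm()'s onComplete handler:
// userLogin of 0 -> redirect to login; resultNo "Duplicate url" -> ask to overwrite.
function classify(retno) {
  if (parseInt(retno.userLogin, 10) === 0) return 'login-redirect';
  if (retno.resultNo === 'Duplicate url') return 'confirm-overwrite:' + retno.itemId;
  return 'ok';
}

// Constructed response shaped like the one shown on the page (strict JSON).
const BENIGN =
  '{"resultNo":"Duplicate url","resultBool":false,"resultNum":30005,' +
  '"userLogin":"1","itemId":"026aec1d90a1e9e5ea1182a1"}';

// Constructed response where resultNo is a JS expression, not a string literal.
// Valid JavaScript object literal, invalid JSON.
const TAMPERED =
  '{"resultNo":(sideEffects++, "Duplicate url"),"resultBool":false,' +
  '"resultNum":30005,"userLogin":"1","itemId":"026aec1d90a1e9e5ea1182a1"}';

// Runs one response through both parsers and reports what happened.
function demo(responseText) {
  const result = { evalRan: false, jsonParseRejected: false, action: null };
  const before = sideEffects;
  parseWithEval(responseText);            // the page's sink
  result.evalRan = sideEffects !== before; // did embedded code execute?
  try {
    result.action = classify(parseSafely(responseText));
  } catch (e) {
    result.jsonParseRejected = e instanceof SyntaxError;
  }
  return result;
}

console.log(demo(BENIGN));   // evalRan: false, jsonParseRejected: false, action set
console.log(demo(TAMPERED)); // evalRan: true,  jsonParseRejected: true,  action: null
```

For the benign body both parsers agree and `classify` reaches the "Duplicate url" branch; for the tampered body `eval` silently runs the embedded expression while `JSON.parse` throws a `SyntaxError`, which is exactly the difference a code review of `itemadd.js` should flag. On the server side the complementary fix is to JSON-escape every echoed value, so that a string field can never close its own quotes.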