Street network is not your official website: stored XSS in a section can get user cookies

Source: Internet
Author: User

In the past, the official website provided by the street network is not yours. Several sections of the street network official website were also found, but there are restrictions. If you can break through the official website, submit it again. I saw all the vulnerabilities on the street network. They are all XSS, domineering! Here I will add one more...

Details:

1. Baidu is not your official website, you can see that it is the street network domain name. (Figure 1)
2. Select the discussion area. (Figure 2)
3. Post a post, insert a picture in it, click Edit, and capture packets. (Figure 3)
4. Modify the post data structure to carry the XSS code. (Figure 4)
5. The space here will be automatically parsed, so do not add spaces during the construction. (Figure 5)
6. Use F12 to check whether the data has been successfully inserted. (In fact, you need to check whether the data can be inserted and whether the data has been filtered.) (Figure 6)
7. Code copied to the external txt file (do not directly read the file here for a newbie. Copy the file as HTML as it is parsed, 7. It looks like a normal post. Click it to find it. (Figure 8)
9.


END
1. Test the address; check the address and then delete it: http://fnms.dajie.com/fnms/discuss/topic/162281/detail
2. The malicious code after it is constructed.
3. A domineering figure is provided.

Currently, all nine vulnerabilities in street network are XSS! I am used to seeing the vulnerabilities of the vendor before digging a website. We hope that the street network can pay attention to security. 100% of the XSS vulnerabilities can be explained.

Solution:

Filter
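
One way to implement the "Filter" solution on the server side, as an added example that is not part of the original report or the site's own code: parse the post body and rebuild it from an allowlist, so the result does not depend on how the input was spaced. The tag policy and the names `safe_url`, `PostSanitizer` and `sanitize_post` are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for a forum post body: a few formatting tags plus images.
ALLOWED_TAGS = {"p": set(), "br": set(), "b": set(), "i": set(),
                "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}

def safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, etc."""
    parts = urlsplit((value or "").strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped; their text is kept, escaped
        kept = [(k, v or "") for k, v in attrs if k in ALLOWED_TAGS[tag]]
        if tag == "img":
            kept = [(k, v) for k, v in kept if k != "src" or safe_url(v)]
            if not any(k == "src" for k, _ in kept):
                return  # no acceptable src: drop the whole image
        rendered = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_post(html_body):
    parser = PostSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)
```

Run the sanitizer on every create and edit request before the body is stored, and mark the session cookie `HttpOnly` so that a filter miss does not expose it to script.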
