1. Append the following test strings, one at a time, to the input parameter. Taking the first as an example, enter http://www.example.com/page.xxx?name=<script>alert(123456)</script>. If any one of them makes an alert box showing 123456 pop up, a cross-site scripting vulnerability exists: log the vulnerability and stop the test.

2. If no alert box showing 123456 appears, right-click the returned page and select View Source.

3. Search the page source for the full string <script>alert(123456)</script>. If it is found, a cross-site scripting vulnerability exists regardless of whether the 123456 alert box popped up.

4. Some HTML elements (such as <textarea> or ") affect whether the script executes, so the 123456 alert box will not necessarily pop up. Go back to the content of the returned page source and construct the input value to match it, for example:

   </textarea><script>alert(123456)</script>
   '><script>alert(123456)</script>
   "><script>alert(123456)</script>
   </title><script>alert(123456)</script>
   --><script>alert(123456)</script>
   [img]javascript:alert(123456)[/img]
   <scrip<script>t>alert(123456)</scrip</script>t>
   </div><script>alert(123456)</script>
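What the step 3 source check reports for the step 4 values under different server-side handling, as an added example that is not part of the original procedure: a constructed page is rendered raw, with a single-pass script-tag filter, and with HTML output encoding. The template, the function names and the filter are assumptions made for illustration.

```python
import html
import re

MARKER = "<script>alert(123456)</script>"

# The test values listed in step 4 of the procedure.
TEST_VALUES = [
    "</textarea>" + MARKER,
    "'>" + MARKER,
    '">' + MARKER,
    "</title>" + MARKER,
    "-->" + MARKER,
    "[img]javascript:alert(123456)[/img]",
    "<scrip<script>t>alert(123456)</scrip</script>t>",
    "</div>" + MARKER,
]

# Constructed template: the parameter lands in a title, a comment,
# a quoted attribute, a textarea and a div (the contexts step 4 names).
TEMPLATE = (
    "<html><head><title>{v}</title></head><body><!-- name={v} -->"
    '<input value="{v}"><textarea>{v}</textarea><div>{v}</div></body></html>'
)

def render_raw(name):
    """Vulnerable: the parameter is written into the page unchanged."""
    return TEMPLATE.format(v=name)

def render_blacklist(name):
    """Flawed fix: delete script tags in one pass; nested tags reassemble."""
    return TEMPLATE.format(v=re.sub(r"</?script>", "", name, flags=re.I))

def render_encoded(name):
    """Hardened: HTML-encode for element and quoted-attribute contexts."""
    # The [img] value targets a URL context; encoding does not check URL
    # schemes, so BBCode-to-HTML converters need their own scheme allowlist.
    return TEMPLATE.format(v=html.escape(name, quote=True))

def reflected(page):
    """Step 3: does the full test string appear unmodified in the source?"""
    return MARKER in page

def count_reflected(render):
    """Number of step 4 values whose response passes the step 3 check."""
    return sum(reflected(render(v)) for v in TEST_VALUES)

if __name__ == "__main__":
    for render in (render_raw, render_blacklist, render_encoded):
        print(render.__name__, count_reflected(render), "of", len(TEST_VALUES))
```

The blacklist renderer still fails the check for the `<scrip<script>t>` value because deleting the inner tags leaves the outer fragments joined into a complete script element; the encoded renderer returns no unmodified test string for any value.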