You can insert 140 characters of code! You only need to change the letter case of the tag to bypass detection!
The first link address in the code will be altered! If you write two messages, you can still achieve the effect!
The vulnerable page is the personal homepage of the hacker! On the personal homepage, you can insert 140 characters of code! However, the detection is very strict. There is a status in the sidebar of the homepage where you can post anything, much like a casual comment!
The XSS vulnerability exists here. The checks applied to inserted characters on the status page can be bypassed by changing the letter case. You can also insert 140 characters! Although an <a> tag will be added to the first link, the <a> tag can be bypassed by anyone reasonably competent in HTML!
The status in the status bar is displayed on the personal homepage. If it is XSS code, it will also be executed!
The submitted code is displayed inside a <q> </q> tag. Because this tag has no effect on the code I wrote, I did not close it!
When I insert a line like this: <iframe src = "http://www.baidu"/>
This will be replaced by a forward slash.
<Iframe src = "" <a target = '_ blank' href = 'HTTP: // www.baidu.com '> Http: // www.baidu.com </a> "/>
We found that it added an <a> tag where we wrote the link, so our iframe could not load Baidu's page normally!
But we can write it like this. Don't forget we can write 140 characters!
<IfRAmE Src = "<a target = '_ blank' href = 'HTTP: // www.baidu.com '> Http: // www.baidu.com </a> "Height =" 1px "width =" 1px "> s </ifRAmE> <ifRAmE Src =" Http: // www.baidu.com "height =" 200px "width =" 200px ">
Inserting a piece of code like this will only break our first link address. So that the first tag does not affect the code that follows, we close the first one and then write our code after it!
In fact, the first part could be written a little shorter. This is how I did it before, so I copied it directly!
Suppose we write the code for calling external JS after the </iframe> tag, or change the iframe address to the address where we hung up! In addition, cat Flutter links can be opened as a secure website when clicked in QQ and YY!
The harm can be imagined!
PS: After the code is inserted, everyone has their own homepage address and can copy it to others!
Solution:
In fact, the filtering of status posts on their personal homepage is already very good!
However, there is almost no difficulty in switching to another topic and posting an article with XSS!
You can also copy the detection and processing code over from there!
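The case bypass and the link rewriting described above, as an added example that is not part of the original write-up and is not the site's code: a hypothetical case-sensitive blacklist (naiveFilter) beside a renderer that escapes the status first and only then auto-links it. All function names and the sample input are assumptions constructed for illustration.

```javascript
// Added example: hypothetical reconstruction, not the site's actual filter.
const MAX_LEN = 140; // status length limit stated in the write-up

// Constructed sample input following the mixed-case pattern shown above.
const SAMPLE = '<IfRAmE Src="http://www.baidu.com" height="200px" width="200px">';

// Weak form: a case-sensitive blacklist. It strips "<iframe" and "<script"
// but leaves "<IfRAmE" untouched, which is the bypass the write-up describes.
function naiveFilter(input) {
  return input.replace(/<\/?(iframe|script)[^>]*>/g, "");
}

// Escape every HTML metacharacter so the status can only ever render as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: truncate, escape, then auto-link on the already-escaped text.
// The URL pattern stops at '&', so it cannot run into an escaped quote and the
// matched URL is safe to place inside href. Trade-off: URLs with '&' in the
// query string are linked only up to the first '&'.
function renderStatus(input) {
  const safe = escapeHtml(input.slice(0, MAX_LEN));
  const linked = safe.replace(/https?:\/\/[^\s<>"'&]+/gi, (url) =>
    `<a target="_blank" rel="noopener noreferrer" href="${url}">${url}</a>`);
  return `<q>${linked}</q>`; // the <q> wrapper is always closed by the server
}

console.log("naive filter output :", naiveFilter(SAMPLE));
console.log("escaped and linked  :", renderStatus(SAMPLE));
```

Because escaping happens before linking, tag case no longer matters: no user-supplied `<` reaches the page, and the only markup in the output is the `<q>` and `<a>` that the server itself generates.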