Level 1
Observing carefully while modifying the value of the name parameter, we find that the value of name is displayed on the page, along with the character length of that value. The injection point is inside the <h2> tag:
<h2></h2>
So let's try to trigger a popup.
<script>alert('xss')</script>
A popup will appear.
Reflected XSS
Level 2
Level 2 also takes its input through GET parameters.
Looking at the source code, the content of the search box is submitted to level2.php with the GET method. After server-side processing, the parameter's value is inserted into the <h2> tag and also placed in the value attribute of the input.
Entering the malicious code results in an error.
Looking at the page source, the malicious code inside the <h2> tag has been encoded.
Looking at the server-side source code,
<h2 align=center>没有找到和<script>alert('xss')</script>相关的结果.</h2><center>
<input name=keyword value="<script>alert('xss')</script>">
It is found that the htmlspecialchars function is used to process the keyword parameter.
Based on this observation, the JavaScript lands inside a tag attribute, so we need a way to execute it from within the attribute value.
To do that, we can break out of the quotes and close the tag.
Payload: "><script>alert('xss')</script>//
<input name=keyword value=""><script>alert('xss')</script>//
Level 3
The method above does not work here.
Looking at the page source, both the malicious code in the <h2> tag and the one in value are now encoded, which indicates that both places are processed with the htmlspecialchars() function.
<h2 align=center>没有找到和"><script>alert('xss')</script>//相关的结果.</h2><center>
<input name=keyword value='"><script>alert('xss')</script>//'>
Therefore, consider the particular behaviour of the onfocus event.
Payload: 'onfocus=javascript:alert('xss') > //
<input name=keyword value=''onfocus=javascript:alert('xss') >'>
I don't quite understand this; let's see how it is explained online.
The simplest example is an input box on a web page. When the input box is clicked with the mouse, it is selected and text can be entered; at that moment the input box gains focus and its onfocus event fires. Therefore, clicking the input box on the current page triggers the popup.
Less 4
Let's try something simple.
<h2 align=center>没有找到和<script>alert('xss')</script>相关的结果.</h2><center>
<input name=keyword value="scriptalert('xss')/script">
The <h2> tag is encoded, and in value the characters '<' and '>' are removed.
Trying the method from Less 3 doesn't work either.
On closer inspection, the difference between Less 3 and Less 4 lies in the single quotes (') versus double quotes (") used after value=.
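To make the Level 2, Level 3 and Less 4 difference concrete, here is an added example (my own code, not from the lab or the xss-labs project): a Python model of PHP's htmlspecialchars() quote handling, plus a check for whether the escaped input can still close the value attribute. It assumes the lab ran on PHP before 8.1, whose default flags (ENT_COMPAT) leave single quotes unencoded; PHP 8.1 changed the default to include ENT_QUOTES.

```python
# Added example: model of PHP htmlspecialchars() quote handling.
# Assumption: PHP < 8.1, where the default flags are ENT_COMPAT (no single-quote
# encoding). "none" models the unescaped value attribute seen in Level 2.

def htmlspecialchars(value: str, mode: str = "compat") -> str:
    """Model of PHP htmlspecialchars().
    mode="none"   : no escaping at all (the value attribute in Level 2)
    mode="compat" : ENT_COMPAT, encodes & < > and " but NOT '  (Level 3)
    mode="quotes" : ENT_QUOTES, additionally encodes '       (the fix)
    """
    if mode == "none":
        return value
    out = (value.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))
    if mode == "quotes":
        out = out.replace("'", "&#039;")
    return out


def render_input(keyword: str, quote: str, mode: str = "compat") -> str:
    """Build the <input> tag the way the lab pages do, with the value
    attribute wrapped in `quote` (a double quote in Level 2/4, single in 3)."""
    return f"<input name=keyword value={quote}{htmlspecialchars(keyword, mode)}{quote}>"


def value_stays_in_attribute(tag: str, quote: str) -> bool:
    """Defender's check: after escaping, the only occurrences of the attribute
    delimiter must be the two the template wrote; otherwise the input was able
    to close the attribute and start a new one (such as onfocus=)."""
    return tag.count(quote) == 2


# Constructed inputs: the payloads quoted in the write-up for Levels 2 and 3.
LEVEL2_PAYLOAD = "\"><script>alert('xss')</script>//"
LEVEL3_PAYLOAD = "'onfocus=javascript:alert('xss') > //"

if __name__ == "__main__":
    # Level 2: value attribute not escaped -> the double quote closes it
    print(value_stays_in_attribute(render_input(LEVEL2_PAYLOAD, '"', "none"), '"'))    # False
    # Level 3: ENT_COMPAT inside single quotes -> ' still closes the attribute
    print(value_stays_in_attribute(render_input(LEVEL3_PAYLOAD, "'", "compat"), "'"))  # False
    # Same template with ENT_QUOTES -> both quote styles are neutralised
    print(value_stays_in_attribute(render_input(LEVEL3_PAYLOAD, "'", "quotes"), "'"))  # True
```

The quote-count check is a heuristic for this one template, not a general sanitizer; the real fix is encoding with ENT_QUOTES (or always using double-quoted attributes with ENT_COMPAT).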