Medium 级别存储型 XSS 演示(附链接)

简介: Medium 级别存储型 XSS 演示(附链接)

环境准备


测试

打开页面

输入正常值观察

一样的,用户名做了长度限制

更改后输入 HTML 标签语句测试


一样没有做过滤,接下来试试 JS 恶意代码

发现只剩下了 alert(/xss/),过滤掉了  关键字

再输入  测试</div><div style="text-align: center;"><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_f2b9f229077c4acc81c2fed1de5b6834.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div>发现咱们的猜测没错,可以试试双写或者大小写混淆</div><div><br /></div><div>关键字采用大小写混淆</div><div><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_e84d6a17e5fa401dba7f4950faccb9b4.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div><br /></div><div>成功</div><div style="text-align: center;"><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_dea9d762f11d48998e5f5f272825dcbb.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div> 双写被过滤的标签</div><div style="text-align: center;"><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_be91ad0bde084a4a914ad4463582f7a5.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div><br /></div><div>成功 </div><div><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_891072a190f94daba2c8a09cc011607f.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div><br /></div></div>

相关文章
|
6月前
|
JavaScript
High 级别 DOM 型 XSS 演示(附链接)
High 级别 DOM 型 XSS 演示(附链接)
|
6月前
|
存储 JavaScript 前端开发
High 级别存储型 XSS 演示(附链接)
High 级别存储型 XSS 演示(附链接)
|
6月前
|
存储 前端开发 JavaScript
Low 级别存储型 XSS 演示(附链接)
Low 级别存储型 XSS 演示(附链接)
|
6月前
|
JavaScript
Medium 级别 DOM 型 XSS 演示(附链接)
Medium 级别 DOM 型 XSS 演示(附链接)
|
6月前
|
JavaScript
Low 级别 DOM 型 XSS 演示(附链接)
Low 级别 DOM 型 XSS 演示(附链接)
|
6月前
|
JavaScript 前端开发
High 级别反射型 XSS 演示(附链接)
High 级别反射型 XSS 演示(附链接)
|
4月前
|
存储 安全 JavaScript
手摸手带你进行XSS攻击与防御
当谈到网络安全和信息安全时,跨站脚本攻击(XSS)是一个不可忽视的威胁。现在大家使用邮箱进行用户认证比较多,如果黑客利用XSS攻陷了用户的邮箱,拿到了cookie那么就可以冒充你进行收发邮件,那真就太可怕了,通过邮箱验证进行其他各种网站的登录与高危操作。 那么今天,本文将带大家深入了解XSS攻击与对应的防御措施。
|
3天前
|
安全 前端开发 Java
Web安全进阶:XSS与CSRF攻击防御策略深度解析
【10月更文挑战第26天】Web安全是现代软件开发的重要领域,本文深入探讨了XSS和CSRF两种常见攻击的原理及防御策略。针对XSS,介绍了输入验证与转义、使用CSP、WAF、HTTP-only Cookie和代码审查等方法。对于CSRF,提出了启用CSRF保护、设置CSRF Token、使用HTTPS、二次验证和用户教育等措施。通过这些策略,开发者可以构建更安全的Web应用。
20 4
|
2天前
|
安全 Go PHP
Web安全进阶:XSS与CSRF攻击防御策略深度解析
【10月更文挑战第27天】本文深入解析了Web安全中的XSS和CSRF攻击防御策略。针对XSS,介绍了输入验证与净化、内容安全策略(CSP)和HTTP头部安全配置;针对CSRF,提出了使用CSRF令牌、验证HTTP请求头、限制同源策略和双重提交Cookie等方法,帮助开发者有效保护网站和用户数据安全。
12 2
|
4天前
|
存储 安全 Go
Web安全基础:防范XSS与CSRF攻击的方法
【10月更文挑战第25天】Web安全是互联网应用开发中的重要环节。本文通过具体案例分析了跨站脚本攻击(XSS)和跨站请求伪造(CSRF)的原理及防范方法,包括服务器端数据过滤、使用Content Security Policy (CSP)、添加CSRF令牌等措施,帮助开发者构建更安全的Web应用。
23 3