环境准备
测试
打开页面
输入正常值观察
一样的,用户名做了长度限制
更改后输入 HTML 标签语句测试
一样没有做过滤,接下来试试 JS 恶意代码
发现只剩下了 alert(/xss/),过滤掉了 关键字
再输入 测试</div><div style="text-align: center;"><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_f2b9f229077c4acc81c2fed1de5b6834.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div>发现咱们的猜测没错,可以试试双写或者大小写混淆</div><div><br /></div><div>关键字采用大小写混淆</div><div><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_e84d6a17e5fa401dba7f4950faccb9b4.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div><br /></div><div>成功</div><div style="text-align: center;"><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_dea9d762f11d48998e5f5f272825dcbb.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div> 双写被过滤的标签</div><div style="text-align: center;"><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_be91ad0bde084a4a914ad4463582f7a5.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div><br /></div><div>成功 </div><div><span data-card-type="inline" data-ready-card="image" data-card-value="data:%7B%22src%22%3A%22https%3A%2F%2Fucc.alicdn.com%2Fpic%2Fdeveloper-ecology%2Fvzmvmwcrnweq2_891072a190f94daba2c8a09cc011607f.png%22%2C%22originWidth%22%3A1920%2C%22originHeight%22%3A1080%2C%22size%22%3A0%2C%22display%22%3A%22inline%22%2C%22align%22%3A%22left%22%2C%22linkTarget%22%3A%22_blank%22%2C%22status%22%3A%22done%22%2C%22style%22%3A%22none%22%2C%22search%22%3A%22%22%2C%22margin%22%3A%7B%22top%22%3Afalse%2C%22bottom%22%3Afalse%7D%2C%22width%22%3A1200%2C%22height%22%3A675%7D"></span></div><div><br /></div></div>
