你可能需要html,css,javascript,正则表达式的知识,没有的赶紧学吧
之前在合天也做了一点实验总结什么的
跨站脚本攻击基础
XSS进阶一
XSS进阶二
XSS进阶三
challenge 0
/**
 * Challenge 0 ("warmup"): embeds the caller-supplied string directly in an
 * inline script that logs it.
 *
 * No encoding of any kind is applied: every character of `s` (quotes,
 * parentheses, angle brackets, ...) is spliced verbatim into both a
 * JavaScript string literal and an HTML <script> element.
 *
 * @param {string} s - untrusted text
 * @returns {string} the <script> markup with `s` inserted unchanged
 */
function escape(s) {
  // Warmup.
  return `<script>console.log("${s}");</script>`;
}
没有任何过滤,闭合双引号和括号就行");alert(1);("
");alert(1);//
challenge 1
/**
 * Challenge 1: the same inline-script embedding as challenge 0, except that
 * every double quote in `s` is first rewritten as `\"`.
 *
 * Only the `"` character is touched; backslashes, `<`, `>` and everything
 * else pass through unchanged, and the result is still placed inside an HTML
 * <script> element without any HTML-aware encoding.
 *
 * @param {string} s - untrusted text
 * @returns {string} the <script> markup
 */
function escape(s) {
  // Escaping scheme courtesy of Adobe Systems, Inc.
  // '\\"' is a two-character replacement: one backslash followed by a quote.
  const quoted = s.replaceAll('"', '\\"');
  return `<script>console.log("${quoted}");</script>`;
}
可以看到这里使用了正则匹配, g 是全局模式, 就是找到第一个后继续向后找, 直到找完, 将双引号替换为 \" (代码中的 \\ 第一个 \ 对第二个 \ 进行转义)
challenge 2
/**
 * Challenge 2: serialises `s` with JSON.stringify before embedding it in an
 * inline script.
 *
 * JSON.stringify wraps the value in double quotes and backslash-escapes `"`,
 * `\` and control characters. It does not touch `<` or `>`, so the resulting
 * literal is still written into an HTML <script> context without any
 * HTML-aware encoding.
 *
 * @param {string} s - untrusted text
 * @returns {string} the <script> markup containing the JSON literal
 */
function escape(s) {
  const literal = JSON.stringify(s);
  return `<script>console.log(${literal});</script>`;
}
challenge 3
/**
 * Challenge 3: builds a `javascript:` URL from the JSON-serialised input,
 * attaches it to a freshly created <a> element and clicks it.
 *
 * Side effects only: logs the URL, appends the anchor to document.body and
 * triggers its click handler. Nothing is returned. As in challenge 2,
 * JSON.stringify handles quotes and backslashes but the string then travels
 * through URL/`javascript:` scheme handling, which is not a JSON context.
 *
 * @param {string} s - untrusted text
 * @returns {undefined}
 */
function escape(s) {
  const url = `javascript:console.log(${JSON.stringify(s)})`;
  console.log(url);
  const anchor = document.createElement('a');
  anchor.href = url;
  document.body.appendChild(anchor);
  anchor.click();
}
这里将我们的输入构造成 url
challenge 4
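/**
 * Challenge 4: a tiny wiki-style formatter.
 *
 * 1. `<` is replaced by `&lt;` everywhere, but `"` is replaced by `&quot;`
 *    only for its FIRST occurrence (string pattern, no /g flag) - this is the
 *    "typo" that challenge 5's comment refers to.
 * 2. Anything matching http://... up to the next whitespace becomes a link.
 * 3. `[[name|Description]]` becomes an <img> tag.
 *
 * NOTE(review): the listing on this page read `.replace(/</g, '<')` and
 * `.replace('"', '"')`, which are no-ops; the HTML entities were evidently
 * decoded when the page was rendered and are restored here. Steps 2 and 3
 * still copy the captured substrings into attribute values with no further
 * escaping.
 *
 * @param {string} s - untrusted text
 * @returns {string} the formatted HTML fragment
 */
function escape(s) {
  // Only the first double quote is encoded (string pattern => single replacement).
  let text = s.replace(/</g, '&lt;').replace('"', '&quot;');
  // URLs
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');
  return text;
}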
首先要看懂正则表达式,赶紧学去吧
challenge 5
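/**
 * Challenge 5: the challenge 4 formatter with the quote replacement fixed to
 * apply globally.
 *
 * 1. `<` becomes `&lt;` and every `"` becomes `&quot;`.
 * 2. Anything matching http://... up to the next whitespace becomes a link.
 * 3. `[[name|Description]]` becomes an <img> tag.
 *
 * NOTE(review): the listing on this page read `.replace(/</g, '<')` and
 * `.replace(/"/g, '"')`, which are no-ops; the HTML entities were evidently
 * decoded when the page was rendered and are restored here. Steps 2 and 3
 * still copy the captured substrings into attribute values with no further
 * escaping.
 *
 * @param {string} s - untrusted text
 * @returns {string} the formatted HTML fragment
 */
function escape(s) {
  // Level 4 had a typo, thanks Alok.
  // If your solution for 4 still works here, you can go back and get more points on level 4 now.
  let text = s.replace(/</g, '&lt;').replace(/"/g, '&quot;');
  // URLs
  text = text.replace(/(http:\/\/\S+)/g, '<a href="$1">$1</a>');
  // [[img123|Description]]
  text = text.replace(/\[\[(\w+)\|(.+?)\]\]/g, '<img alt="$2" src="$1.gif">');
  return text;
}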
可以看到双引号的替换改成了 g 模式
challenge 6
/**
 * Challenge 6: dispatches to a `document.create*` method chosen by the input.
 *
 * The input is split on `#`; the first part selects the method (e.g.
 * "TextNode" -> document.createTextNode) and the remaining parts are passed
 * to it as arguments. The created node is appended to a scratch <div> and
 * that div's serialised innerHTML is returned. Note that the method name is
 * taken straight from the input - there is no allowlist of permitted
 * `create*` methods.
 *
 * @param {string} s - "MethodSuffix#arg1#arg2..."
 * @returns {string} innerHTML of the scratch container
 */
function escape(s) {
  // Slightly too lazy to make two input fields.
  // Pass in something like "TextNode#foo"
  const [suffix, ...args] = s.split('#');
  // Only slightly contrived at this point.
  const container = document.createElement('div');
  container.appendChild(document[`create${suffix}`](...args));
  return container.innerHTML;
}
首先, 输入以 # 分隔
challenge 7
/**
 * Challenge 7: a JSONP-style responder.
 *
 * The input is split on `#`: the first part is the callback name, the
 * second is user data. The callback name must match /^[a-zA-Z\[\]']*$/
 * (ASCII letters, square brackets and single quotes only; note the pattern
 * also accepts the empty string) or 'Invalid callback' is returned. The user
 * data is wrapped in `{"userdata": ...}` via JSON.stringify and every `<` in
 * the serialised JSON is then rewritten as the literal six characters
 * `\u003c`, so the script body cannot be closed by the data part. Any parts
 * after the second are ignored; a missing second part yields `{}`.
 *
 * @param {string} s - "callback#userdata"
 * @returns {string} the <script> markup, or 'Invalid callback'
 */
function escape(s) {
  // Pass inn "callback#userdata"
  const [callback, userdata] = s.split('#');
  if (!/^[a-zA-Z\[\]']*$/.test(callback)) return 'Invalid callback';
  // '\\u003c' is the literal text \u003c, which a JSON/JS parser reads back as '<'.
  const json = JSON.stringify({ userdata }).replace(/</g, '\\u003c');
  return `<script>${callback}(${json})</script>`;
}
JSON.stringify(obj) 会转义双引号, .replace(/</g, '\\u003c') 会将 "<" 转换为 unicode 编码 \u003c