1.Non-persistent XSS
便携a.php
<?php
$input = $_GET[“param”];
echo “<div>”.$input.”</div>”;
?>
访问 https://www.moneyslow.com/a.php?param=<script>alert(/xss/)</script>
2.DOM XSS
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″>
<script type=”text/javascript”>
function changeLink()
{
var str = document.getElementById(“text”).value;
document.getElementById(“t”).innerHTML=”<a href='”+str+”‘ >testlink</a>”;
}
</script>
</head>
<div id=”t”></div>
<input type=”text” id=”text” value=”” />
<input type=”button” id=”s” value=”write” onclick=”changeLink()” />
</html>
测试输入 ‘ onclick=alert(/xss) //