moneyslow.com

xss

1. Non-persistent XSS

Write a.php:

<?php
$input = $_GET["param"];
// The query parameter is echoed into the page verbatim, with no output
// encoding, so a value containing markup is reflected as markup.
echo "<div>".$input."</div>";
?>

Visit https://www.moneyslow.com/a.php?param=<script>alert(/xss/)</script>

2. DOM XSS

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script type="text/javascript">
function changeLink()
{
var str = document.getElementById("text").value;
// The text-box value is concatenated straight into an attribute and written
// with innerHTML; nothing is encoded, which is the DOM XSS sink.
document.getElementById("t").innerHTML="<a href='"+str+"' >testlink</a>";
}
</script>
</head>
<body>
<div id="t"></div>
<input type="text" id="text" value="" />
<input type="button" id="s" value="write" onclick="changeLink()" />
</body>
</html>

Test input: ' onclick=alert(/xss/) //
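The fix for both cases above is the same idea: encode data for the context it is written into, and for an href also restrict what counts as an acceptable URL, because encoding alone does not stop an attacker-chosen URL scheme. The block below is an added example, not code from the original post; escapeHtml() is the JavaScript equivalent of PHP's htmlspecialchars($input, ENT_QUOTES, 'UTF-8') for a.php, renderLink()/changeLinkSafe() are the safe counterparts of changeLink(), and sanitizeUrl() is an assumed helper name. It runs under Node, with the payloads from this page embedded as test input.

```javascript
// Added example (not from the original post): output encoding and URL
// allow-listing that close the two holes shown above.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Encode a string for the HTML text and double-quoted attribute contexts
// (same characters as PHP htmlspecialchars with ENT_QUOTES).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe version of a.php's echo: the reflected value can no longer open a tag.
function renderDiv(input) {
  return '<div>' + escapeHtml(input) + '</div>';
}

// For an href, encoding is not enough: the value must also be a URL we are
// willing to navigate to. Allow only http(s) absolute URLs and same-site
// relative paths (not protocol-relative "//host"); anything else becomes a
// harmless placeholder. sanitizeUrl is an assumed helper name.
function sanitizeUrl(str) {
  const s = String(str).trim();
  if (/^https?:\/\//i.test(s)) return s;
  if (s === '/' || /^\/[^/\\]/.test(s)) return s;
  return 'about:blank';
}

// Safe version of changeLink()'s markup: the attribute is double-quoted, its
// value is encoded, and the URL was allow-listed, so the page's test input
// cannot close the attribute or add an onclick handler.
function renderLink(str) {
  return '<a href="' + escapeHtml(sanitizeUrl(str)) + '">testlink</a>';
}

// Browser-side replacement for changeLink(): build the element with DOM APIs
// instead of innerHTML, so no HTML parsing of user data happens at all.
function changeLinkSafe(doc) {
  const str = doc.getElementById('text').value;
  const a = doc.createElement('a');
  a.setAttribute('href', sanitizeUrl(str));
  a.textContent = 'testlink';
  doc.getElementById('t').replaceChildren(a);
}

// Constructed inputs: the two payloads from this page and one benign URL.
console.log(renderDiv('<script>alert(/xss/)</script>'));
console.log(renderLink("' onclick=alert(/xss/) //"));
console.log(renderLink('https://example.com/?a=1&b="x"'));
```

In the PHP case the one-line change is `echo "<div>".htmlspecialchars($input, ENT_QUOTES, 'UTF-8')."</div>";`. In the browser case prefer changeLinkSafe(), which never hands user data to the HTML parser; renderLink() is shown so the encoded attribute form can be compared directly with the original string concatenation.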
