I haven't posted for a few days because my blog was attacked. Today I will post my notes on levels 4-6 of the XSS game.
Level 4
As with the first few levels, I first tried <script>alert(1)</script>. The title is escaped, but inside the input tag the angle brackets are simply removed. This shows that there may be filtering.
Looking at the source code, there is indeed a filter here, as I suspected. We can still use events to trigger the pop-up, which avoids angle brackets entirely, just as in level 3.
One thing to note is that the value is wrapped in double quotes, not single quotes as in level 3. So you need a double quote to close the attribute, construct the corresponding payload, and then use a comment to comment out the trailing double quote.
Level 5
When I test with <script>alert(1)</script>, script becomes scr_ipt, that is, an underscore is inserted. This limits our use of events and tags.
I then tried on, and it was split into o_n, which prevents us from using events to trigger pop-ups.
Looking at the source code, it turns out that it filters <script and on.
We have already seen this pattern, so here we use the a tag to get around the blacklist.
Level 6
Similarly, <script> and on in the input get an underscore inserted. When I opened the source code I found that href, data, and src are altered as well.
However, we can still try other bypass methods. Capital letters are used here, because the filter only matches lowercase.
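Why these filters fail and what fixes them, as an added example (not code from the game or from the original post): the filters are modelled on the behaviour described above, and the field name, the underscore positions for src/data/href, and the harmless data-probe attribute are assumptions made for the demonstration.

```python
import html
from html.parser import HTMLParser

def level4_filter(s):
    # Level 4 as described: angle brackets removed, quotes untouched.
    return s.replace("<", "").replace(">", "")

def level6_filter(s):
    # Levels 5-6 as described: case-sensitive blacklist that inserts an
    # underscore. Underscore positions for src/data/href are assumed.
    for bad, repl in (("<script", "<scr_ipt"), ("on", "o_n"),
                      ("src", "sr_c"), ("data", "da_ta"), ("href", "hr_ef")):
        s = s.replace(bad, repl)
    return s

def encode(s):
    # Hardened form: encode for the quoted-attribute context instead of
    # blacklisting words.
    return html.escape(s, quote=True)

def render(value):
    # The reflected value sits inside a double-quoted attribute
    # (field name "keyword" is an assumption).
    return '<input name="keyword" value="' + value + '">'

class _Attrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names = [name for name, _ in attrs]

def injected_attrs(markup):
    # Attribute names on <input> other than the two the template wrote.
    p = _Attrs()
    p.feed(markup)
    p.close()
    return [n for n in p.names if n not in ("name", "value")]

# Constructed, harmless probes: a quote followed by an inert data attribute.
PROBE = 'x" data-probe="1'
PROBE_UPPER = 'x" DATA-PROBE="1'

if __name__ == "__main__":
    for label, f, probe in (("level 4 filter", level4_filter, PROBE),
                            ("level 6 filter", level6_filter, PROBE_UPPER),
                            ("html.escape", encode, PROBE)):
        print(label, "->", injected_attrs(render(f(probe))))
```

Both blacklist filters let the probe add an attribute to the tag, while the encoded output keeps the whole input inside value.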