DVWA——XSS(Reflected)(low)

XSS(Reflected)

Interface

[Screenshot: the DVWA XSS (Reflected) page]

Source code

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user
    echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}

?>

Code analysis

The array_key_exists function checks whether a parameter named "name" is present in the GET parameters, and then checks that it is not empty. If it exists and is not empty, the page prints: Hello name. The value of name is never validated or encoded, so a crafted name parameter can be used to perform XSS.
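As an added example (not DVWA's own code), the low-level handler's logic beside a hardened version that encodes the parameter for an HTML text context before echoing it; the input string is constructed:

```php
<?php
// Added example, not part of DVWA: compare the unencoded echo with an encoded one.

// Mirrors the low-level source above: the parameter is concatenated into HTML as-is,
// so any markup it contains is interpreted by the browser.
function greet_unsafe(array $get): string {
    if (!array_key_exists('name', $get) || $get['name'] == NULL) {
        return '';
    }
    return '<pre>Hello ' . $get['name'] . '</pre>';
}

// Hardened: same presence/empty check, but the value is encoded for an HTML text
// context. ENT_QUOTES also encodes single and double quotes, and the explicit
// charset prevents mismatches between the encoder and the page encoding.
function greet_safe(array $get): string {
    if (!array_key_exists('name', $get) || $get['name'] === '') {
        return '';
    }
    $name = htmlspecialchars($get['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<pre>Hello ' . $name . '</pre>';
}

// Constructed input: a name that contains markup. In the unsafe version the tag
// reaches the browser as HTML; in the safe version it is shown as literal text.
$query = ['name' => '<b>Tom</b>'];

echo greet_unsafe($query), PHP_EOL;
echo greet_safe($query), PHP_EOL;
```

Disabling the browser filter with `X-XSS-Protection: 0`, as the low-level source does, only removes a legacy client-side mitigation; output encoding on the server is what actually closes the hole.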

Penetration steps

Step 1: Enter the payload in the input field and click Submit; the pop-up window appears.

[Screenshots: the submitted payload and the resulting pop-up window]

Origin blog.csdn.net/qq_37589805/article/details/112591466