current position:Home>3-11xss htmlspecialchars bypass demo
3-11xss htmlspecialchars bypass demo
2022-04-29 11:43:30【Mountain Rabbit 1】
Our article , The way php A method used more in it , That's it htmlspecialchars() function
xss One of the key precautions , When we output , To escape the front-end entity
XSS Bypass - About htmlspecialchars() function
htmlspecialchars() Function to convert predefined characters to HTML Entity .
The predefined characters are :
& ( And no. ) Become &
" ( Double quotes ) Become "
' ( Single quotation marks ) Become '
< ( Less than ) Become <
> ( Greater than ) Become >
Available quote types :
ENT_COMPAT - Default . Code double quotes only .
ENT_QUOTES - Code double and single quotes .
ENT_NOQUOTES - No quotation marks are encoded .
$ok=htmlspecialchars($_GET['message'])
By default , Single quotes are not encoded , Because single quotes are not html Inside the front-end entity , A standard code , So , He won't handle single quotes , When our output point is special , Although we used htmlspecialchars() Handle , But there may still be xss Loophole
When repairing , If it is php Language , It involves such a method , Or other languages , We must find out , Whether this method is comprehensive enough , We choose ENT_QUOTES
Case presentation
Let's switch to xss And htmlspecialchars Inside the project , Or according to our previous conventional thinking ,
"'<>&1111
Let's take a look at the source code
We can see that the output point is in our ,a Labeled href Inside , We see a lot of... Here html Symbol of entity , in other words htmlspecialchars Will encode our relevant content , We can use double quotation marks , Left and right angle brackets ,& Are coded , Single quotation marks are not processed , This place uses the default htmlspecialchars To do back-end filtering , This is the time , We can construct a payload To filter ,
q' onclick='alert(111)'
Close the single quotation mark , Go back and lose one onclick, This onclick Can be executed , Because this single quotation mark is not processed , It is still a valid single quotation mark
We onclick once
This is an input to its back-end processing , We can look at the back-end code
It will process the accessed data , adopt htmlspecialchars Do the processing , After that , It's in a The label outputs ,
$message=htmlspecialchars($_GET['message']);
It uses the default method in this place , It does not specify a pair of single and double quotation marks after , We'll deal with everything , So , This is the problem
copyright notice
author[Mountain Rabbit 1],Please bring the original link to reprint, thank you.
https://en.qdmana.com/2022/119/202204291021019715.html
The sidebar is recommended
- JavaScript functions -- pre parsing, Iife, advanced functions, recursion
- JavaScript object
- How to introduce element plus gracefully in vue3 project on demand
- Component slot Vue js
- How to write game interface style in HTML
- Ask some front-end questions.
- Information | driverless taxi has come to Beijing. Xiaoma Zhixing has been approved to carry out automatic driving service in Beijing
- [taro react] - H5 route configuration cancels # on the route
- Reverse advanced, using ast technology to restore JavaScript obfuscated code
- JavaScript object
guess what you like
Vue introduces vant / elementul
JavaScript queue“
Vue content summary
vue3. 0
Small tips: detection of JS font loading failure or completion
CSS is a box that has been climbing
Leetcode215 - the kth largest element in the array - quick sort - quick select - template
CSS adds effect to the four corners of div
HTTP error 500.19 internal server error occurred in the integration pageoffice of aspnetcore project,
Front end < TD > what is the word limit of the label
Random recommended
- Construction and development of automatic test platform based on HTTP runner
- Application of RT thread - use RT thread on stm32l051 (v. conclusion of wireless temperature and humidity sensor)
- Expose Dubbo to HTTP service
- Put the front end into the spring cloud project
- Front end learning day 4 - CSS
- Vue URL jump page with parameters
- JavaScript Chapter 13 traversal of arrays and implicit parameters of function methods
- These CSS efficiency improvement skills, you need to know!
- Beijing has opened the pilot of unmanned operation of passenger cars, and the driverless air outlet has arrived
- Test theory series - Test Case elements and design methods Part II
- How to make the peak value of measured output voltage not less than 2V
- Hexo quickly set up its own blog
- Gee synthetic cloudless landsat-8 and sentry-2 data
- Prototype object creation method case JavaScript specific implementation steps
- YAF CLI and HTTP access modes
- Simple HTML + CSS animation web page production DW simple animation web page production
- The correct way for web programmers to make a pink girl series happy birthday blessing web page (HTML + CSS + JS)
- HTML + CSS + JS to make simple animation web pages
- HTML gourmet web page production DW static web page production div + CSS gourmet web page implementation and production
- Programmer 520 Tanabata Valentine's Day confession code HTML + JS + CSS petal photo album web page template programmer confession necessary
- Element notify notification prompt text wrap
- Belkin: it's too early to talk about real wireless space charging
- JavaScript ES6 set (set) type* ω *
- Understand JavaScript function execution process and scope chain
- Java project: nursing home management system (java + springboot + thymeleaf + HTML + JS + MySQL)
- Java project: drug management system (java + springboot + HTML + layui + bootstrap + seals + MySQL)
- An error is reported when installing hexo during hexo deployment. What is the reason and how to solve it (tag git | keyword path)
- [front end basics] Linux command: Project Automation deployment
- Less than 100 or win Porsche, Maserati "special supply" 3.0T technical analysis
- Introduction to basic methods of math built-in objects in JavaScript
- CSS matches the nth element of the parent element
- What is the commercialization process of unmanned robotaxi after China allows driverless steering wheel?
- A lot of trouble, cook also worried: a quarter less than $8 billion
- Ajax realizes no refresh paging (no refresh paging shopping cart source code)
- [flutter topic] 101 what is flutter elements Yyds dry goods inventory
- What is the commercialization process of unmanned robotaxi after China allows driverless steering wheel?
- A lot of trouble, cook also worried: a quarter less than $8 billion
- Element acquisition of data structure c language sequence stack
- Set video label based on Vue
- CSS realizes div width adaptation, and the proportion of height and width is fixed