靶场环境
$ sudo docker pull blabla1337/owasp-skf-lab:xss-attribute
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:xss-attribute
XSS
想要下面的那句话变红,输入red
<center> <p style="font-size:2em;">
<div data-gb-custom-block data-tag="autoescape" data-0='false'><span style='color:{{xss}};' > Let me be a new color!</span></div>
</p></center>
查看源码可知,输入的内容是不会被转义的(详见Python-XSS)
指南中给出的payload是:red ' onm ouseover='alert(1337)'
当鼠标停留在段落上就会触发xss
(burp还没弄好,之后抓包看看内容)
标签:XSS,xss,Python,attribute,owasp,skf,Attribute From: https://www.cnblogs.com/smile2333/p/17065470.html