### Brief description:
The payload must be actively triggered by the victim.
### Detailed description:
http://www.hr135.com/ask/index.php
Test URL: http://www.hr135.com/ask/index.php?c=content&id=162
[<img src="https://images.seebug.org/upload/201408/110012500b0e8fb000e05f7b8bf74bfaeb2a6b33.jpg" alt="360截图20140811000124015.jpg" width="600">](https://images.seebug.org/upload/201408/110012500b0e8fb000e05f7b8bf74bfaeb2a6b33.jpg)
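Hyperlink written into the post: `javasc&NewLine;ript:al&NewLine;ert(1)`
`&NewLine;` is a named character entity newly added in HTML5. It decodes to a line feed, which browsers drop when parsing a URL, so the link resolves to the `javascript:` scheme.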
[<img src="https://images.seebug.org/upload/201408/11001436f6bbea046c3b2c6a698b9cda7504c987.jpg" alt="360截图20140811000153296.jpg" width="600">](https://images.seebug.org/upload/201408/11001436f6bbea046c3b2c6a698b9cda7504c987.jpg)
Tools such as Firebug can be used to change the link's display text, making it more deceptive.
[<img src="https://images.seebug.org/upload/201408/11001536ba342a29a14429305a6bf6a67cf7f6d7.jpg" alt="360截图20140811000226250.jpg" width="600">](https://images.seebug.org/upload/201408/11001536ba342a29a14429305a6bf6a67cf7f6d7.jpg)
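The JavaScript is triggered successfully.
Using the follow-up question feature, add another hyperlink: `javasc&NewLine;ript:al&NewLine;ert(doc&NewLine;ument.coo&NewLine;kie`
The cookie is successfully displayed in an alert box.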
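The following is an added example, not code from the affected site or from the original report. It shows why a literal `javascript:` blacklist misses the `&NewLine;` payload above and how a check that normalizes the href first rejects it. The function names, the naive blacklist and the scheme allowlist are assumptions made for illustration.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed policy for user links
C0_AND_SPACE = "".join(map(chr, range(0x21)))  # U+0000..U+0020
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Reconstructed from the payload shown on this page.
PAGE_PAYLOAD = "javasc&NewLine;ript:al&NewLine;ert(1)"


def naive_is_safe(raw_href):
    """Blacklist check of the kind the payload slips past (assumed)."""
    return "javascript:" not in raw_href.lower()


def normalize_href(raw_href):
    """Return the href roughly as the browser's URL parser will see it."""
    decoded = html.unescape(raw_href)        # &NewLine; -> "\n", &Tab; -> "\t"
    decoded = decoded.strip(C0_AND_SPACE)    # leading/trailing controls, space
    return re.sub(r"[\t\n\r]", "", decoded)  # tab/LF/CR are dropped anywhere


def is_safe_href(raw_href):
    """Allow only absolute URLs whose normalized scheme is on the allowlist."""
    match = SCHEME_RE.match(normalize_href(raw_href))
    return bool(match) and match.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample inputs: the page's payload, a variant, a benign link.
    samples = (
        PAGE_PAYLOAD,
        "JaVa&Tab;Script:alert(1)",
        "https://example.com/a?b=1&amp;c=2",
    )
    for sample in samples:
        print(f"{sample!r}: naive={naive_is_safe(sample)} "
              f"strict={is_safe_href(sample)}")
```

Scheme-less (relative) links are rejected by this allowlist; a site that needs them would have to handle that case separately.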
### Proof of vulnerability:
[<img src="https://images.seebug.org/upload/201408/11001757e22de4fcda921a560ca7c7b1bbb2e55e.jpg" alt="360截图20140811001739156.jpg" width="600">](https://images.seebug.org/upload/201408/11001757e22de4fcda921a560ca7c7b1bbb2e55e.jpg)