我'm making a CTF, which is a competition where you have to get a flag using certain methods. I'正在研究一个问题,他们通过使用XSS提醒javascript变量来获取标志 . 但是,XSS并不安全,我不能让他们这么做 . My question is: Is it possible to defend against bad attacks but allow some attacks so that my CTF problem is successful. 我想留下的一些输入就像 alert(flag)
我的HTML代码是:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO"
crossorigin="anonymous">
<!--<link rel="stylesheet" href="css/challenge.css">-->
</head>
<body>
<input type="text" id="text"/>
<button class="btn btn-primary submitButton"></button>
<p id="result">Result</p>
<script>
var flag;
$.get("[website]/cgi-bin/challenge.py", function(data) {
flag = data;
});
var value;
$(".submitButton").on("click", function() {
value = $("#text").val();
$("#result").html(value);
});
</script>
<script src="http://code.jquery.com/jquery-3.3.1.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8="
crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js" integrity="sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy"
crossorigin="anonymous"></script>
</body>
</html>
$.get() 只是从python文件中获取类似 "text" 的字符串,并将其存储在变量标志中 . 我用[网站]取代了实际的网站 . 如果有必要,我可以把网站放回去 .