Vuln web for path based XSS testing

xss-vuln-web-v2.go

package main

import (
    "net/http"
    "time"
    "net/url"

    "github.com/labstack/echo"
    "github.com/tylerb/graceful"
)

func main() {
	e := echo.New()
	e.GET("/", func(c echo.Context) error {
		return c.String(http.StatusOK, "Hi wanda :D")
	})

	// Router & Handler
	e.GET("/xss/:name/1", func(c echo.Context) error {
		name,_ := url.QueryUnescape(c.Param("name"))
		return c.HTML(http.StatusOK, name)
	})
	e.GET("/xss/:name/2", func(c echo.Context) error {
		name,_ := url.QueryUnescape(c.Param("name"))
		response := "<script>\n  a = '"+name+"' \n</script>"
		return c.HTML(http.StatusOK, response)
	})
	e.GET("/xss/:name/3", func(c echo.Context) error {
		name,_ := url.QueryUnescape(c.Param("name"))
		response := "<div class='"+name+"'>abcd</div>"
		return c.HTML(http.StatusOK, response)
	})
	e.Server.Addr = ":8070"

	// Serve it like a boss
	graceful.ListenAndServe(e.Server, 5*time.Second)
}

xss-vuln-web.go

package main

import (
    "net/http"
    "time"
    "net/url"

    "github.com/labstack/echo"
    "github.com/tylerb/graceful"
)

func main() {
	e := echo.New()
	e.GET("/", func(c echo.Context) error {
		return c.String(http.StatusOK, "path base xss , vuln server :D")
	})

	// Router & Handler
	e.GET("/users/:name/1234", func(c echo.Context) error {
		name,_ := url.QueryUnescape(c.Param("name"))
		return c.HTML(http.StatusOK, name)
	})
	e.Server.Addr = ":8070"

	// Serve it like a boss
	graceful.ListenAndServe(e.Server, 5*time.Second)
}

Testing

http http://localhost:8070/users/ab-as\<br\>dfcd/1234         12:29:51 오전
HTTP/1.1 200 OK
Content-Length: 13
Content-Type: text/html; charset=UTF-8
Date: Sat, 06 Mar 2021 15:29:57 GMT

ab-as<br>dfcd