6.1 普通XSS漏洞自动化挖掘思路
6.1.1 URL上的玄机
6.1.2 HTML中的玄机
2.HTML标签之内
6.1.3 请求中的玄机
6.1.4 关于存储型XSS挖掘
6.2.1 HTML与JavaScript自解码机制
<input type="button" id="exec_btn" value="exec" onclick="document.write('<img src=@ οnerrοr=alert(123) >')"/>
function HtmlEncode(str) {var s = "";if (str.length == 0) return "";s = str.replace(/&/g, "&");s = str.replace(/</g, "<");s = s.replace(/>/g, ">");s = s.replace(/\"/g, """);return s;}
<input type="button" id="exec_btn" value="exec" onclick="document.write(HtmlEncode('<img src=@ οnerrοr=alert(123) >'))">
<input type="button" id="exec_btn" value="exec" /></body> <script>function $(id) {return document.getElementById(id);}$("exec_btn").onclick = function () {document.write('<img src=@ οnerrοr=alert(1231)/>');// document.write('<img src=@ οnerrοr=alert(1231)/>'); } </script>
6.2.2 具备HtmlEncode功能的标签
<body> <input type="button" id="exec_btn" value="exec" onclick="$('i1').innerHTML='<img src=@ οnerrοr=alert(123) />';alert($('i1').innerHTML);"/><input type="button" id="exec2_btn" value="exec2" onclick="$('i2').innerHTML='<img src=@ οnerrοr=alert(123) />';alert($('i2').innerHTML);"/><textarea id="i1" style="width:600px;height:300px;"></textarea><div id="i2"></div> </body> <script>function $(id){return document.getElementById(id);} </script>
function HTMLEncode(s){var html="";var safeNode=document.createElement("TEXTAREA");if(safeNode){safeNode.innerText=s;html=safeNode.innerHTML;safeNode=null;}return html;}var tmp="<iframe src=https://baidu.com>";alert(HTMLEncode(tmp));
6.2.3 URL编码差异
6.3 DOM XSS挖掘
6.3.1 静态方法
https://code.google.com/archive/p/domxsswiki/wikis/FindingDOMXSS.wiki
//Finding Sources//The following regular expression attempts to match most common DOMXSS sources (BETA):/(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)///Finding Sinks//The following regular expression attempts to match most //common DOMXSS sinks (BETA):/((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()///This regular expression finds sinks based on jQuery, it also finds //the $ function, which is not always insecure:/after\(|\.append\(|\.before\(|\.html\(|\.prepend\(|\.replaceWith\(|\.wrap\(|\.wrapAll\(|\$\(|\.globalEval\(|\.add\(|jQUery\(|\$\(|\.parseHTML\(/
6.3.2 动态方法
6.5 字符集缺陷导致的XSS
6.5.1 宽字节编码带来的安全问题
6.5.2 UTF-7问题
6.6 绕过浏览器XSS Filter
6.6.1 响应头CRLF注入绕过
6.6.2 针对同域的白名单
6.6.3 场景依赖性高的绕过
6.7 混淆的代码
6.7.1 浏览器的进制常识
var Code = {};Code.encode = function (str, jinzhi, left, right, digit) {left = left || "";right = right || "";digit = digit || "";var ret = "",bu = 0;for (var i = 0; i < str.length; i++) {s = str.charCodeAt(i).toString(jinzhi);bu = digit - String(s).length + 1;if (bu < 1) bu = 0;ret += left + new Array(bu).join("0") + s + right;}return ret;}Code.decode=function(str,zhijin,for_split,for_replace){if(for_replace){var re=new RegExp(for_replace,"g");str=str.replace(re,'');}var arr_s=str.split(for_split);var ret="";for(i=0;i<arr_s.length;i++){if(arr_s[i]) ret+=String.fromCharCode(parseInt(arr_s[i],jinzhi));}return ret;}
6.7.2 浏览器的编码常识
6.7.3 HTML中的代码注入技巧