I was messing around with a filter that didn't correctly filter attribute names and allowed a blank one, which enabled me to bypass it. I thought maybe IE had similar issues when rewriting innerHTML. Yes, it does of course.
The filter bypass worked like this:
">
The filter incorrectly assumed it was still inside an attribute and therefore allowed raw HTML to be injected; the various browsers treat it as an invalid attribute and execute the script. I then decided to fuzz the attribute name to see what characters are allowed. IE of course proved to be interesting, because two equals signs, or one, as an attribute name created an invalid attribute.
I began to use my mXSS tool to see if I could find a new vector. Attribute names with equals signs seemed a good place to start. After various tests using multiple attributes and mixing quotes, I found a vector using an equals sign after the tag name.
IE renders the entities inside the x attribute and therefore breaks out of the attribute when innerHTML is read. If you remove the equals sign after the tag name the vector no longer works, so maybe the parser loses track of the character position, or confuses itself about which quotes the attribute is part of.
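The technique behind the post is the innerHTML round trip: assign a payload, read the serialised markup back, and see whether re-parsing that serialisation changes it or grows the number of elements. The harness below is an added example, not code from the original post or from the author's mXSS tool. The `domSerializer` part needs a browser DOM (run it in a console); `attributeNameCandidates` is a constructed fuzz list of generic attribute-name candidates, not the vector from the post.

```javascript
// Added example (not from the original post): an innerHTML round-trip
// harness for hunting mutation XSS (mXSS) vectors. Needs a browser DOM for
// domSerializer; the rest is plain JavaScript.

// Build a serialise function from a Document:
// html string -> { html: innerHTML read back, elements: element count }
function domSerializer(doc) {
  return function (html) {
    const div = doc.createElement('div');
    div.innerHTML = html;                        // parse the payload
    return {
      html: div.innerHTML,                       // serialise it again
      elements: div.querySelectorAll('*').length
    };
  };
}

// Feed a payload through parse -> serialise repeatedly. A sane parser reaches
// a fixed point after one round: re-parsing its own serialisation must not
// change the markup or grow the element count.
function roundTrip(serialize, payload, rounds) {
  const history = [];
  let current = payload;
  for (let i = 0; i < (rounds || 3); i++) {
    const out = serialize(current);
    history.push(out);
    current = out.html;
  }
  return history;
}

// Compare round 1 (parser's view of the payload) with round 2 (parser's view
// of its own serialisation). Any difference is a mutation candidate.
function classify(history) {
  const first = history[0], second = history[1];
  return {
    idempotent: first.html === second.html,
    elementGrowth: second.elements - first.elements,
    mutated: first.html !== second.html || second.elements > first.elements
  };
}

// Fuzz a set of payloads and return only the ones that mutate.
function findMutations(serialize, payloads) {
  return payloads
    .map(p => ({ payload: p, history: roundTrip(serialize, p, 3) }))
    .map(r => Object.assign(r, classify(r.history)))
    .filter(r => r.mutated);
}

// Constructed fuzz list (assumption: generic attribute-name candidates with an
// entity-encoded tag in a second attribute; not the vector from the post).
function attributeNameCandidates() {
  const names = ['', '=', '==', '"', "'", '/', '<'];
  const out = [];
  for (const n of names) {
    out.push('<img ' + n + ' x="&lt;b&gt;">');
    out.push('<img ' + n + '="" x="&lt;b&gt;">');
  }
  return out;
}

// In a browser: print every candidate whose serialisation is not a fixed point.
if (typeof document !== 'undefined') {
  const hits = findMutations(domSerializer(document), attributeNameCandidates());
  console.log(hits.map(h => h.payload + ' -> ' + h.history[1].html));
}
```

A spec-compliant serialiser escapes only `&`, `"` and non-breaking space inside attribute values, so `x="&lt;b&gt;"` legitimately comes back as `x="<b>"`; that alone is not a mutation. What the harness flags is the second round: if the element count rises when the serialised form is parsed again, the decoded text has been treated as markup, which is the breakout the post describes.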
From: New IE mutation vector (article source: lcx.cc)