想给w13scan加入这个功能,快要下班了,就写篇文章简单说下目前的研究进展。
起先想法很简单,通过一个敏感函数触发点回溯分析到能够利用的参数,目前写下来,解决最大的就是一些编程问题,没什么特别的算法,就是简单的设计了一下能够直接操纵语法树的数据结构。后面就是针对js编写的各种情况来做判断,写规则。
这么说起来似乎很容易,最大的门槛在于你不知道程序员会写出什么代码,所以这方面的样本很少。
要下班了,放一个我写的测试用例吧。
#!/usr/bin/env python3# -*- coding: utf-8 -*-# @Time : 2019/8/21 4:56 PM# @Author : w8ay# @File : test_js.pyimport unittestfrom js_parse import Domxssclass TestCase(unittest.TestCase):def setUp(self):self.sink = {"type": "MemberExpression","object": {"type": "Identifier","name": "document"},"property": {"type": "Identifier","name": "write"}}self.source = {"type": "MemberExpression","object": {"type": "Identifier","name": "location"},"property": {"type": "Identifier","name": "hash"}}def tearDown(self):passdef test_test00(self):test_00 = '''document.write(location.hash.split("#")[1]);'''xss = Domxss(test_00)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test01(self):test_01 = '''var param = location.hash.split("#")[1];document.write("Hello " + param + "!");'''xss = Domxss(test_01)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test02(self):test_02 = '''var custoom = location.hash.split("#")[1];var param = " custoom:" + custoom;document.write("Hello " + param + "!");'''xss = Domxss(test_02)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test03(self):test_03 = '''var custoom = location.hash.split("#")[1];var custoom1 = '';var param = '';param = " custoom:" + custoom;param = param.replace('<','');param = param.replace('"','');document.write("Hello " + param + "!");'''xss = Domxss(test_03)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test04(self):test_04 = '''var param = location.hash.split("#")[1];var d = document.createElement('div');d.innerHTML = param;document.write(d);'''xss = Domxss(test_04)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test05(self):test_05 = '''var param = location.hash.split("#")[1];if (param){var d = document.createElement('div');d.innerHTML = param;if (document.body != null){document.write(d);}}else{document.write('no content');}'''xss = Domxss(test_05)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test06(self):test_06 = '''function get(){let params = location.hash.split("#")[1];return params;}let param = get();document.write("Hello " + param + "!");'''xss = Domxss(test_06)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test07(self):test_07 = '''function go(){let param = get();document.write("Hello " + param + "!");}function get(){let params = location.hash.split("#")[1];let a = 0;return a;}go();'''xss = Domxss(test_07)xss.set(self.sink, None, self.source)self.assertFalse(xss.exploit())def test_test08(self):test_08 = '''function xyz(asia){return asia;}mango = location.hash.split('#')[1]document.write(xyz(mango));'''xss = Domxss(test_08)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test09(self):test_09 = '''function timedMsg(abc,callback){document.write(callback);}var call = location.hash.split("#")[1];timedMsg("123",call);'''xss = Domxss(test_09)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test10(self):test_10 = '''function timedMsg(abc,callback){document.write(callback);}var call = location.hash.split("#")[1];var check=111;check = timedMsg;check("123",call);'''xss = Domxss(test_10)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())def test_test11(self):test_11 = '''function apply(abc,callback){return document.write(callback);}var call = location.hash.split("#")[1];apply("123",call);'''xss = Domxss(test_11)xss.set(self.sink, None, self.source)self.assertTrue(xss.exploit())
目前11个测试用例已经都能跑成功了,在放张程序截图,这是针对测试用例11的运行截图
后面将输入的信息改成人能读懂的语言,xss扫描第一版本就要发布了~
本文始发于微信公众号(Hacking就是好玩):基于JS语义分析的Dom-XSS自动化研究
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论