DOM destruction and reproduction experiment
2022-08-02 03:16:00 【orange oak】
DOM与windowThe quantum entanglement
举一个例子,给button的标签id设为btn,然后在script标签中使用window.btn来抓取id=btn的值.通过结果可以看到,window.btnIs the label all fetching out.
这个也就是DOM和windowThe quantum entanglement,也就是说:在HTMLSet in aidThe elements in the after,可以在jsIn the direct operation,并且由于jsThe scope of the rules,It also can be used directlybtn,Because if in the case of the current scope to find,He would have been to turn up for,直到找到为止.
并且在HTMLThere is a clear documentation of the notes has mentioned that the focus of the extracts from:
The selected location is the focus of the mentioned;总结来说就是**除了id可以直接使用windowAccess to outside;embed、form、img和objectThese four tags can also be usedname进行操作**也就是说可以使用HTMLThe elements to influencejs.
DOM Clobbering(DOM破坏)
What you just said利用HTMLElements to influence thejsThis is can be understood asDOM破坏.也就是通过DOMTo give something to override the method.
下面这个代码就是:如果你存在test1和test2这两个元素,Implementation of the two elements.But this is two elements,不是一个了.
if (window.test1.test2){
There are two problems with before that:
1.利用html标签的属性id,很容易在windowThe attribute of object created above any,But we can create a new attribute on the new object?也就是说不在window下创建,而是在form标签,pLabels to create.
2.怎样控制DOM elements被强制转为string之后的值,大多数的domNode is converted tostring后是[object HTMLInputElement].
首先,在js中,Each function has two methods almost,分别时valueof方法和tostring方法
valueof方法Returns the new object instance is the corresponding value of the type of the original
tostring方法Returns the corresponding string in the form of
对象的valueofThe method always returns the object itself,This time the call objecttostring方法,将它转换为字符串,比如说:
对象的tostringThe default return way is[object,Object].
But when we were in the test as you can see:
So its running result is plays the window,But returns are not twoobject,而是这样的,像一个字符串,But we are need to useeval执行的,Perform such arrays is meaningless.And need to perform a function.
The second problem for the above mentioned,有下面这样的代码,It can traversehtmlAnd check them all possible elements in thetostringMethods are inherited fromobject.prototypeOr in another way to define.
You can see it first return isarea,另一个是a标签.在a标签中tostring方法只返回一个href属性值.So just in front of the example of the solution is,For we have two of the sameid的值.分别是:
<a id =test1>click!</a>
<a id =test1>click2</a>
因为给的id的值都是相同的,So in the given value is the result of theHTMLCollection,And formed a similar to the appearance of the array.
也就是说.我们可以通过indexAs well as access to specific elements of theid,也就是说window.test1.test1Actually refers to the first element.同时,设置name属性也可以在htmlCollection中.
That is to say, in just the label in aname的属性.
<a id =test1>click!</a>
<a id =test1 name=test2>click2</a>
Its result will give out a label element so in.
Based on the above repetition experiment
下面代码是:首先截取#号后面的值,然后创建一个div,然后将#Behind the number value is assigned todiv,然后使用querySelectorAll选取div下所有的子元素;Then get child element properties,And will delete all attribute,But we at run time will find a problem.
const data = decodeURIComponent(location.hash.substr(1));
const root = document.createElement('div');
root.innerHTML = data;
for (let el of root.querySelectorAll('*')) {
for (let attr of el.attributes) {
我们明明输入的是:<img src=1 οnerrοr=alert(1)>,But it is only after the operation were deleted asrc,把onerror留了下来.
Here use debug method to check it every step of the run value.
We are now put a breakpoint on for (let el of root.querySelectorAll('*')) {
和for (let attr of el.attributes) {
这两行上,然后逐步往下走,Can see it in the right scopedata是:<img src=1 onerroe=alert(1)>
Then we will then go down.然后可以看到el获取的值是img,Also tell me about it have been successful to this tag.
然后接着继续走;然后attrGet to the first element:src,之后,It carried out the following removal operations.
Then according to the forecast should be to go back to tag matching elementsonerror然后进行删除,But when proceed to the next step,attrPick up to the value is empty,就直接跳出循环,直接结束.
According to our way of thinking in this should is right,但是,In the process of cycle,attrFirst match issrc元素,Then the loop after direct delete,删除了之后,The rest of the whatonerrorAutomatic moving forward,Like doing nucleic acid,Shoot the man in front of you because no wearing surgical masks were booted out,That is you want to go forward one to take its place.这个也是,onerror替代了srcIn the first place,It becomes the first,But when I was just cycle,Has already been the first to the loop,I'm going to cycle the next time it did not have the,So I will end of cycle.
So to solve this pass word is to disrupt the order of the elements,Let him according to his vulnerability after deleting the rest is all we need to be able to.
就是将srcElement wrote the first2为,After removing the first time it becomes first will be retained,然后将onerrorSave the fourth,So after deleting the first,The original third became the second,The fourth becomes the third,,After the second operation was deleted,The most open to becomes the fourth2位,But we have performed the second,So back didn't,He jumped out of the loop.
Due to loopholes in just the code is,所以进行了修改,分成了两个步骤,The first cycle are stored,The second loop to delete,To solve the problem of just.
const data = decodeURIComponent(location.hash.substr(1));;
const root = document.createElement('div');
root.innerHTML = data;
// 这里模拟了XSS过滤的过程,Method is to remove all properties,sanitizer
for (let el of root.querySelectorAll('*')) {
let attrs = [];
for (let attr of el.attributes) {
for (let name of attrs) {
This cycle is to filter out all the elements will be.
可以看到输入的<img src=1 οnerrοr=alert(1)>The inside of the element is gone,There are only aimg标签.
解决这个问题,We can from two directions to guide
1.Into the circulation but let him it's useless to delete the data
This approach can be used to just began to speak of theDOMDestroy the way to.
el执行的是attr,If there is an element can be hijacked this,Then delete, it is notatrBut the inside of the one child.
One example is now testing:
<form id="x"action="">
<img name="attributes">
Execute code above,The results can be printed out the entire label.
也就是说,这里的x是上面的el;插入一个form之后,这个elQuite so is equal to thisform的,而那个el.attributesQuite so whatimg.也就是让img进入循环,而在form中进行触发,Thus realized into circulation,But remove is useless labels.
You can use the approach that in test:
But it is results show:el.attributesNot an iterator,
Object iteration has a characteristic isfor循环,Now enter only one element,He is not the cycle of,So we need to he composed of an array or collection,
And just we just just said,如过idValues are the same words will form a collection,And this is just met just we need.So it can be written in the form below:
<form id="x"action="">
<img name="attributes">
<img name="attributes">
这样的话,imgLabel into the delete,这样的话我们formIt also lacks a trigger properties,而onfocusAttributes can trigger automatically,但是它不是form属性,而是input下面.我们也可以将img换成input,This can also meetnameThe same time will become a collection.
This solution also need automatic focusing,This time you need an automatic focusing properties.
tabindex:全局属性,以及它是否(在何处)In order the keyboard navigation.
加上tabindexThe attributes you can put the focused oninput上,否则onfoucus是没有办法实现的.
所以这样的话:We can try:
<form tabindex=1 onfoucus=“alert(1)” autofocus><input name=attributes><input name=attributes>
This is a successful jump out of the popup window,But because this is your mouse will automatically af,So would have been to play window,So we can remove him after it executes a success.
<form tabindex=1 onfoucus=“alert(1);this.remove.Attribute(‘onfocus’)” autofocus><input name=attributes><input name=attributes>
Here are using twosvg标签,也就是使用\<svg>\<svg onload=alert(1)>
To completely bypass the,It can be around before filtering code,也就是说,It's on the coderoot.innerHTML = data;
To explain this must first understand the following browser rendering process.
也就是在DOM树构建完成之后,会触发DOMContentLoaded事件,Will load the script or pictures,After completion of loading will trigger and do allload事件.
使用imgLabel the reason for failure is:When we use the breakpoint test,First filter to comment out first,Then we put a breakpoint onroot.innerHTML = data;上,And then, step by step test:
第一步:Go down when it is the first step to go directly to the end,但是imgLabel does not perform.
At the time of go down will performimgAnd you can play the window
也就是说,If combined with filtering,It is the first for loop filter can play a window,But after filtered child elements were filtered out.也就是说js阻塞了DOM树的构建;也可以说在script标签内的JS执行完毕以后,DOMThe tree would build complete,
而svgPerform is first;和imgTests the same way,In the same position a breakpoint test.
在 root.innerHTML = data;位置的时候,Go down to see it directly into thealert()然后弹窗.
点击下一步的时候,It will be directly into thealertAnd popup window.
这样的话,It has no was ready to play into the cycle to delete the window.Then go down even if be delete it has carried out for,So there is no need to.
也就是说,这种嵌套的svgThe reason is that when the page is successroot.innerHtmlWhen the browser into the assignmentDOM树构建过程;在这个过程中会Trigger the outermostsvg标签的load
事件,Finally successful execution code.
