
Record several interesting XSS vulnerability discoveries

2022-06-13 10:18:00 Bright moon and clear wind~~

Link to the original text: https://www.freebuf.com/articles/web/331671.html

Recording several interesting XSS vulnerability discoveries

shit xiong 2022-04-29 08:41:48


This records several XSS vulnerabilities I ran into while bug hunting, three stored XSS and one reflected XSS, mainly to share the way of thinking. Wherever the input is controllable and is echoed in the output, XSS can be tested.

*0x00 Login details + IP + XFF*

Log in and go to 【Personal center】, where there is a 【Login details】 function that records the login time, IP and so on.

Capture the login request, add an X-Forwarded-For header and replay it. Why? If the value is simply concatenated into the record, there is an opportunity.


Many applications record the user's IP at login. Yes, the first thought is to craft XFF to test for SQL injection. We will not analyze SQL injection here; the author's repeated tests found nothing (never mind).

Okay, back to the point. The login details echo the XFF value we constructed, so XSS has to be tried. We cannot delete login-detail records, and to avoid causing unnecessary trouble there is no need for a pop-up payload here; we use console.log('test'), and the trigger effect is the log "test" printed to the console.


The vendor fixed this vulnerability soon after it was submitted, really fast. Analysis found that the fix HTML-escapes twice, once on input and once on output. Also, the pre-fix test screenshots could not be found, so only post-fix screenshots are used for the analysis.

Before the fix, the angle brackets had not been escaped into "harmless" characters, so the console log output could be triggered.

Below is the payload implanted before the fix, but the screenshot was taken after the fix. The vendor now escapes on both input and output, but because this payload was implanted before the fix it could not be escaped on input; only the output escaping applies to it.


Below is a payload implanted after the fix; input and output are both escaped, so this is what users see.


Both successful and failed logins are recorded, which proves it is not self-XSS.
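As an added example (not code from the post or the vendor), the defensive side of this finding in Python: X-Forwarded-For is validated as a list of IP addresses before it is stored, the template escapes once on output, and the two paths the post describes (a pre-fix record escaped only on output, a post-fix record escaped on input and again on output) are shown side by side. The sample headers and all function names are my assumptions.

```python
import html
import ipaddress

# Constructed sample headers (not from the original post): a normal proxy
# chain, and one carrying the console.log probe described in the write-up.
GOOD_XFF = "203.0.113.7, 198.51.100.2"
BAD_XFF = "<script>console.log('test')</script>"


def parse_xff(header: str):
    """Validate X-Forwarded-For as comma-separated IP addresses.

    Any entry that is not a real IPv4/IPv6 address makes the whole header
    untrusted: return None so the caller records the socket peer address
    instead and logs the rejected header for detection.
    """
    ips = []
    for part in header.split(","):
        try:
            ips.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            return None
    return ips or None


def escape_for_html_text(value: str) -> str:
    """Output-side escaping: the one escape that belongs in the template."""
    return html.escape(value, quote=True)


def store_post_fix(raw: str) -> str:
    """Input-side escaping as added by the vendor's fix (the first escape)."""
    return html.escape(raw, quote=True)


def displayed_text(fragment: str) -> str:
    """What a browser shows for an HTML text fragment (entities decoded once)."""
    return html.unescape(fragment)


if __name__ == "__main__":
    # Record implanted before the fix: stored raw, escaped only on output.
    pre_fix = escape_for_html_text(BAD_XFF)
    # Record written after the fix: escaped on input and again on output.
    post_fix = escape_for_html_text(store_post_fix(BAD_XFF))
    print("pre-fix row displays :", displayed_text(pre_fix))   # literal <script> text
    print("post-fix row displays:", displayed_text(post_fix))  # literal &lt;script&gt; text
    print("valid XFF chain      :", parse_xff(GOOD_XFF))
    print("rejected XFF header  :", parse_xff(BAD_XFF))
```

The doubly escaped record is what produces the entity-looking text in the post-fix screenshot: the browser decodes entities once, so the user sees the first escape's output as literal characters.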

*0x01 Chat box + img tag + image address*

Find the input box, enter test<>"" and send. Angle brackets and double quotes are escaped, and attempts to bypass were fruitless.


When sending a picture, the content parameter turns out to carry a controllable image address. Insert test<>"" into the address as a simple test: angle brackets and double quotes in the image address are not escaped, so construct an XSS payload that uses an event handler.


Triggered successfully, haha. In fact, GIF emoticons here can trigger it too.


Viewing the source shows the payload has been successfully implanted.


The payload is sent to the target, and the target's chat window renders it as well, proving it is not self-XSS.
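An added example (not the chat application's code) of the image-address sink in Python: the vulnerable pattern, where the content parameter is dropped straight into the src attribute, next to a hardened version that allowlists the URL scheme and host and then escapes for attribute context. The sample URLs and function names are mine; the probe string test<>"" is the one from the post.

```python
import html
from urllib.parse import urlsplit

# Constructed sample picture addresses (not from the original post): a normal
# image URL, the probe string from the write-up spliced into a URL, and a
# non-http scheme that a src allowlist must also reject.
NORMAL_URL = "https://cdn.example.test/emoji/smile.gif"
PROBE_URL = 'https://cdn.example.test/a.png?x=test<>""'
BAD_SCHEME = "javascript:console.log(1)"


def img_tag_unsafe(content: str) -> str:
    """The pattern the write-up found: the picture address is dropped straight
    into the src attribute, so a double quote in it ends the attribute and
    whatever follows is parsed as further attributes (an event handler, say)."""
    return f'<img src="{content}">'


def validate_image_url(content: str):
    """Allowlist check for a user-supplied picture address: http(s) with a host."""
    parts = urlsplit(content)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return content


def img_tag_safe(content: str):
    """Hardened form: scheme/host allowlist, then attribute-context escaping.

    html.escape(quote=True) turns <, >, & and both quote kinds into entities,
    so the value can no longer close the attribute or the tag.
    """
    url = validate_image_url(content)
    if url is None:
        return None
    return f'<img src="{html.escape(url, quote=True)}">'


if __name__ == "__main__":
    for url in (NORMAL_URL, PROBE_URL, BAD_SCHEME):
        print("unsafe:", img_tag_unsafe(url))
        print("safe  :", img_tag_safe(url))
```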

*0x02 Feed posts + simple filtering + publishing in two parts*

Posts can be published; posting the payload directly, it is replaced with an empty string on publishing.


In fact, this is only a front-end check; I believe the experts can all bypass it easily, but here is another idea of mine.

Try publishing in two parts.

First input, published: */sole.log(1111);


Second input, published (shown in a screenshot in the original post).

Here a /* comment */ is used to comment out part of the page content and form a valid closure. However, this method easily breaks the page, so use it with caution; it is best not to use it unless necessary. If the experts are sure they can comment and close properly, and have a way to delete it afterwards, they can still play with it; if it is not closed properly and cannot be deleted, it's GG.


XSS triggered successfully.


*0x03 Search + input tag + hidden attribute*

This is a reflected XSS on an edu site; the exploitation conditions are harsh, but it is useful for learning.


In the search box, enter 1111<>""; the response is as follows. Reviewing the source again, it cannot be exploited.


Search for test<>""''; the response is as follows. Comparing searches for existing and non-existent terms, the responses differ greatly.


Reviewing the source, the attribute value is enclosed in single quotes, and the single quote is not escaped.


The experts must have spotted it already: input tag + hidden attribute.

First exploration: triggering the event automatically with autofocus failed, and the hidden attribute cannot be overridden either.

Let's look at what an online expert said. Reference link: https://www.anquanke.com/post/id/148357


Search for ' accesskey='X' onclick='alert(1) ; in Firefox, Alt+Shift+X pops the alert. So yes, the exploitation conditions are harsh......
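An added example (not the edu site's code) of the root cause in this section in Python: an escaper that handles <, > and " but forgets ' leaves a single-quoted attribute open, while attribute-context escaping with html.escape(quote=True) closes it, and a simple template check tells the two apart. The probe string and the accesskey/onclick payload are the ones quoted above; the hidden-input template, the attribute name keyword and the function names are my assumptions.

```python
import html

# Inputs from the write-up: the probe string and the Firefox accesskey/onclick
# payload. The template and its attribute name are constructed for this example.
PROBE = "test<>\"\"''"
PAYLOAD = "' accesskey='X' onclick='alert(1)"
TEMPLATE = "<input type='hidden' name='keyword' value='{}'>"
BASE_QUOTES = TEMPLATE.count("'")  # the single quotes that belong to the template


def hidden_input_partial(keyword: str) -> str:
    """What the write-up observed: <, > and " are escaped, but ' is not.

    html.escape(quote=False) leaves both quote characters alone; replacing the
    double quote by hand reproduces an escaper that forgot the single quote,
    which is the character actually delimiting this attribute.
    """
    escaped = html.escape(keyword, quote=False).replace('"', "&quot;")
    return TEMPLATE.format(escaped)


def hidden_input_safe(keyword: str) -> str:
    """Attribute-context escaping: quote=True also turns ' into &#x27;."""
    return TEMPLATE.format(html.escape(keyword, quote=True))


def attribute_intact(rendered: str) -> bool:
    """Template check: the value stayed inside its attribute only if the tag
    contains exactly the template's own single quotes and no extra ones."""
    return rendered.count("'") == BASE_QUOTES


if __name__ == "__main__":
    for keyword in (PROBE, PAYLOAD):
        for render in (hidden_input_partial, hidden_input_safe):
            out = render(keyword)
            print(render.__name__, "intact" if attribute_intact(out) else "BROKEN", out)
```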


Corrections are welcome, as is sharing more experience.

Author: shit xiong. When reposting, please credit FreeBuf.COM.


Copyright notice
This article was created by [Bright moon and clear wind~~]; please include the original link when reposting, thanks
https://yzsam.com/2022/164/202206131008112984.html