The multipage and one-page versions of the spec differ in content
Auto Semicolon Insertion (ASI)
A line starting with + - [ ( / is joined to the previous statement (no semicolon is inserted)
restricted productions (return, throw, break, continue, postfix ++/-- get a semicolon inserted when a LineTerminator follows)
cid:a=123 (parses as the label cid followed by the statement a=123)
delete[this][0][attr] // equivalent to delete window.attr: at global scope [this][0] === window
Comment syntaxes:
//
/*
<!-- (HTML-like comment, Annex B)
--> (HTML-like comment, only at the start of a line)
#! aaaaa (hashbang, only on the first line of a script or module)
eval("alert\u2029(1)") // U+2029 is a LineTerminator; a line starting with ( continues the expression, so this runs alert(1)
Number::sameValueZero
Array.prototype.includes
[NaN].includes(NaN) // true
IsStrictlyEqual
Regex global matching: lastIndex makes flag g (global) and flag y (sticky) stateful
Dot-all behavior: flag s. By default . won't match:
U+000A LINE FEED (LF) ("\n")
U+000D CARRIAGE RETURN (CR) ("\r")
U+2028 LINE SEPARATOR
U+2029 PARAGRAPH SEPARATOR
Legacy RegExp static properties:
RegExp.$_ / RegExp.input: the last input string
RegExp['$&'] / RegExp.lastMatch: the last matched string
RegExp['$+'] / RegExp.lastParen: the last parenthesized (capture group) match
RegExp['$`'] (left context) and RegExp["$'"] (right context) of the match
Per-line ^ and $ anchors: flag m
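The ASI/line-terminator notes (eval("alert\u2029(1)"), restricted productions) and the regex-flag notes above, as one added Node.js example that is not part of the original notes; every input is constructed for the demo:

```javascript
// Added example, not part of the original notes: U+2028/U+2029 count as
// LineTerminators for the parser, and the regex flags g/y, s and m change
// what a validator accepts. Every input below is constructed for the demo.

// --- ASI and line terminators ---------------------------------------------
// "alert\u2029(1)": the PS character ends the line, "(" continues the call.
function callAcrossPs() {
  return new Function('return parseInt\u2029("42")')();
}
// Restricted production: `return` directly followed by a LineTerminator gets
// a semicolon inserted, so the value on the next line is never returned.
function returnAcrossPs() {
  return new Function('return\u2028"x"')();
}
// A "no newline" filter that only knows LF/CR lets U+2028 through, yet U+2028
// still terminates a // comment in generated code, so the injected line runs.
function noLfCr(s) {
  return /^[^\n\r]*$/.test(s);
}
function runWithComment(s) {
  // Generated code places the untrusted value in a trailing line comment.
  const f = new Function('let hit = 0; // ' + s + '\nreturn hit;');
  return f();
}

// --- regex flags -----------------------------------------------------------
// Flag g (and y) make test() stateful: lastIndex advances after a match, so
// the next call on the same input starts past the end and fails.
const statefulRe = /^[a-z]+$/g;
function checkStateful(s) { return statefulRe.test(s); }
function checkStateless(s) { return /^[a-z]+$/.test(s); }   // no g: lastIndex is never used

// "." skips LF, CR, U+2028 and U+2029 unless flag s is set.
function wholeLineDefault(s) { return /^.+$/.test(s); }
function wholeLineDotAll(s)  { return /^.+$/s.test(s); }

// Flag m turns ^ and $ into per-line anchors, so an "exact match" becomes
// "some line matches".
function exactAdmin(s)      { return /^admin$/.test(s); }
function exactAdminMulti(s) { return /^admin$/m.test(s); }
```

The statefulness matters for validators that reuse one module-level regex with flag g: the same input alternates between accepted and rejected, which is both a bypass and a denial-of-service against legitimate users.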
then
securitypolicyviolation
arguments.callee.caller.arguments: gets the outer (calling) function's arguments; sloppy mode only
"ß".toUpperCase() // "SS"
"İ".toLowerCase().length == 2
"ffi".toUppserCase() == 'FFI'
al\u0065rt(7122) // alert(7122)
al\u{65}rt(7122) // al\u{65}rt(7122)
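The case-mapping and identifier-escape notes above, as an added Node.js example that is not part of the original notes; the filter and its inputs are constructed:

```javascript
// Added example, not part of the original notes: Unicode case mapping and
// identifier escapes against a text filter. Inputs are constructed.

// A filter that lower-cases and searches for "script"...
function rejectsScript(s) {
  return s.toLowerCase().includes('script');
}
// ...followed by an upper-casing step (e.g. a tag-name comparison downstream).
// U+017F LATIN SMALL LETTER LONG S is already lower case, so it survives the
// check, but upper-cases to a plain "S".
function filterThenUpper(s) {
  if (rejectsScript(s)) return null;   // blocked
  return s.toUpperCase();
}

// Mappings whose output length differs from the input (the cases in the notes).
function caseMappingFacts() {
  return {
    sharpS: '\u00DF'.toUpperCase(),         // ß -> 'SS'
    dottedI: '\u0130'.toLowerCase().length, // İ -> 'i' + U+0307, length 2
    ffi: '\uFB03'.toUpperCase(),            // ffi ligature -> 'FFI'
  };
}

// Unicode escapes are legal inside IdentifierName, so a blacklist that looks
// for the literal text "parseInt" misses both spellings.
function blockedName(code) {
  return code.includes('parseInt');
}
function callEscaped() {
  const sources = [
    'return pars\\u0065Int("42")',   // \u0065 is "e"
    'return pars\\u{65}Int("42")',   // ES2015 code-point escape
  ];
  return sources.map((src) => new Function(src)());
}
```

Any check that runs before a case change (or NFKC normalization, which also folds U+FB03 and U+017F) is checking a different string than the one the sink receives; validate after the last transformation.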
document is in the scope chain of inline event handlers, so a bare URL resolves to document.URL:
<svg/onload=eval(URL)>
Minimal symbol sets that can encode any JavaScript (JSFuck uses the first): ()+[]! or ()[]{}+!
jjencode - Encode any JavaScript program using only symbols
[]()!+,\"$.:;_{}~=
aaencode - Encode any JavaScript program to Japanese style emoticons (_)
return
Error.prepareStackTrace
isNaN vs. Number.isNaN
Object.hasOwn [ES2022] vs. Object.prototype.hasOwnProperty
obj.hasOwnProperty('prop') breaks if hasOwnProperty has been overridden (or the object has a null prototype); Object.hasOwn(obj,'prop') is safer
base64: Node's decoder skips characters outside the alphabet and stops at the first '=', so everything after it is ignored:
Buffer.from('Y\xff W..FhYWFhYgo= bbbb','base64').equals( Buffer.from('YWFhYWFhYgo','base64')) // true
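The hasOwnProperty and base64 notes above, as one added Node.js example that is not part of the original notes; the ACL objects and token strings are constructed:

```javascript
// Added example, not part of the original notes: two comparisons that look
// equivalent but are not. Inputs are constructed.

// 1. hasOwnProperty is a method the object itself can shadow; Object.hasOwn
//    is a static function and cannot be shadowed by the object's keys.
function isAllowedUnsafe(acl, user) {
  return acl.hasOwnProperty(user);   // throws if acl shadows it or has no prototype
}
function isAllowedSafe(acl, user) {
  return Object.hasOwn(acl, user);
}
function shadowedAcl() {
  // Attacker-controlled JSON keys can shadow the method itself.
  return JSON.parse('{"hasOwnProperty": true, "alice": true}');
}
function nullProtoAcl() {
  const acl = Object.create(null);   // e.g. querystring.parse() output
  acl.alice = true;
  return acl;
}

// 2. Node's base64 decoder skips characters outside the alphabet and stops at
//    the first '=', so strings that differ as text decode to the same bytes.
//    Signing the text form and comparing the decoded form (or vice versa)
//    therefore accepts more than one encoding of the same payload.
function decodesSame(a, b) {
  return Buffer.from(a, 'base64').equals(Buffer.from(b, 'base64'));
}
function decoded(s) {
  return Buffer.from(s, 'base64').toString('latin1');
}
```

If the transport form must be canonical, re-encode the decoded bytes and require the result to equal the input string byte for byte.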
Inside new Function there is no module-local require; use global.process.mainModule.constructor._load to require
import is not on global, so it gets past blacklist checks that only look at globals
vm: wrapSafe
''.constructor.constructor (the Function constructor)
module.require.main === process.mainModule
process.mainModule.require
module.constructor._load
module.constructor.Module._load
module.constructor.Module._cache: get the loaded user modules
username=admin&password[password]=1
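The new Function / ''.constructor.constructor / process.mainModule.constructor._load chain above, as an added example (not from the original notes) of escaping a naive keyword-blacklist eval. The sandbox function is constructed; the escape assumes a CommonJS entry script so that process.mainModule is set:

```javascript
// Added example, not part of the original notes: a string-blacklist eval
// "sandbox" and the escape path the notes list. Assumes a CommonJS main
// module (process.mainModule defined).
function blacklistEval(code) {
  const banned = ['require', 'process', 'child_process', 'Function', 'import'];
  for (const word of banned) {
    if (code.includes(word)) throw new Error('blocked: ' + word);
  }
  // Direct eval runs in this function's scope, where the module-local
  // `require` is reachable by name; that is what the blacklist tries to stop.
  return eval(code);
}

// Step 1: the Function constructor, without ever writing "Function".
const getFunction = "''.constructor.constructor";
// Step 2: a function built from source is compiled in global scope, so its
// sloppy-mode `this` is globalThis; split the word so the blacklist misses it.
const getProcess = getFunction + "('return this.pro' + 'cess')()";
// Step 3: Module._load is require() without needing the `require` binding.
const getLoad = getProcess + '.mainModule.constructor._load';

function escapePid() {
  return blacklistEval(getProcess + '.pid');
}
function escapePlatform() {
  return blacklistEval(getLoad + "('o' + 's').platform()");
}
```

Keyword blacklists lose to string concatenation and to property chains that start from any value the sandbox lets through; only a real isolation boundary (a separate process or isolate with no host objects exposed) holds.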
window: document.defaultView points to window
Node img
document.querySelector()
document.URL
document.cookie
document.domain checks can be bypassed with a trailing-dot hostname (Burp Suite does not allow this):
https://www.cjis.ooo.
Host: www.cjis.ooo.
document.domain === 'www.cjis.ooo.'
window.open
https://blog.huli.tw/2022/04/07/iframe-and-window-open/
window.origin of the new window is still the opener's at first; it only changes once the new page has loaded
browsing context
location.ancestorOrigins
__proto__[sitekey] pollutes data-sitekey
IteratorClose
Error.prepareStackTrace
ownerDocument or defaultView to traverse any value
Object.prototype or Array.prototype
for ... in pattern
if require happens after pp: =v15, set a global variable for the newly required module via contextExtensions
pp + env: Abusing Environment Variables, HACKING WITH ENVIRONMENT VARIABLES, 我是如何利用环境变量注入执行任意命令 (How I used environment-variable injection to execute arbitrary commands)
June 2022: pp via spawn options (commit) and via contextExtensions (commit) were fixed; missing options now default to kEmptyObject, so pollution only applies when an options object is actually passed in
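The __proto__[sitekey] and for ... in gadget notes above, as an added Node.js example that is not part of the original notes: a recursive merge polluted through a "__proto__" key, a for...in copy loop that then picks up the inherited sitekey, and a hardened merge. The data-sitekey attribute name comes from the notes; the merge functions and request body are constructed:

```javascript
// Added example, not part of the original notes: prototype pollution through
// a recursive merge, a for...in gadget that renders inherited keys, and the
// hardened merge. The request body is constructed.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === 'object' && source[key] !== null) {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], source[key]);   // target['__proto__'] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BANNED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {     // own keys only
    if (BANNED_KEYS.has(key)) continue;
    const val = source[key];
    if (typeof val === 'object' && val !== null) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Gadget: widget options rendered as data-* attributes with for...in, which
// also walks enumerable properties inherited from Object.prototype.
function renderDataAttrs(opts) {
  const parts = [];
  for (const k in opts) parts.push(`data-${k}="${opts[k]}"`);
  return parts.join(' ');
}

// JSON.parse creates an own, enumerable "__proto__" key, which is exactly
// what the recursive merge then follows into Object.prototype.
function pollutedAttrs(merge) {
  const body = JSON.parse('{"theme":"dark","__proto__":{"sitekey":"attacker-key"}}');
  const config = merge({}, body);
  try {
    // Fresh object: only pollution can make a sitekey attribute appear here.
    return renderDataAttrs({ theme: config.theme });
  } finally {
    delete Object.prototype.sitekey;   // undo the pollution for the rest of the process
  }
}
```

The hardened version combines three controls: iterate own keys only, refuse the three magic key names, and never descend into a target property that is inherited rather than own.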
$(document).off()
__proto__[sitekey]: an invalid sitekey also triggers it
DOMPurify.removed gives you the removed content
DOMPurify trusted-type policy
a<style></style>
https://github.com/cure53/DOMPurify/issues/804
allowUnknownMarkup=true: data-* and other attributes can be set
qs parses at most 1000 query-string parameters by default; send '?'+'a=b'*1000+'waf=aaa' and waf will not be in req.query
express...
window.open / page.goto accept the javascript: scheme, and the domain is that of the current page
Page.click() is implemented by computing coordinates and then clicking, so it can be click-hijacked
--disable-web-security turns off SOP: ports can be probed directly and file:// can be read
~/Downloads/xxxxx
ref https://mizu.re/post/intigriti-october-2023-xss-challenge