XSS绕过WAF之on属性

2022-08-30 13:31:28 浏览数 (2)

日常测试的时候遇到的一个case,存在XSS漏洞,但是WAF把 onload,onerror,onstart等常用的on属性都过滤了。

通过搜索,找到一段遍历所有on属性的代码。

代码语言:javascript复制
let results = [] 
for (let i in document){ 
  if(i.startsWith("on")){ 
    results.push(i) 
  } 
} 
console.log(results) 
localStorage.onAttrs=JSON.stringify(results)
代码语言:javascript复制
["onreadystatechange","onpointerlockchange","onpointerlockerror","onbeforecopy","onbeforecut","onbeforepaste","onfreeze","onresume","onsearch","onvisibilitychange","onfullscreenchange","onfullscreenerror","onwebkitfullscreenchange","onwebkitfullscreenerror",
"onbeforexrselect","onabort","onblur","oncancel","oncanplay","oncanplaythrough","onchange","onclick","onclose","oncontextlost","oncontextmenu","oncontextrestored","oncuechange","ondblclick","ondrag","ondragend","ondragenter","ondragleave","ondragover",
"ondragstart","ondrop","ondurationchange","onemptied","onended","onerror","onfocus","onformdata","oninput","oninvalid","onkeydown","onkeypress","onkeyup","onload","onloadeddata","onloadedmetadata","onloadstart","onmousedown","onmouseenter","onmouseleave","onmousemove","onmouseout","onmouseover","onmouseup",
"onmousewheel","onpause","onplay","onplaying","onprogress","onratechange","onreset","onresize","onscroll","onsecuritypolicyviolation","onseeked","onseeking","onselect","onslotchange","onstalled","onsubmit","onsuspend","ontimeupdate","ontoggle","onvolumechange",
"onwaiting","onwebkitanimationend","onwebkitanimationiteration","onwebkitanimationstart","onwebkittransitionend","onwheel","onauxclick","ongotpointercapture","onlostpointercapture","onpointerdown","onpointermove","onpointerup","onpointercancel","onpointerover",
"onpointerout","onpointerenter","onpointerleave","onselectstart","onselectionchange","onanimationend","onanimationiteration","onanimationstart","ontransitionrun","ontransitionstart","ontransitionend","ontransitioncancel","oncopy","oncut","onpaste","onpointerrawupdate"]

on属性的相关利用方式:

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

0 人点赞