官术网_书友最值得收藏!

XSS in Google Gruyere

This next part takes place on Google Gruyere, an XSS laboratory operated by Google that explains different aspects of XSS alongside appropriately vulnerable form input:

Google Gruyere is based loosely on a social network, such as Instagram or Twitter, where different users can share public snippets just like the former site's 280-word text blocks. Beyond the obvious, advertising of the service as being susceptible to XSS, there are small pieces of text, similar to what you'd find in real applications, hinting at areas of vulnerability. Some or limited support of HTML in a specific form is always a chance that the filters put in place by the site's developers to allow formatting markup, such as <p></p>, <b></b>, and <br/>, while keeping out scary stuff, such as <script></script>, will fail to sanitize your specially-crafted snippet.

Going through the submission form to create a New Snippet (after setting up an account), we can try to probe at the outer edges of the sanitizing process. Let's try using a script that even the most naive filter should capture:

<script>alert(1)</script>

A plain script tag, without any obfuscation, escape characters, or exotic attributes, is a pretty slow pitch, as follows:

When we look at the result of the submission, no alert() window is displayed and there's nothing to else to trigger the execution of the code, as follows:

The filter undoubtedly has some holes in it, but it does function at the most basic level by stripping out the <script> tags. Going through the XSS snippet lists we have in our Seclists repository, we find another one to try, ensuring the HTML tag is likely to be included in a form input meant to allow formatting code:

<a onmouseover="alert(document.cookie)">xxs link</a> 

document.cookie is a glimpse of our proposed attack scenario and a simple piece of data to surface via alert():

Going through the submission process again, we receive a different response. Success! Our strategy, using a boring formatting tag to Trojan-horse a malicious payload contained in its attribute, worked, and we now have a confirmed vulnerability to report:

主站蜘蛛池模板: 永定县| 克什克腾旗| 石首市| 沙雅县| 郴州市| 阜新| 长沙市| 专栏| 小金县| 泗水县| 青河县| 霞浦县| 新宁县| 晋州市| 绥滨县| 于都县| 康马县| 朔州市| 霍林郭勒市| 新建县| 上高县| 洞头县| 黄冈市| 璧山县| 桃江县| 宜昌市| 武宣县| 随州市| 绵竹市| 沾化县| 通化市| 两当县| 班玛县| 衡东县| 大丰市| 交城县| 屏边| 六枝特区| 乐山市| 怀化市| 永吉县|