官术网_书友最值得收藏!

XSS in Google Gruyere

This next part takes place on Google Gruyere, an XSS laboratory operated by Google that explains different aspects of XSS alongside appropriately vulnerable form input:

Google Gruyere is based loosely on a social network, such as Instagram or Twitter, where different users can share public snippets just like the former site's 280-word text blocks. Beyond the obvious, advertising of the service as being susceptible to XSS, there are small pieces of text, similar to what you'd find in real applications, hinting at areas of vulnerability. Some or limited support of HTML in a specific form is always a chance that the filters put in place by the site's developers to allow formatting markup, such as <p></p>, <b></b>, and <br/>, while keeping out scary stuff, such as <script></script>, will fail to sanitize your specially-crafted snippet.

Going through the submission form to create a New Snippet (after setting up an account), we can try to probe at the outer edges of the sanitizing process. Let's try using a script that even the most naive filter should capture:

<script>alert(1)</script>

A plain script tag, without any obfuscation, escape characters, or exotic attributes, is a pretty slow pitch, as follows:

When we look at the result of the submission, no alert() window is displayed and there's nothing to else to trigger the execution of the code, as follows:

The filter undoubtedly has some holes in it, but it does function at the most basic level by stripping out the <script> tags. Going through the XSS snippet lists we have in our Seclists repository, we find another one to try, ensuring the HTML tag is likely to be included in a form input meant to allow formatting code:

<a onmouseover="alert(document.cookie)">xxs link</a> 

document.cookie is a glimpse of our proposed attack scenario and a simple piece of data to surface via alert():

Going through the submission process again, we receive a different response. Success! Our strategy, using a boring formatting tag to Trojan-horse a malicious payload contained in its attribute, worked, and we now have a confirmed vulnerability to report:

主站蜘蛛池模板: 松潘县| 宣武区| 兖州市| 柘荣县| 商水县| 石泉县| 雷波县| 昌黎县| 扎兰屯市| 常宁市| 寻乌县| 克什克腾旗| 云和县| 赤城县| 延安市| 桂东县| 绿春县| 广河县| 江永县| 皋兰县| 阳信县| 黄大仙区| 佛教| 泰兴市| 理塘县| 泾川县| 巴彦淖尔市| 衡东县| 临邑县| 炎陵县| 晋宁县| 蓬溪县| 潞西市| 津南区| 黔南| 刚察县| 伊宁县| 临泽县| 洪泽县| 东阳市| 北川|