
How is HTML injection possible in this domxss.com challenge

OWASP's testing for HTML injection page ( link ) shows a particular code that is supposed to be vulnerable to HTML injection.

<script src="../js/jquery-1.7.1.js"></script>
<script>
function setMessage(){
    var t=location.hash.slice(1);
    $("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
}
$(document).ready(setMessage  );
$(window).bind("hashchange",setMessage)
</script>
<body>
    <script src="../js/embed.js"></script>
    <span><a href="#message" > Show Here</a><div id="message">Showing Message1</div></span>
    <span><a href="#message1" > Show Here</a><div id="message1">Showing Message2</div>
    <span><a href="#message2" > Show Here</a><div id="message2">Showing Message3</div>
</body>

This code is one of the challenges on ( domxss.com ) and I am unsure of how this is vulnerable.

From what I understand, the URL's hash can be used as an input and any change in the URL will trigger the setMessage function. This URL hash will be my payload. However, this payload is only being used as a selector in jQuery, which is where I hit a wall.

I am relatively new to XSS so any payloads will be appreciated. An explanation is obviously welcome.

Also, any resources to better understand HTML injection attacks via jQuery will be useful.

Yes, very old versions of jQuery are vulnerable to XSS from a dynamic selector string. See Bug # 11290 on jQuery's bug tracker - if formulated just right, the selector string can be accidentally interpreted as HTML. If the selector string can be provided by the user, you could be in trouble.

For a minimal example:

 $(`div[class='<img src="" onerror=alert("evil")>]`).text("The DOM is now loaded and can be manipulated.");
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

So, the original

$("div[id="+t+"]")

can be injected with such a t that results in arbitrary code running.

 const t = `'<img src="" onerror=alert("evil")>]`; $("div[id="+t+"]").text("The DOM is now loaded and can be manipulated.");
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

The bug was fixed 9 years ago, so unless you're deliberately using an ancient version of jQuery and never update your dependencies, it probably won't affect you.

The bug was ultimately caused by an insufficiently strict regex.
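For readers who want to see what the fix looks like on the application side, here is an added example (not code from the question, the answer, or domxss.com) of a hardened setMessage(): it validates location.hash against a strict id pattern and an allow-list, then looks the element up by id instead of concatenating user input into a jQuery selector. It also carries a small check that reproduces the string-to-HTML decision old jQuery made; the regex used for that is my reconstruction of jQuery 1.7.x's quickExpr and is an assumption, as are the allow-list and all function names.

```javascript
// Added example, not from the question, the answer, or domxss.com.
// Assumptions: the allow-list and function names are mine; OLD_JQUERY_QUICK_EXPR
// is a reconstruction of jQuery 1.7.x's quickExpr and may differ from the real source.

// Reconstruction (assumption) of the test old jQuery applied to strings passed to $().
// First alternative: any string with a "<...>" run after optional non-"#" characters
// is taken as HTML markup; second alternative: a plain "#id". Bug #11290 lives in
// the first alternative, since "div[id='<img ...>]" satisfies it.
const OLD_JQUERY_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Returns true when the reconstructed check would parse `selector` as HTML.
// Useful as a regression test for any code that still builds selectors dynamically.
function oldJQueryTreatsAsHtml(selector) {
  const m = OLD_JQUERY_QUICK_EXPR.exec(selector);
  return m !== null && m[1] !== undefined;
}

// Only ids made of letters, digits, "-" and "_" are acceptable hash targets.
const ID_PATTERN = /^[A-Za-z0-9_-]+$/;

// Constructed allow-list mirroring the three divs in the challenge page.
const ALLOWED_TARGETS = new Set(['message', 'message1', 'message2']);

// Turns a raw location.hash value into a validated element id, or null when the
// value is malformed, contains disallowed characters, or names an unknown element.
function targetIdFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let decoded;
  try {
    decoded = decodeURIComponent(raw); // "%3C" must not slip past the pattern as "<"
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!ID_PATTERN.test(decoded)) return null;
  if (!ALLOWED_TARGETS.has(decoded)) return null;
  return decoded;
}

// Hardened replacement for the challenge's setMessage(): a lookup by id, never a
// selector string assembled from user input. `doc` is injected so the function can
// be exercised outside a browser; returns true when a message was written.
function setMessageSafely(hash, doc) {
  const id = targetIdFromHash(hash);
  if (id === null) return false;
  const el = doc.getElementById(id);
  if (!el) return false;
  el.textContent = 'The DOM is now loaded and can be manipulated.';
  return true;
}

// Browser wiring, equivalent to the original $(document).ready / hashchange hooks.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const run = () => setMessageSafely(window.location.hash, document);
  window.addEventListener('DOMContentLoaded', run);
  window.addEventListener('hashchange', run);
}
```

The allow-list is deliberately redundant with the character pattern: the pattern alone already removes the `<` that the old quickExpr keyed on, while the allow-list keeps the hash from selecting an unrelated element even with a fully patched jQuery, which is the more durable property to rely on.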
