PortSwigger lab: XSS attack experiments

Experiment 1: Reflected XSS with no encoding

Lab

html-context-nothing-encoded

Description

This lab contains a simple reflected cross-site scripting vulnerability in the search functionality.

To solve the lab, perform a cross-site scripting attack that calls the alert function.

Solution

Construct the simplest XSS payload directly (shown here URL-encoded, as it is submitted in the search parameter):

<script>alert%28%29<%2Fscript>

Experiment 2: Stored XSS with no encoding

Lab

html-context-nothing-encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality.

To solve this lab, submit a comment that calls the alert function when the blog post is viewed.

Solution

Post the simplest XSS payload as a blog comment; because it is stored, it fires every time the article page is loaded:

<script>alert()</script>

Experiment 3: DOM XSS that takes a URL parameter and writes it into the DOM

DOM XSS that reads the parameter from location.search and rebuilds the DOM with document.write

Lab

document-write-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

The page's JavaScript concatenates the user's search term into the src attribute of an img tag and inserts that node into the DOM. Use " to close the src attribute and > to close the img tag, then append the XSS code:

search="><script>alert()</script>

Experiment 4: DOM XSS that takes a URL parameter and writes it into innerHTML

Lab

innerhtml-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

A script tag inserted through an innerHTML assignment is not executed, so use the onerror event of an img tag to run the XSS code automatically instead:

<img src=2 onerror=alert()>

Experiment 5: DOM XSS via a jQuery selector that modifies an element attribute

Lab

jquery-href-attribute-sink

Description

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search.

To solve this lab, make the "back" link alert document.cookie.

Solution

On the Submit feedback page, the back button is an a tag whose href attribute is filled in by JavaScript from the returnPath parameter of the URL. Modify the URL so that the XSS code runs automatically:

?returnPath=javascript:alert()

Experiment 6: DOM XSS in a jQuery selector triggered by the hashchange event

Lab

jquery-selector-hash-change-event

Description

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

Solution

I did not fully work this one out. Looking at the JS source: when the page's hash value changes, an attribute value taken from the page data is used as the jQuery selector; once the element is found, the page scrolls to it. Modifying the body on the server and sending that response to the client changes the page's hash value, which triggers the XSS and executes the print() function.

(Official solution) Modify the body on the server:

<iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

Experiment 7: Reflected XSS with angle brackets encoded

Lab

attribute-angle-brackets-html-encoded

Description

This lab contains a reflected cross-site scripting vulnerability in the search blog functionality where angle brackets are HTML-encoded. To solve this lab, perform a cross-site scripting attack that injects an attribute and calls the alert function.

Solution

This lab encodes angle brackets. Looking at the page, the text typed into the search box becomes the value attribute of an input tag. Use a double quote to close the value attribute, add a mouseover event handler that executes the XSS code, and close the trailing double quote so the markup does not break:

" onmouseover=alert() a="
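Labs 1 to 4 reflect or store the input with no encoding at all, and lab 7 shows that encoding only the angle brackets is not enough once the value lands inside an attribute: the double quote still closes the attribute. The following JavaScript is an added example, not the labs' own code and not PortSwigger's: it renders a search page the way the labs do, with the weak angle-brackets-only encoder beside a full HTML encoder. The template, the function names (`encodeHtml`, `encodeAngleBracketsOnly`, `renderSearchPage`, `structurePreserved`) and the structural check are my assumptions; the payloads are the ones from the write-ups above, used only as test input.

```javascript
// Added example: HTML output encoding for the search reflection in labs 1-4 and 7.
// Not the lab's own code; the template and function names are assumptions.

// The five characters that change HTML structure. Encoding all of them is
// safe both in element text and inside a quoted attribute value.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Full encoder: the corrected setting.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// The weak setting from lab 7: only angle brackets are encoded, so a
// double quote still terminates the attribute value it is placed in.
function encodeAngleBracketsOnly(value) {
  return String(value).replace(/[<>]/g, (ch) => HTML_ENTITIES[ch]);
}

// Render the search form and result heading the way the labs do, with the
// query reflected once in an attribute and once in element text. The
// template itself contains exactly three tags and six double quotes.
function renderSearchPage(query, encoder) {
  const q = encoder(query);
  return `<input type="text" name="search" value="${q}">` +
         `<h1>0 search results for '${q}'</h1>`;
}

const TEMPLATE_TAG_OPENERS = 3;   // <input, <h1, </h1
const TEMPLATE_DOUBLE_QUOTES = 6; // three quoted attributes

// Demo-only structural check (not a production test): if the rendered page
// has more '<' or '"' characters than the template, the query opened a tag
// or escaped an attribute, which is exactly what the lab payloads do.
function structurePreserved(query, encoder) {
  const html = renderSearchPage(query, encoder);
  const tagOpeners = (html.match(/</g) || []).length;
  const doubleQuotes = (html.match(/"/g) || []).length;
  return tagOpeners === TEMPLATE_TAG_OPENERS && doubleQuotes === TEMPLATE_DOUBLE_QUOTES;
}

// Payloads taken from the write-ups above, used here only as test input.
const LAB_PAYLOADS = {
  lab1: '<script>alert()</script>',
  lab3: '"><script>alert()</script>',
  lab4: '<img src=2 onerror=alert()>',
  lab7: '" onmouseover=alert() a="',
};

for (const [lab, payload] of Object.entries(LAB_PAYLOADS)) {
  console.log(lab,
    'angle-brackets-only:', structurePreserved(payload, encodeAngleBracketsOnly),
    'full:', structurePreserved(payload, encodeHtml));
}
```

Run with `node`. Angle-bracket encoding alone is enough for lab 1's text context but fails for labs 3 and 7, where the double quote is the delimiter that matters; the full encoder holds the template's structure for all four payloads. In the browser the same result is reached more directly by assigning untrusted text with `textContent` or `setAttribute` instead of building markup strings for `document.write` or `innerHTML`.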

Experiment 8: Stored XSS in an href attribute with double quotes encoded

Lab

href-attribute-double-quotes-html-encoded

Description

This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the comment author name is clicked.

Solution

The website URL entered with a blog comment becomes the value of the a tag's href attribute:

Website:

javascript:alert()
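Labs 5 and 8 both work for the same reason: a URL under the user's control is assigned to an href attribute, and the browser honours the javascript: scheme there. HTML-encoding the quotes, as lab 8 does, changes nothing, because the scheme is interpreted after the attribute value is decoded. The following Node.js code is an added example, not the lab's code: it checks a user-supplied link against a scheme allow-list using the WHATWG URL parser before the link is used. `safeHref`, `ALLOWED_SCHEMES` and the placeholder origin `APP_ORIGIN` are assumptions; the sample links are constructed.

```javascript
// Added example: scheme allow-list for user-controlled links (labs 5 and 8).
// Not the lab's code. APP_ORIGIN is a placeholder for the site's own origin.
const APP_ORIGIN = 'https://app.example';
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a link that is safe to assign to an href, or the fallback.
// Using the URL parser rather than a regex matters: the parser trims
// leading and trailing whitespace and lower-cases the scheme, so a value
// such as ' JavaScript:' normalises to 'javascript:' and is rejected,
// which is the same normalisation the browser applies before navigating.
function safeHref(untrusted, fallback = '/') {
  let parsed;
  try {
    // Relative paths such as lab 5's returnPath resolve against the app origin.
    parsed = new URL(String(untrusted), APP_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return fallback;
  }
  return parsed.href;
}

// Constructed sample inputs: the two lab payloads plus a few variants.
const SAMPLE_LINKS = [
  '/post?postId=1',
  'https://portswigger.net/web-security',
  'javascript:alert()',
  'JavaScript:alert(document.cookie)',
  ' javascript:alert()',
  'data:text/plain,hello',
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), '->', safeHref(link));
}
```

Note that the allow-list rejects the scheme, not the destination: an http(s) link to another origin passes, so a separate same-origin check is needed where the link must stay on the site (as the "back" link in lab 5 should).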

Experiment 9: Reflected XSS in a JavaScript string with angle brackets encoded

Lab

javascript-string-angle-brackets-html-encoded

Description

This lab contains a [reflected cross-site scripting](https://portswigger.net/web-security/cross-site-scripting/reflected) vulnerability in the search query tracking functionality where angle brackets are encoded. The reflection occurs inside a JavaScript string. To solve this lab, perform a cross-site scripting attack that breaks out of the JavaScript string and calls the `alert` function.

Solution

Inspect the page's JavaScript; use ' to close the string and build a new JavaScript statement:

';alert();'
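Lab 9 is the case that HTML entity encoding cannot fix: the reflection lands inside a JavaScript string in an inline script element, and the browser does not decode HTML entities there, so the quote has to be neutralised with JavaScript escaping instead. The following is an added example, not the lab's code; `encodeForJsString`, `renderTrackingScript`, `literalValue` and the script template are my assumptions.

```javascript
// Added example: escaping for a value reflected inside a JavaScript string
// literal (lab 9). Not the lab's code; names and template are assumptions.

// Escape every character outside [A-Za-z0-9] as \xHH (or \uHHHH above 0xFF).
// This neutralises the string delimiters ' and ", the backslash, and also
// the '<' of a closing </script> tag, which would otherwise end the script
// element before the JavaScript parser ever sees the string.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render the inline tracking script the way the lab page does, but with the
// search term escaped for the string context it lands in.
function renderTrackingScript(searchTerm) {
  return `<script>var searchTerms = '${encodeForJsString(searchTerm)}';</script>`;
}

// Demo oracle: pull the string literal out of the rendered script and
// evaluate it on its own, which is how the browser's JavaScript parser
// reads it. Used to show that the literal round-trips to the original
// text instead of becoming a new statement.
function literalValue(renderedScript) {
  const m = /var searchTerms = ('.*');<\/script>$/.exec(renderedScript);
  if (!m) throw new Error('literal not found');
  return new Function('return ' + m[1])();
}

for (const term of ["';alert();'", '</script>', 'kettle']) {
  const script = renderTrackingScript(term);
  console.log(script, '=>', JSON.stringify(literalValue(script)));
}
```

The lab payload becomes `\x27\x3balert\x28\x29\x3b\x27`, a plain string whose value is the original text; no second statement is created. The same escaping rule also handles a term containing `</script>`, which HTML entity encoding of the page would not protect since the script element's content is raw text.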

Experiment 10: DOM XSS inside a select element

Lab

document-write-sink-inside-select-element

Description

This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search which you can control using the website URL. The data is enclosed within a select element.

To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls the alert function.

Solution

Looking at the JS code, the storeId parameter from the URL is added to the DOM, so construct the XSS code there:

storeId=<script>alert()</script>

Experiment 11: DOM XSS in an AngularJS expression with angle brackets and double quotes HTML-encoded

Lab

angularjs-expression

Description

This lab contains a [DOM-based cross-site scripting](https://portswigger.net/web-security/cross-site-scripting/dom-based) vulnerability in an [AngularJS](https://portswigger.net/web-security/cross-site-scripting/contexts/angularjs-sandbox) expression within the search functionality.

AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the `ng-app` attribute (also known as an AngularJS directive). When a directive is added to the HTML code, you can execute JavaScript expressions within double curly braces. This technique is useful when angle brackets are being encoded.

To solve this lab, perform a [cross-site scripting](https://portswigger.net/web-security/cross-site-scripting) attack that executes an AngularJS expression and calls the `alert` function.

Solution

AngularJS evaluates expressions inside double curly braces, so use the constructor function to execute JavaScript:

{{$on.constructor('alert(1)')()}}

Experiment 12: Reflected DOM XSS

Lab

dom-xss-reflected

Description

This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink.

To solve this lab, create an injection that calls the alert() function.

Solution

First submit a search from the search box and look at the page source: in searchResults.js, an anonymous function runs when the server response is received.

Inside that function, eval('var searchResultsObj = ' + this.responseText) calls eval on the response body concatenated into source text and executes it.
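The write-up stops at the eval sink, which is the root of lab 12: the response body is spliced into source text and executed, so whatever the server reflects into that body becomes code. As an added example, not the lab's code, the following Node.js snippet does the same step with JSON.parse, which reads the body as data and rejects anything that is not one well-formed JSON document; `parseSearchResponse` and the response shape `{results, searchTerm}` are assumptions, and the sample bodies are constructed.

```javascript
// Added example: replacing eval with JSON.parse for the lab 12 response.
// Not the lab's code; the response shape {results, searchTerm} is assumed.

// Parse the search response as data. JSON.parse never executes anything, so
// extra characters after the document, or JavaScript syntax inside it, are a
// SyntaxError rather than a code path. A light shape check follows so the
// rest of the page can rely on the fields it uses.
function parseSearchResponse(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON: ' + err.message };
  }
  if (data === null || typeof data !== 'object' || !Array.isArray(data.results)) {
    return { ok: false, reason: 'unexpected response shape' };
  }
  if (typeof data.searchTerm !== 'string') {
    return { ok: false, reason: 'searchTerm is not a string' };
  }
  return { ok: true, results: data.results, searchTerm: data.searchTerm };
}

// Constructed sample bodies, labelled as such.
const WELL_FORMED = '{"results":[],"searchTerm":"kettle"}';
// A body with extra source text after the object. eval() would execute
// whatever followed the literal; JSON.parse rejects the whole document.
const TRAILING_TEXT = '{"results":[],"searchTerm":"x"} trailing';
// A body whose fields do not match what the page expects.
const WRONG_SHAPE = '{"results":[],"searchTerm":5}';

for (const body of [WELL_FORMED, TRAILING_TEXT, WRONG_SHAPE, '[1,2]']) {
  console.log(body, '=>', JSON.stringify(parseSearchResponse(body)));
}
```

Parsing as data closes the eval sink, but the parsed `searchTerm` is still untrusted text: when the page shows it, it must go through `textContent` (or an HTML encoder), not `innerHTML`, or the same input reaches a second sink.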
