Based on the principle of DOM-XSS Detection

 

During the XSS detection process on a website, multiple search pages call the same function. Most of these variables are not strictly filtered. Most of these variables are typical XSS, for the typical XSS detection site, we have already explained this clearly, so I will not talk about it much ｡

I want to share with beginners who haven't touched dom xss what I learned when mining DOM XSS. At first, when detecting this variable on this website, "http: // XXXXXXXXXX/searchresult.html? Title = "is used to test various closed page labels. No XSS is found after observing the feedback results, next, modify the test statement based on the feedback to see if the test statement is "<>" or the keyword is filtered. No XSS is found ｡

In this case, do not rush to stop checking this function. dom xss will be missed because the test statements used by dom xss cannot be found, to detect dom xss, you need to have a basic understanding of its formation characteristics.

 

The special feature of dom xss lies in the fact that it must have the necessary conditions to form an XSS. Here, I will reference the content of Daniel's article as a reference for beginners to learn more.

 

The reasons for DOM based XSS are as follows:

A) Dirty data input B) Dirty data output

Location document. write (ln)

Document. referrer innerHTML =

Window. name outterHTML =

Ajax response write window. location operation

Jsonp write javascript: (custom content after pseudo-Protocol)

Directly execute the inputs box eval, setTimeout, and setInterval in form.

 

Take the above surface variable as an example to describe how to mine this XSS first add the test statement to the variable http://www.bkjia.com/searchresult.html? Title = ', alert (123),' XSS appears on the page

 

View the source code and find ', alert (123 ),'

<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312"/>

 

<Title> ', alert (123),' _ Quick question search _ PCgames quick question </title>

 

<Meta name = "keywords" content = "', alert (123),'"/>

 

<Script src = "http://www.bkjia.com/template/pcgames/header_js.jsp? Title = ', alert (123),' "> </script>

There is no problem above, mainly because the dirty data injected by the script below is passed into the above link, and then check the source code of this link.

 

Document. writeln ('', alert (123 ),'');

 

The document. write () in the page outputs dirty data, resulting in DOM XSS

 

This vulnerability occurs because "the content referenced in the script src of IE is rendered as JS, regardless of the suffix feature" causes this XSS ｡

Find the source code through <script src = "XXXXXXXXXX? Title = controllable variable "> substitute code: Observe the src page of the variable to find the tag that can be used to close the tag. a dom xss is detected ｡

Find the necessary conditions for dom xss formation, in this way, we can find the missing dom xss. Under the guidance of strong SF, I carefully modified it and shared it with beginners. As it is a cainiao, there are a lot of improper and lacking content, please give more guidance and correction ｡

 

From Fuck the w0rld!