Browser security-css, JavaScript


Cascading style sheets (CSS)

There are three ways of including it:

1. With a <style> block.
2. Via <link rel=stylesheet>, or with the style attribute.
3. In XML (including XHTML), via <?xml-stylesheet href=...?>.

The browser does HTML parsing first and CSS parsing only afterwards, so the following code breaks: the HTML parser closes the style element at the </style> inside the unterminated url() string, and the CSS parser is left with an unfinished rule.

<style>some_descriptor { background: url("http://www.example.com/</style>

Character encoding:

To make it possible to use characters that would otherwise be problematic in CSS, CSS provides escapes: a backslash (\) followed by up to six hexadecimal digits.

The character e can be encoded as \65, \065 or \000065. When the character immediately following the escape is itself a hexadecimal digit, only the last (six-digit) form is parsed as intended.

For example, encoding teak as t\65ak does not work, because the decoder reads \65a as a single character.

To avoid this, a whitespace character can be added after the escape, for example t\65 ak.

Many CSS parsers also parse strings outside of quotation marks.

The following two lines are equivalent in IE:

<A STYLE="color: expression\028 alert \028 1 \029 \029">
<A STYLE="color: expression(alert(1))">
Fuzzing

The parsing rules of CSS differ from HTML and JavaScript in several ways.

When JavaScript has a syntax error, the entire script block is ignored; when CSS has a parse error, the browser tries to skip only the invalid part and keeps going.

This is similar to HTML: when HTML syntax is wrong, the browser tries to repair it and renders it anyway.

The @ symbol introduces special rules in a style sheet: the character set (@charset), media-specific styles (@media), importing an external style sheet (@import), an external font (@font-face), a namespace (@namespace) or the presentation of printed pages (@page).

When declaring a character set, a multibyte encoding can be chosen (such as Shift-JIS, Big5, EUC-JP, EUC-KR or GB2312) in which a lead byte swallows the following backslash:

@charset "GB-2312";*{content:"a%90\"; color:red; z:k";}

Will resolve to:

@charset "GB-2312";*{content:"a撞"; color:red; z:k";}

There is also the UTF-7 case:

@charset "UTF-7";*{content:"a+ACIAOw- color:red; z:k";}

Will resolve to:

@charset "UTF-7";*{content:"a"; color:red; z:k";}

In IE, UTF-7 can also be selected without @charset, using the UTF-7 encoded byte-order mark:

+/v8-*{content:"a+ACIAOw- color:red; z:k";}

Some browsers also let a character set be declared when a style sheet is linked:

<link rel=stylesheet charset=UTF-7 href=stylesheet>

CSS selectors are an interesting area: they can contain strings, expressions and functions, and a selector can also span multiple lines.

A rule set in CSS is made up of property/value pairs, usually declared in the following form:

property: value;

The property name is a keyword built from letters, digits, dashes and characters above 0x7f, and escapes offer a way around a naive check on it:

-moz-binding is equivalent to \2d moz\2d binding.

IE does not strictly follow this rule: if a property name contains more than one word, only the first word is used and the rest are ignored:

a b c: value;
a: value;

The above two rules are equivalent. In IE the colon can also be replaced by =:

a = value;
a: value;

These two are also equivalent.

It is also important that IE allows strings, URLs and selectors to span multiple lines.

The most obvious limitation of CSS is that it is not a programming language but a styling language: it has no programming logic.

Attacking with CSS alone, without the help of JavaScript, is hard; the discussion below is restricted to attacks that rely on CSS only and on no other scripting language.

The whole logic:

element:condition { action; }

element can be any element and condition a CSS pseudo-class such as :visited, :active, :hover or :selected. The event pseudo-classes:

1. :hover, the mouse hovers over an element.
2. :active, the element is clicked.
3. :focus, the cursor is placed in an element.

Clickjacking with CSS:

<style>
iframe{filter:alpha(opacity=0);opacity: 0;position: absolute;top: 0px;left: 0px;height: 300px;width: 250px;}
img{position: absolute;top: 0px;left: 0px;height: 300px;width: 250px;}
</style>
<iframe src="the page the user actually interacts with"></iframe>

One defence against clickjacking is to add the x-frame-options:never header; the other is JavaScript:

<body><script>if(top!=self)document.write("<plaintext>");</script>

Both methods have limitations; see the earlier article on clickjacking: http://drops.wooyun.org/tips/104
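As an added example (not from the original article), the following classifies a response's framing protection from its headers, the check a scanner or regression test would run for the header-based defence above. It assumes headers are given as a plain object of names to values (the samples are constructed). Browsers honour X-Frame-Options DENY and SAMEORIGIN, the Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options when both are present, and an X-Frame-Options value browsers do not recognise gives no protection.

```javascript
// Added example, not from the original article. Classify a response's framing
// policy from its headers, as a scanner or regression test would.
// Assumes headers is a plain object { name: value } (constructed input below).
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  // CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    const sources = fa.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || sources.includes("'none'")) return "blocked";
    if (sources.includes("*")) return "unprotected";
    if (sources.length === 1 && sources[0] === "'self'") return "same-origin";
    return "allow-list";
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return "same-origin";
  if (xfo.startsWith("ALLOW-FROM")) return "obsolete"; // never in Chrome, dropped by Firefox
  return "unprotected"; // missing header, or a value browsers do not recognise
}

// Constructed sample responses (not real servers).
const SAMPLES = {
  hardened: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
              "X-Frame-Options": "SAMEORIGIN" },
  legacy:   { "X-Frame-Options": "deny" },
  partner:  { "Content-Security-Policy": "frame-ancestors 'self' https://partner.example" },
  typo:     { "X-Frame-Options": "never" },
  none:     {},
};

// Audit every sample and return { name: policy }.
function auditAll() {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLES)) result[name] = framingPolicy(headers);
  return result;
}

console.log(auditAll());
```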

The following is valid CSS2 and has no effect in Firefox, Safari, Chrome, Opera, IE7, IE8 or IE9, but in IE6 it executes code:

<style>foo[bar|="} *{xss: expression(alert(1));} x{"]{  color:red;}</style>

color in the following code can also be written as c\olor, \c\o\l\or or c\6f l\06f R.

*{color: red;}
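The escape rules from the character-encoding section (\65, \065, \000065, the t\65ak pitfall, \2d moz\2d binding, expression\028 ... and the c\olor forms of color just above) are easiest to verify with a decoder. The following is an added example, not code from the original article: it implements the CSS 2.1 escape rule and shows why a filter matching on raw text misses the escaped expression() form; the function names are chosen here.

```javascript
// Added example, not from the original article: decode CSS backslash escapes
// so a filter compares the text the CSS parser will actually see.
// Rule (CSS 2.1, 4.1.3): "\" + 1..6 hex digits is a code point, and one
// whitespace character directly after the digits is swallowed; "\" followed
// by any other character stands for that character itself.
function cssUnescape(input) {
  let out = "";
  for (let i = 0; i < input.length; i++) {
    if (input[i] !== "\\") { out += input[i]; continue; }
    let j = i + 1;
    let hex = "";
    while (j < input.length && hex.length < 6 && /[0-9a-fA-F]/.test(input[j])) {
      hex += input[j++];
    }
    if (hex.length > 0) {
      if (j < input.length && /[ \t\r\n\f]/.test(input[j])) j++; // escape terminator
      const cp = parseInt(hex, 16);
      out += (cp === 0 || cp > 0x10ffff) ? "\uFFFD" : String.fromCodePoint(cp);
    } else if (j < input.length) {
      if (input[j] !== "\n") out += input[j]; // "\o" -> "o"; "\<newline>" continues a string
      j++;
    }
    i = j - 1;
  }
  return out;
}

// Normalise a property name or value before matching: decode, lower-case
// (CSS keywords are case-insensitive) and drop whitespace.
function cssNormalize(text) {
  return cssUnescape(text).toLowerCase().replace(/\s+/g, "");
}

// Defender-side check: does a style attribute resolve to an IE expression()
// call, however it was escaped? Matching the raw text would miss "expression\028".
function containsExpression(styleValue) {
  return cssNormalize(styleValue).includes("expression(");
}
```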
Browser scripting language

The following two pieces of code are not the same when JavaScript is parsed:

Code one:

<script>var my_variable1 = 1; var my_variable2 = </script><script>2;</script>

Code two:

<script>var my_variable1 = 1; var my_variable2 = 2;</script>

This is because the HTML parser closes the first script element of code one at the first </script>, before the JavaScript is parsed, which leaves that block syntactically incomplete.

The resulting error causes the whole script block to be ignored, so none of the code inside that tag is executed.

There are two ways to define a function in JS:

var aaa = function(){...}
function aaa(){...}

A function defined with var cannot be called before its declaration; it must be declared first and called afterwards.

A function defined with a function declaration can be called before it is declared.

<script>
  //aaa(); calling it here would throw an error
  var aaa = function(){
    alert("A");
  }
  aaa(); // this call works
  // call first, declare later
  bbb();
  function bbb(){
    alert("bb");
  }
</script>

For historical reasons, the names of some HTML elements (<FORM>, <EMBED>, <OBJECT>, <APPLET>, among others) are also mapped directly into the document's namespace, as in the following snippet:

<script> alert(document.hello.src);</script>

DOM operations:

document.getElementById("output").innerHTML = "<b>Hi mom!</b>";

This inserts <b>Hi mom!</b> into the element with id output. Each assignment through .innerHTML parses the data and re-serializes a complete tree, so the following code:

some_element.innerHTML = "<b>Hi";
some_element.innerHTML += " mom!</b><i>";

Equivalent to the following code:

some_element.innerHTML = "<b>Hi</b> mom!<i></i>";

The DOM also decodes some characters on its own. Consider the following code:

<textarea style="display:none" id="json">{
  "name":"Jack&quot;",
  "country":"China"
}</textarea>
My name is :<span id="me">loading...</span>
<script>
function $(id){
  return document.getElementById(id);
}
var data=$("json").value;
alert(data);
var profile=eval("("+data+")"); // convert the string into an object for easier handling
$("me").innerHTML = profile.name;
</script>

The alert shows that the data has become:

{
  "name":"Jack"",
  "country":"China"
}

The following example is also decoded when getAttribute is used:

<div id="bigimage"></div><script>function $(id){  return document.getElementById(id);}function test(){  big=$("pic").getAttribute("bigpic");// big is now: http://baidu.com"><i b =  $("bigimage").innerHTML="
JavaScript encoding

JavaScript supports several character encodings:

1. C-style escapes: \b for backspace, \t for horizontal tab and so on; these are standard ECMAScript escapes.
2. Three digits: a backslash followed by an octal number, for example \145 for the character e. This syntax is not part of ECMAScript, but almost all browsers support it.
3. Two digits: a backslash, x and a hexadecimal number, for example \x65 for the character e. Also not part of ECMAScript, but well supported at the parser level, as in C.
4. Four digits: Unicode escapes, a 16-bit hexadecimal number, for example \u0065 for the character e; this is a standard ECMAScript escape.

Note that such escapes can also be applied to the characters of an identifier (but not to parentheses or quotes), so the following code runs normally:

<script>\u0061lert("This displays a message!");</script>
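As an added example (not code from the original article), the following decodes the four escape forms listed above inside a string literal and, separately, the \u form that is the only one legal in an identifier, so that a detection rule can compare decoded text instead of the obfuscated literal. The function names and the sample literals are constructed for this illustration.

```javascript
// Added example, not from the original article: decode the four escape forms
// listed above so a detection rule compares the decoded text, e.g. "alert",
// rather than the obfuscated literal "\x61\154\u0065rt".
const C_ESCAPES = { b: "\b", t: "\t", n: "\n", v: "\v", f: "\f", r: "\r" };

// Decode the body of a JavaScript string literal (quotes already removed).
function decodeJsStringEscapes(body) {
  let out = "";
  for (let i = 0; i < body.length; i++) {
    if (body[i] !== "\\") { out += body[i]; continue; }
    const rest = body.slice(i + 1);
    let m;
    if ((m = /^([0-3][0-7]{0,2}|[4-7][0-7]?)/.exec(rest))) {   // legacy octal: \145
      out += String.fromCharCode(parseInt(m[0], 8));
    } else if ((m = /^x([0-9a-fA-F]{2})/.exec(rest))) {       // hex: \x65
      out += String.fromCharCode(parseInt(m[1], 16));
    } else if ((m = /^u([0-9a-fA-F]{4})/.exec(rest))) {       // unicode: \u0065
      out += String.fromCharCode(parseInt(m[1], 16));
    } else if ((m = /^u\{([0-9a-fA-F]{1,6})\}/.exec(rest))) { // ES2015: \u{65}
      out += String.fromCodePoint(parseInt(m[1], 16));
    } else if ((m = /^[btnvfr]/.exec(rest))) {                // C-style: \t
      out += C_ESCAPES[m[0]];
    } else {                                                   // "\a" is just "a"
      m = [rest.slice(0, 1)];
      out += m[0];
    }
    i += m[0].length; // skip the digits/letters that belonged to the escape
  }
  return out;
}

// Outside a string only the \u form is legal, and only inside identifier names:
// \u0061lert(1) runs, while \x61lert(1) is a syntax error and parentheses or
// quotes cannot be escaped at all. Decode only escapes that yield identifier chars.
function decodeIdentifierEscapes(src) {
  return src.replace(/\\u([0-9a-fA-F]{4})|\\u\{([0-9a-fA-F]{1,6})\}/g, (whole, four, braced) => {
    const ch = String.fromCodePoint(parseInt(four !== undefined ? four : braced, 16));
    return /^[\p{ID_Continue}$_]$/u.test(ch) ? ch : whole; // "\u0028" stays: the engine rejects it
  });
}
```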
Fuzzing

In JavaScript, the window object is the global object: variables defined without a qualifier are global, and the methods of window can be accessed directly:

<script type="text/javascript">alert(1);window.alert(1); window.alert(window.alert); </script>

And it can be overridden:

<script type="text/javascript">function alert() {}alert(1)</script>

There are two ways to define an array:

<script type="text/javascript">x=[1,alert,{},[],/a/];alert(x[4]);</script>

The comma operator returns its last operand:

<script type="text/javascript">objLiteral={"objProperty":123};alert(objLiteral[0,1,2,3,"objProperty"]);</script>
<script type="text/javascript">objLiteral={"objProperty":123};alert(objLiteral[(0,1,2,3,(0,"objProperty"))]);</script>

Besides "string" and 'string', there are other ways to produce strings in JavaScript:

<script type="text/javascript">
alert(/I am a string/+"");
alert(/I am a string/.source);
alert(/I am a string/["source"]);
alert(["I am a string"]+[])
</script>

The first alert concatenates a regular expression with an empty string, which forces JavaScript to convert the regular expression to a string. The second uses the source property of the standard RegExp object, which returns the text of the regular expression as a string, and the third is another way of accessing the same property. The fourth alert shows that when an array is used as a string without accessing a specific element, its toString() method is called automatically. There is also a non-standard way of using strings (already supported by IE8, Safari, Opera, Firefox and Chrome), indexing them like arrays:

<script type="text/javascript">alert("abcdefg"[0]);</script>

Function naming in Firefox is very permissive:

<script type="text/javascript">window.function=function function(){return function function() {return function function(){alert("Works in Firefox")}()}()}()</script>

JavaScript supports multi-line strings: when a line ends with a \, the string continues on the next line as a continuation of the previous one:

<script type="text/javascript">
alert("this is \
a string");
</script>

All JavaScript engines seem to support prefix operators such as +, -, ~, ++, -- and !, and the operators typeof and void can also be written in front of an expression.

<script type="text/javascript"> !~+-++alert(1)</script>
<script type="text/javascript"> void~void~typeof~typeof--alert(2)</script>
<script type="text/javascript"> alert(3)/abc</script>

In the latest Chrome and Safari the first two do not execute. The console shows that all three are actually errors: in the first two, alert returns undefined, on which ++ and -- are illegal operations; the last one tries to divide the result of alert by an undeclared variable, so alert executes before the error is raised.
