Chrome & IE XSS filter bypass: first wave 0day



A few days ago, sogili of Knownsec found an interesting bypass of the IE XSS filter, which is again caused by a difference, in this case a difference in how the server-side language handles the input. Beyond that, IE also has a feature that checks whether the request originates from the same domain; if it does, the XSS filter is disabled.


The Chrome XSS filter I looked at yesterday is different from IE's. On the surface nothing is replaced, but that is only how it appears. In fact, Chrome normalizes the HTML returned in the response; during this process it decides whether the GET request carries a potential XSS payload, and if so the normalized output is filtered and modified in various ways. You cannot see this directly in the page source, but you can use F12 (the developer tools) to take a good look at the page's behavior after normalization. This technique is very useful for exploring vulnerabilities.


Chrome's F12 lets you see the real HTML. What about other browsers? Use the DOM technique:


javascript:alert(document.getElementsByTagName('body')[0].innerHTML)


What is the benefit of this? It helps us determine the browser's normalization behavior and go on to identify normalization differences or bugs. Perhaps a payload that passes many websites' filters can be found this way; in fact this process could be written up as a browser-based fuzzing tool :P
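As an added example (not the author's code), here is the raw-vs-DOM comparison the post describes, written so the token diff runs anywhere while the fetch/DOM wrapper only runs in a browser console; the function names, the `compareRawVsDom` wiring and the sample strings are my own assumptions about how such a check would be built.

```javascript
// Added example, not from the original post: compare the raw HTML the server
// sent with the HTML the browser actually kept after parsing and normalising it.
// The token diff is pure JS; the wrapper at the end runs only when a DOM exists.

// Split HTML into coarse tokens: a tag (<...>) or a run of text between tags.
function tokenizeHtml(html) {
  return html.match(/<[^>]*>|[^<]+/g) || [];
}

// LCS diff of two token arrays. Entries are { op, tok } with op '=' (kept),
// '-' (only in the raw response) or '+' (only in the browser's DOM).
function diffTokens(a, b) {
  const n = a.length, m = b.length;
  const lcs = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
  for (let i = n - 1; i >= 0; i--)
    for (let j = m - 1; j >= 0; j--)
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1
                                 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
  const out = [];
  let i = 0, j = 0;
  while (i < n && j < m) {
    if (a[i] === b[j]) { out.push({ op: '=', tok: a[i] }); i++; j++; }
    else if (lcs[i + 1][j] >= lcs[i][j + 1]) out.push({ op: '-', tok: a[i++] });
    else out.push({ op: '+', tok: b[j++] });
  }
  while (i < n) out.push({ op: '-', tok: a[i++] });
  while (j < m) out.push({ op: '+', tok: b[j++] });
  return out;
}

// Only the tokens the browser changed. Whitespace and case are folded first so
// plain tag-name lowercasing is not reported as a normalisation difference.
function normalizationChanges(rawHtml, domHtml) {
  const norm = (t) => t.map((x) => x.trim().toLowerCase()).filter(Boolean);
  return diffTokens(norm(tokenizeHtml(rawHtml)), norm(tokenizeHtml(domHtml)))
    .filter((e) => e.op !== '=');
}

// Browser-only (hypothetical wiring): re-fetch the current URL as text, which
// is what the server returned, and diff its body against the live DOM body.
async function compareRawVsDom() {
  const raw = await (await fetch(location.href, { credentials: 'include' })).text();
  const rawBody = (raw.match(/<body[^>]*>([\s\S]*)<\/body>/i) || [, raw])[1];
  const changes = normalizationChanges(rawBody, document.body.innerHTML);
  console.table(changes); // each row: what the browser dropped or rewrote
  return changes;
}

if (typeof document !== 'undefined') compareRawVsDom();
```

Run from the console of the page under test; every `-`/`+` pair shows where the browser's parser or filter rewrote the server's output, which is exactly the difference a server-side filter has to be validated against.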


Using this technique, I found some interesting filtering mechanisms in Chrome's XSS filter and succeeded in XSS, haha. As for tips, several 0-days will be written into the vulnerability mining chapter of "Cross-Site Path", to be published next spring. Look forward to it. Since some of the work is already finished, we are publishing this notice now.


By the way, the knowledge in this book, "Cross-Site Path", will definitely be useful for fishing, and it will let everyone know the various ins and outs of the cross-site world, some of which have never been disclosed. Why do I need to write this book? Because the road of life is long, and cross-site is just one path I have walked over the past few years. It is still wonderful, but my heart is not in this small thing; the world is wonderful, and more magical fans are waiting for us to crack the game. When there are so many vacant positions, we can try to fill in the more interesting ones.


Pressure @_@!

From: evilcos.me
