Xiao xiaoshuai! Yi qike
This is the case if the backup is too lazy.
-----------------------
Dom xss of QQ space
Xiao Shuai [0. S.T]
1. I saw the article about DOM xss and xss mining on the Internet a few days ago. I didn't expect Baidu to be able to dig out so many xss. So at the instigation of my mind, I happily came to sina, the legendary good blog station, how much sina hoped to be dug out XSS, now that everyone is expecting me to reveal how I found DOM XSS earlier, let's talk about XSS In the QQ space. (Everyone said: You! Deceiving the young minds of the masses ).
2. Well, now that everyone expects it, let me start. First open the QQ space (everyone on Earth), click in the article, and post a log called "test", then open "add connection", and then drop the test statement, see the results. 1
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2225023T4-0.jpg); "src =" http://www.bkjia.com/uploads/allimg/131121/2225023T4-0.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
(Figure 1)
Then we go back to the page to see what happened on the page. 2
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/22250254V-1.jpg); "src =" http://www.bkjia.com/uploads/allimg/131121/22250254V-1.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
(Figure 2)
= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2225023495-2.jpg); "src =" http://www.bkjia.com/uploads/allimg/131121/2225023495-2.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
(Figure 3) alert has xss. This indicates that the previous task was executed. In addition, javascript: alert ('xss'); is fully executed without interference. Then let's take a look at the cause of this XSS.
3. Let's look at this function. QQ space.
Function checkInputText (type, ele ){
If (! G_arrClickFlag [type]) {
G_arrClickFlag [type] = true;
Ele. value =;
Ele. style. color = #000;
}
}
Function confirm (){
Var strText = $ ("inputLinkText"). value. trim (). toInnerHTML ();
If (strText. length = 0 |! G_arrClickFlag [0]) {
Alert ("Enter the text of the link to be displayed ");
$ ("InputLinkText"). focus ();
Return;
}
If ($ (list) & $ (list). getResult (). length> 0 ){
$ N ("inputValue") [1]. value = $ (list). getResult () [0]. data;
}
Else {
$ N ("inputValue") [1]. value = "";
}
Var strValue = $ n ("inputValue") [type]. value. trim ();
If (strValue. length = 0 |! G_arrClickFlag [type + 1]) {
Switch (type ){
Case 0: alert ("Enter the URL"); break;
Case 1: alert ("Please select a friend or enter the correct QQ number"); break;
Case 2: alert ("Please enter your email address"); break;
}
If (type! = 1) $ n ("inputValue") [type]. focus ();
Return;
}
If (type = 0 ){
Var reg = new RegExp (^ (http | https | ftp | news): //) | mailto :), ig );
Var result = reg.exe c (strValue );
Var sUrl = result? StrValue. substr (result [0]. length): strValue;
/* If (sUrl. length> 0 & sUrl. substr (sUrl. length-1 )! = "/")
SUrl + = "/";*/
Var sHeader = result? Result [0]: "http ://";
StrValue = sHeader + sUrl;
}
Else if (type = 1 ){
StrValue = parseInt (strValue, 10 );
If (!! IsNaN (strValue) | strValue <= 10000 ){
Alert ("enter the correct QQ number ");
$ N ("inputValue") [type]. focus ();
$ ("InputAreaDiv" + type). style. backgroundColor = "# fff6d0 ";
$ ("QqHintArea"). className = "input_hint_wrong ";
Return;
}
}
Else if (type = 2 ){
If (! /^ ([A-za-z0-9 _-] +) @ ([(a-za-z0-9 _-] +.) + ([a-za-z0-9 _-]) + $/. test (strValue )){
Alert ("enter the correct email address ");
$ N ("inputValue") [type]. focus ();
Return;
}
If (! GetParameter ("emailflag", true ))
StrValue = "mailto:" + strValue;
}
If (!! GetParameter ("editorid", true )){
If (! Parent. g_arrQZEditorReturnVal)
Parent. g_arrQZEdit