├── example.png
├── how_to_work.png
├── readme.md
├── xss_ctf1.php
├── xss_ctf2.php
├── xss_ctf3.php
├── xss_ctf4.php
├── xss_hunter.js
└── xss_test.php


/example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcatro/XSS-hunter/7a36b47c50989b338bef3c7da9f95a106bb975d6/example.png


--------------------------------------------------------------------------------
/how_to_work.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lcatro/XSS-hunter/7a36b47c50989b338bef3c7da9f95a106bb975d6/how_to_work.png


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ###XSS-hunter
 3 | ---
 4 | 
 5 | 目前国内的Android APP 较为广泛使用Webview 的方法快速开发产品,如果产品本身在Webview 上的设计出现了安全问题,很有可能会产生XSS 跨站甚至是跨域的脚本注入(对于Webview 上展示的页面来说,出现XSS 的危害不亚于RCE 远程代码执行[PK AV 浏览器专辑:疗一疗本土瘤览器](https://github.com/lcatro/Hacker_Document/blob/master/Browser/%E7%96%97%E4%B8%80%E7%96%97%E6%9C%AC%E5%9C%9F%E7%98%A4%E8%A7%88%E5%99%A8.pdf),所有的Webview 上的元素和执行逻辑都可以被XSS 所控制,如果XSS 出现在特权域,同样也可以导致RCE 安全问题[KCon-2013 黑哥议题:去年跨过的客户端](https://github.com/lcatro/Hacker_Document/blob/master/Browser/%E5%8E%BB%E5%B9%B4%E8%B7%A8%E8%BF%87%E7%9A%84%E5%AE%A2%E6%88%B7%E7%AB%AF.pptx)).`XSS-hunter` 通过分析Webview 页面上的XSS 特征,向开发人员提供APP 在发布之后来自用户使用的过程中回传有关APP Webview 里面的XSS 信息收集报告,加速热补丁更新速度,及时止损..<br/>
 6 | 下面是常见的反射型XSS 测试用例:<br/>
 7 | 
 8 |     http://127.0.0.1/xss_test.php?xss_test_1=<script>alert('xss');</script>  --  基本测试
 9 |     http://127.0.0.1/xss_test.php?xss_test_1=<img src="" onerror="alert('xss')" />  --  DOM <img> 元素事件XSS 执行测试
10 |     http://127.0.0.1/xss_test.php?xss_test_1=<iframe src="http://www.baidu.com" />  --  <iframe> 元素挂马测试
11 |     http://127.0.0.1/xss_test.php?xss_test_1=<svg>/<script>alert('xss');</script>  --  组合HTML 元素绕过测试
12 |     http://127.0.0.1/xss_test.php?xss_test_1=<div><a><img src="" onerror="alert('xss')" />  --  混合HTML 元素和img 事件绕过测试
13 |     http://127.0.0.1/xss_test.php?xss_test_2="  --  初期XSS 绕过元素属性闭合测试
14 |     http://127.0.0.1/xss_test.php?xss_test_2=" onerror="alert('xss');  --  元素事件XSS 测试
15 |     http://127.0.0.1/xss_test.php?xss_test_2=' " onload="alert('xss');  --  元素事件XSS 误报BUG 测试
16 |     http://127.0.0.1/xss_test.php?xss_test_2=" alt="change tips";  --  元素XSS 修改非事件属性测试
17 |     http://127.0.0.1/xss_test.php?xss_test_2=" /><script>alert('xss');</script>  --  绕过元素之外构造DOM XSS 测试
18 |     http://127.0.0.1/xss_test.php?xss_test_2=123  --  元素XSS 误报测试
19 | 
20 | 在测试中全部通过,`XSS-hunter` 的检测效果:<br/>
21 | ![example](https://raw.githubusercontent.com/lcatro/XSS-hunter/master/example.png)
22 | 


--------------------------------------------------------------------------------
/xss_ctf1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | if (isset($_GET['keyword'])) {
 4 |     if (strstr($_GET['keyword'],'<script>') && strstr($_GET['keyword'],'</script>'))
 5 |         echo '<script>alert("success");</script>';
 6 | 	echo '<br/><br/>'.$_GET['keyword'];
 7 | } else {
 8 | 	echo '<script>window.location.href="xss_ctf1.php?keyword=123";</script>';
 9 | }
10 | 
11 | ?>


--------------------------------------------------------------------------------
/xss_ctf2.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 |     if (isset($_POST['username']) && isset($_POST['username'])) {
 4 |         if (strstr($_POST['username'],'<script>') && strstr($_POST['username'],'</script>'))
 5 |             echo '<script>alert("success");</script>';
 6 |         if (strstr($_POST['password'],'<script>') && strstr($_POST['password'],'</script>'))
 7 |             echo '<script>alert("success");</script>';
 8 |     }
 9 | ?>
10 | 
11 | <html>
12 |     <body>
13 |         <form method="post">
14 |             Username:<input type="text" name="username" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /><br/>
15 |             Password:<input type="text" name="password" value="<?php if (isset($_POST['password'])) echo $_POST['password']; ?>" /><br/>
16 |             <input type="submit"/>
17 |         </form>
18 |     </body>
19 | </html>
20 | 


--------------------------------------------------------------------------------
/xss_ctf3.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 |     if (isset($_POST['Comment'])) {
 4 |         if (strstr($_POST['Comment'],'<script>') && strstr($_POST['Comment'],'</script>')) {
 5 |             echo '<script>alert("success");</script>';
 6 |         } else {
 7 |             $comment_data='<br/><br/>'.$_POST['Comment'];
 8 |             $comment_file=fopen('./data.txt','a');
 9 |             fwrite($comment_file,$comment_data);
10 |             fclose($comment_file);
11 |         }
12 |     }
13 | ?>
14 | 
15 | <html>
16 |     <body>
17 |         <div id="output_window">
18 |             <?php
19 |                 $comment_data=file_get_contents('./data.txt');
20 |                 echo $comment_data;
21 |             ?>
22 |         </div>
23 |         <form method="post">
24 |             Comment:<input type="text" name="Comment"/><br/>
25 |             <input type="submit"/>
26 |         </form>
27 |     </body>
28 | </html>
29 | 


--------------------------------------------------------------------------------
/xss_ctf4.php:
--------------------------------------------------------------------------------
 1 | 
 2 | <?php
 3 |     if (isset($_POST['Comment'])) {
 4 |         $comment_data='<br/><br/>'.$_POST['Comment'];
 5 |         $comment_file=fopen('./data.txt','a');
 6 |         fwrite($comment_file,$comment_data);
 7 |         fclose($comment_file);
 8 |     }
 9 | ?>
10 | 
11 | <html>
12 |     <body>
13 |         <div id="output_window">
14 |             <?php
15 |                 $comment_data=file_get_contents('./data.txt');
16 |                 echo $comment_data;
17 |             ?>
18 |         </div>
19 |         <form method="post">
20 |             Comment:<input type="text" name="Comment"/><br/>
21 |             <input type="submit"/>
22 |         </form>
23 |     </body>
24 | </html>
25 | 


--------------------------------------------------------------------------------
/xss_hunter.js:
--------------------------------------------------------------------------------
  1 | 
  2 | //  XSS 漏水报告
  3 | 
  4 | function report(xss_detail_element) {
  5 |     console.log('WARNING! EVAL ELEMENT .. '+xss_detail_element.tagName+'  '+xss_detail_element.src);
  6 | }
  7 | 
  8 | //  动态检测DOM 上变化来检测XSS
  9 | 
 10 | function dynamic_check_eval_event(element) {
 11 |     var black_element_event=['onerror','onload'];
 12 | 
 13 |     for (var element_attribute_index in element) {
 14 |         var event=eval('element.'+element_attribute_index);
 15 | 
 16 |         for (var black_element_event_index in black_element_event)
 17 |             if (black_element_event[black_element_event_index]==element_attribute_index && 'function'==typeof event) 
 18 |                 return true;
 19 |     }
 20 |     return false;
 21 | }
 22 | 
 23 | function dynamic_check_eval_element(element) {
 24 |     var black_element_name=['SCRIPT','IFRAME'];
 25 | 
 26 |     for (var index in black_element_name)
 27 |         if (black_element_name[index]==element.tagName)
 28 |             return true;
 29 | 
 30 |     return false;
 31 | }
 32 | 
 33 | function init() {
 34 |     //  init body observer object for monited dynamic element create ..
 35 |     var observer = new MutationObserver(function (mutations) {
 36 |         mutations.forEach(function (mutation) {
 37 |             if ('childList'==mutation.type || 'subtree'==mutation.type) {
 38 |                 for (var index=0;index<mutation.addedNodes.length;++index) {
 39 |                     var new_element=mutation.addedNodes[index];
 40 | 
 41 |                     if (dynamic_check_eval_event(new_element) || dynamic_check_eval_element(new_element)) {
 42 |                         console.log('WARNING ! Dynamic Create XSS ,inject DOM ..');
 43 |                     }
 44 |                 }
 45 |             } else if ('attributes'==mutation.type) {
 46 |                 var new_attribute_value=eval('mutation.target.'+mutation.attributeName);
 47 |                 var change_attribute_element=mutation.target;
 48 | 
 49 |                 if (dynamic_check_eval_event(change_attribute_element)) {
 50 |                     console.log('WARNING ! Dynamic Create XSS ,inject to attribute event ..');
 51 |                 }
 52 |             }
 53 |         }); 
 54 |     });
 55 |     observer.observe(document.body,{
 56 |         'childList': true,
 57 |         'subtree': true,
 58 |         'attributes' : true
 59 |     });
 60 |     test_case();
 61 | }
 62 | 
 63 | function test_case() {
 64 |     /*
 65 |     var img=document.createElement('img');
 66 |     img.src='http://www.baidu.com/';
 67 |     img.onerror='alert("xss");';
 68 |     document.body.appendChild(img);
 69 |     */
 70 | 
 71 |     var test_script='<img src="http://www.baidu.com/" onerror="alert(\'img on error xss\');" />';
 72 |     test_script+='<img src="https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/logo/logo_white.png" />';
 73 |     test_script+='<img>';
 74 |     test_script+='<img src="https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/logo_top_ca79a146.png" onload="alert(\'img onload  xss\');" />';
 75 |     test_script+='<script>alert("script xss");';
 76 |     test_script+='</script';
 77 |     test_script+='>';
 78 |     test_script+='<nb>';
 79 |     test_script+='</nb>';
 80 | 
 81 |     document.body.innerHTML=test_script;
 82 | 
 83 | //            document.body.innerHTML+='
 84 | //    /*<script>';
 85 |     /*
 86 |     img.onerror='alert("xasd");';
 87 |     img.alt='trd';
 88 | 
 89 |     var script=document.createElement('script');
 90 |     document.body.appendChild(script);
 91 |     */
 92 | }
 93 | 
 94 | //  反射XSS 检测部分
 95 | 
 96 | REFLECTED_XSS_INJECT_DOM=1;
 97 | REFLECTED_XSS_INJECT_ELEMENT_OR_JAVASCRIPT=2;
 98 | 
 99 | function split_url_parameter_value(parameter_key_value) {
100 |     var offset_equal_flag=parameter_key_value.indexOf('=');
101 |     var result={};
102 | 
103 |     if (-1!=offset_equal_flag) {
104 |         result['key']=parameter_key_value.substr(0,offset_equal_flag);
105 |         result['value']=parameter_key_value.substr(offset_equal_flag+1);
106 |     }
107 |     return result;
108 | }
109 | 
110 | function split_url_parameter_list() {
111 |     var current_url=window.location.href;
112 |     var is_exist_url_parameter=current_url.indexOf('?');
113 |     var result=[];
114 | 
115 |     if (-1!=is_exist_url_parameter) {
116 |         current_url=current_url.substr(is_exist_url_parameter+1);
117 | 
118 |         var every_parameter=current_url.indexOf('&');
119 | 
120 |         while (-1!=every_parameter) {
121 |             var parameter_key_value=current_url.substr(0,every_parameter);
122 |             var result_key_value_block=split_url_parameter_value(parameter_key_value);
123 | 
124 |             result.push(result_key_value_block);
125 |             current_url=current_url.substr(every_parameter+1);
126 |             every_parameter=current_url.indexOf('&');
127 |         }
128 |         var result_key_value_block=split_url_parameter_value(current_url);
129 | 
130 |         if (undefined!=result_key_value_block.key) 
131 |             result.push(result_key_value_block);
132 |     }
133 |     return result;
134 | }
135 | 
136 | function split_string_space(input_string) {
137 |     var next_space_index=input_string.indexOf(' ');
138 |     var result=[];
139 | 
140 |     while (-1!=next_space_index) {
141 |         result.push(input_string.substr(0,next_space_index));
142 | 
143 |         input_string=input_string.substr(next_space_index+1);
144 |         next_space_index=input_string.indexOf(' ');
145 |     }
146 |     result.push(input_string);
147 |     return result;
148 | }
149 | 
150 | function analayis_reflected_parameter_xss(danger_parameter_list) {
151 |     var result=[];
152 | 
153 |     for (var danger_parameter_list_index in danger_parameter_list) {
154 |         var analayis_index={};
155 |         var danger_parameter_index=danger_parameter_list[danger_parameter_list_index];
156 |         var eval_flag_index=find_first_eval_flag(danger_parameter_index);
157 | 
158 |         if (-1!=eval_flag_index) {
159 |             var eval_flag=danger_parameter_index[eval_flag_index];
160 | 
161 |             if ('<'==eval_flag || '>'==eval_flag) {
162 |                 analayis_index['reflected_type']=REFLECTED_XSS_INJECT_DOM;
163 |                 analayis_index['reflected_data']=danger_parameter_index;
164 |             } else if ('\''==eval_flag || '"'==eval_flag) {
165 |                 analayis_index['reflected_type']=REFLECTED_XSS_INJECT_ELEMENT_OR_JAVASCRIPT;
166 |                 analayis_index['reflected_data']=danger_parameter_index;
167 |             }
168 |         }
169 |         result.push(analayis_index);
170 |     }
171 | 
172 |     return result;
173 | }
174 | 
175 | function find_first_eval_flag(parameter_value_string) {
176 |     var flag_single_quotes_index=parameter_value_string.indexOf('\'');
177 |     var flag_quotes_index=parameter_value_string.indexOf('"');
178 |     var flag_less_than_signs_index=parameter_value_string.indexOf('<');
179 |     var flag_right_than_signs_index=parameter_value_string.indexOf('>');
180 | 
181 |     var first_char=-1;
182 | 
183 |     first_char=flag_single_quotes_index;
184 | 
185 |     if (-1==first_char ||
186 |         first_char>flag_quotes_index)
187 |         first_char=flag_quotes_index;
188 | 
189 |     if (-1==first_char ||
190 |         first_char>flag_less_than_signs_index)
191 |         first_char=flag_less_than_signs_index;
192 | 
193 |     if (-1==first_char ||
194 |         first_char>flag_right_than_signs_index)
195 |         first_char=flag_right_than_signs_index;
196 | 
197 |     return first_char;
198 | }
199 | 
200 | function check_insert_xss_code(parameter_value_string) {
201 |     if (-1!=find_first_eval_flag(parameter_value_string))
202 |         return true;
203 | 
204 |     return false;
205 | }
206 | 
207 | function check_insert_xss_into_element(reflected_parameter) {
208 |     if (REFLECTED_XSS_INJECT_DOM==reflected_parameter['reflected_type']) {
209 |         var insert_dom_string=reflected_parameter['reflected_data'];
210 |         var reg_matching=new RegExp('<\\w+>|<\\w+ |<\\w+\/','g');
211 |         var reg_matching_result=insert_dom_string.match(reg_matching);
212 | 
213 |         for (var pick_element_tag_name=0;pick_element_tag_name<reg_matching_result.length;++pick_element_tag_name)
214 |             reg_matching_result[pick_element_tag_name]=reg_matching_result[pick_element_tag_name].substr(1,reg_matching_result[pick_element_tag_name].length-2);
215 | 
216 |         var build_query_selector_string='';
217 | 
218 |         for (var pick_element_tag_name=0;pick_element_tag_name<reg_matching_result.length;++pick_element_tag_name)
219 |             build_query_selector_string+=reg_matching_result[pick_element_tag_name]+' ';
220 | 
221 |         var search_insert_element_list=document.body.querySelectorAll(build_query_selector_string);
222 | 
223 |         if (search_insert_element_list.length) {
224 |             console.log('WARNING ! found reflected DOM XSS ..');
225 |             return true;
226 |         }
227 |     } else if (REFLECTED_XSS_INJECT_ELEMENT_OR_JAVASCRIPT==reflected_parameter['reflected_type']) {
228 |         var insert_element_string=reflected_parameter['reflected_data'];
229 | 
230 |         if ('"'==insert_element_string ||
231 |             '\''==insert_element_string) {
232 |             /*
233 |                 选择含有' 和" 符号的HTML 元素,一般在XSS 初期测试的时候会通过注入' 和" 号看看能否开闭HTML 属性
234 |                 Example :
235 | 
236 |                 <img src="%input%" />
237 |                         |  
238 |                         v
239 |                 正常情况下:<img src="123" />
240 |                 转码情况下:<img src="123&quet" />
241 |                 XSS 成功情况下:<img src="123" " />
242 |             */
243 |             var attribute_selector=document.body.querySelectorAll('[\\'+insert_element_string+']');
244 | 
245 |             if (attribute_selector.length) {
246 |                 console.log('WARNING ! found reflected Attribute XSS -- Bypass Attribute String closed (" and \')..');
247 |                 return true;
248 |             }
249 |         } else {
250 |             var body_code=document.body.innerHTML;
251 |             var unencode_index=body_code.indexOf(insert_element_string);
252 |             var encode_index=body_code.indexOf(insert_element_string.replace(/</g,'%3C').replace(/>/g,'%3E'));
253 |             /*
254 |                 TIPS: 这种情况还需要注意绕过属性闭合构造DOM XSS 的情况,有可能在插入的时候< > 会被过滤成字符编码..
255 |                 Example:
256 | 
257 |                 " onerror="alert(\'element onerror() xss\');" /><script>alert(\'DOM XSS\');<//script>
258 |             */
259 | 
260 |             if (-1!=unencode_index) {
261 |                 console.log('WARNING ! found reflected Attribute XSS ,unencode insert code ..');
262 |                 return true;
263 |             } else if (-1!=encode_index) {
264 |                 console.log('WARNING ! found reflected Attribute XSS ,encode insert code ..');
265 |                 return true;
266 |             }
267 |             var attribute_list=split_string_space(insert_element_string);  //  使用分割属性的方法来匹配属性插入的元素
268 |             var valid_query_attribute_name_string='';
269 | 
270 |             for (var attribute_list_index_=0;attribute_list_index_<attribute_list.length;++attribute_list_index_) {
271 |                 var attribute_list_index=split_url_parameter_value(attribute_list[attribute_list_index_]);
272 | 
273 |                 if (undefined!=attribute_list_index['key'] && 
274 |                    ('"'!=attribute_list_index['key'] || '\''!=attribute_list_index['key']))
275 |                     valid_query_attribute_name_string+='['+attribute_list_index['key']+']';
276 |             }
277 |             var query_result=document.querySelectorAll(valid_query_attribute_name_string);
278 | 
279 |             if (query_result.length) {
280 |                 for (var query_result_index_=0;query_result_index_<query_result.length;++query_result_index_) {
281 |                     var query_result_index=query_result[query_result_index_];
282 |                 }
283 |                 console.log('WARNING ! found reflected Attribute XSS');
284 |                 return true;
285 |             }
286 |         }
287 |     }
288 |     return false;
289 | }
290 | 
291 | function check_reflected_xss() {
292 |     var url_parameter_list=split_url_parameter_list();
293 | 
294 |     /*
295 |         反射XSS Payload 集合
296 | 
297 |         注入代码到HTML DOM :
298 |         http://xxx.com/?messages=<script>alert('xss');<//script>
299 |         http://xxx.com/?messages=<img src='' onerror="alert('xss');" />
300 |         http://xxx.com/?messages=<iframe src="http://xx.com/" />
301 |         http://xxx.com/?messages=<a href="javascript:alert('xss');" />
302 |         http://xxx.com/?messages=<a href="data:text/html,<script>alert('xss');<//script>" />
303 |         注入代码到HTML Element Attribute 绕过:
304 |         http://xxx.com/?messages=" /><script>alert('xss')<//script>
305 |         http://xxx.com/?messages=" onerror="alert('xss');" />
306 |         注入代码到javascript :
307 |         http://xxx.com/?messages=';alert('xss');
308 | 
309 |         由上面的Payload 总结可以知道,反射型XSS 内带有< > " ' 关键字:
310 |         还有对应的URL Encode 混淆:%3C <  %3E >  %22 "  %27 '
311 | 
312 |         URL 解析过程:
313 |         http://xxx.com/a.php?arg=%3CScript%3ealert(%27xss%27);%3C/scRiPt%3e
314 |                                     |
315 |                         split_url_parameter_list()  
316 |                                     |
317 |                                     v
318 |                 arg=%3CScript%3ealert(%27xss%27);%3C/scRiPt%3e
319 |                                     |
320 |                                 unescape()
321 |                                     |
322 |                                     v
323 |                      arg=<Script>alert('xss');<//scRiPt>
324 |                                     |
325 |                             URL.toLowerCase()
326 |                                     |
327 |                                     v
328 |                      arg=<script>alert('xss');<//script>
329 | 
330 |         最后利用特征在document.querySelector 中发掘..
331 |     */
332 | 
333 |     if (url_parameter_list.length) {
334 |         var decode_parameter_list=[];
335 |         var danger_parameter_value_list=[];
336 | 
337 |         for (var parameter_index_ in url_parameter_list) {
338 |             var parameter_index=url_parameter_list[parameter_index_];
339 | 
340 |             decode_parameter_list.push(unescape(parameter_index['value']).toLowerCase().trim());
341 |         }
342 |         for (var decode_parameter_list_index in decode_parameter_list)
343 |             if (check_insert_xss_code(decode_parameter_list[decode_parameter_list_index]))
344 |                 danger_parameter_value_list.push(decode_parameter_list[decode_parameter_list_index]);
345 | 
346 |         if (danger_parameter_value_list.length) {
347 |             var reflected_parameter_list=analayis_reflected_parameter_xss(danger_parameter_value_list);
348 | 
349 |             for (var reflected_parameter_list_index in reflected_parameter_list) {
350 |                 if (check_insert_xss_into_element(reflected_parameter_list[reflected_parameter_list_index])) {
351 |                     console.log('WARNING reflected XSS ');
352 |                 }
353 |             }
354 |         }
355 |     }
356 |     return false;
357 | }
358 | 


--------------------------------------------------------------------------------
/xss_test.php:
--------------------------------------------------------------------------------
  1 | 
  2 | <html>
  3 | 
  4 |     <script>
  5 |         //  XSS 漏水报告
  6 |         
  7 |         function report(xss_detail_element) {
  8 |             console.log('WARNING! EVAL ELEMENT .. '+xss_detail_element.tagName+'  '+xss_detail_element.src);
  9 |         }
 10 | 
 11 |     </script>
 12 |     
 13 |     <script>
 14 |         //  动态检测DOM 上变化来检测XSS
 15 |         
 16 |         function dynamic_check_eval_event(element) {
 17 |             var black_element_event=['onerror','onload'];
 18 |             
 19 |             for (var element_attribute_index in element) {
 20 |                 var event=eval('element.'+element_attribute_index);
 21 |                 
 22 |                 for (var black_element_event_index in black_element_event)
 23 |                     if (black_element_event[black_element_event_index]==element_attribute_index && 'function'==typeof event) 
 24 |                         return true;
 25 |             }
 26 |             return false;
 27 |         }
 28 |         
 29 |         function dynamic_check_eval_element(element) {
 30 |             var black_element_name=['SCRIPT','IFRAME'];
 31 |             
 32 |             for (var index in black_element_name)
 33 |                 if (black_element_name[index]==element.tagName)
 34 |                     return true;
 35 |             
 36 |             return false;
 37 |         }
 38 |         
 39 |         function init() {
 40 |             //  init body observer object for monited dynamic element create ..
 41 |             var observer = new MutationObserver(function (mutations) {
 42 |                 mutations.forEach(function (mutation) {
 43 |                     if ('childList'==mutation.type || 'subtree'==mutation.type) {
 44 |                         for (var index=0;index<mutation.addedNodes.length;++index) {
 45 |                             var new_element=mutation.addedNodes[index];
 46 |                             
 47 |                             if (dynamic_check_eval_event(new_element) || dynamic_check_eval_element(new_element)) {
 48 |                                 console.log('WARNING ! Dynamic Create XSS ,inject DOM ..');
 49 |                             }
 50 |                         }
 51 |                     } else if ('attributes'==mutation.type) {
 52 |                         var new_attribute_value=eval('mutation.target.'+mutation.attributeName);
 53 |                         var change_attribute_element=mutation.target;
 54 |                         
 55 |                         if (dynamic_check_eval_event(change_attribute_element)) {
 56 |                             console.log('WARNING ! Dynamic Create XSS ,inject to attribute event ..');
 57 |                         }
 58 |                     }
 59 |                 }); 
 60 |             });
 61 |             observer.observe(document.body,{
 62 |                 'childList': true,
 63 |                 'subtree': true,
 64 |                 'attributes' : true
 65 |             });
 66 |             test_case();
 67 |         }
 68 |         
 69 |         function test_case() {
 70 |             /*
 71 |             var img=document.createElement('img');
 72 |             img.src='http://www.baidu.com/';
 73 |             img.onerror='alert("xss");';
 74 |             document.body.appendChild(img);
 75 |             */
 76 |             
 77 |             var test_script='<img src="http://www.baidu.com/" onerror="alert(\'img on error xss\');" />';
 78 |             test_script+='<img src="https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/logo/logo_white.png" />';
 79 |             test_script+='<img>';
 80 |             test_script+='<img src="https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/logo_top_ca79a146.png" onload="alert(\'img onload  xss\');" />';
 81 |             test_script+='<script>alert("script xss");';
 82 |             test_script+='</script';
 83 |             test_script+='>';
 84 |             test_script+='<nb>';
 85 |             test_script+='</nb>';
 86 |             
 87 |             document.body.innerHTML=test_script;
 88 |             
 89 | //            document.body.innerHTML+='
 90 | //    /*<script>';
 91 |             /*
 92 |             img.onerror='alert("xasd");';
 93 |             img.alt='trd';
 94 |     
 95 |             var script=document.createElement('script');
 96 |             document.body.appendChild(script);
 97 |             */
 98 |         }
 99 |     </script>
100 |     
101 |     <script>
102 |         //  反射XSS 检测部分
103 |         
104 |         REFLECTED_XSS_INJECT_DOM=1;
105 |         REFLECTED_XSS_INJECT_ELEMENT_OR_JAVASCRIPT=2;
106 |         
107 |         function split_url_parameter_value(parameter_key_value) {
108 |             var offset_equal_flag=parameter_key_value.indexOf('=');
109 |             var result={};
110 |             
111 |             if (-1!=offset_equal_flag) {
112 |                 result['key']=parameter_key_value.substr(0,offset_equal_flag);
113 |                 result['value']=parameter_key_value.substr(offset_equal_flag+1);
114 |             }
115 |             return result;
116 |         }
117 |         
118 |         function split_url_parameter_list() {
119 |             var current_url=window.location.href;
120 |             var is_exist_url_parameter=current_url.indexOf('?');
121 |             var result=[];
122 |             
123 |             if (-1!=is_exist_url_parameter) {
124 |                 current_url=current_url.substr(is_exist_url_parameter+1);
125 |                 
126 |                 var every_parameter=current_url.indexOf('&');
127 |                 
128 |                 while (-1!=every_parameter) {
129 |                     var parameter_key_value=current_url.substr(0,every_parameter);
130 |                     var result_key_value_block=split_url_parameter_value(parameter_key_value);
131 |                     
132 |                     result.push(result_key_value_block);
133 |                     current_url=current_url.substr(every_parameter+1);
134 |                     every_parameter=current_url.indexOf('&');
135 |                 }
136 |                 var result_key_value_block=split_url_parameter_value(current_url);
137 | 
138 |                 if (undefined!=result_key_value_block.key) 
139 |                     result.push(result_key_value_block);
140 |             }
141 |             return result;
142 |         }
143 |         
144 |         function split_string_space(input_string) {
145 |             var next_space_index=input_string.indexOf(' ');
146 |             var result=[];
147 |             
148 |             while (-1!=next_space_index) {
149 |                 result.push(input_string.substr(0,next_space_index));
150 |                 
151 |                 input_string=input_string.substr(next_space_index+1);
152 |                 next_space_index=input_string.indexOf(' ');
153 |             }
154 |             result.push(input_string);
155 |             return result;
156 |         }
157 |         
158 |         function analayis_reflected_parameter_xss(danger_parameter_list) {
159 |             var result=[];
160 |             
161 |             for (var danger_parameter_list_index in danger_parameter_list) {
162 |                 var analayis_index={};
163 |                 var danger_parameter_index=danger_parameter_list[danger_parameter_list_index];
164 |                 var eval_flag_index=find_first_eval_flag(danger_parameter_index);
165 |                 
166 |                 if (-1!=eval_flag_index) {
167 |                     var eval_flag=danger_parameter_index[eval_flag_index];
168 |                     
169 |                     if ('<'==eval_flag || '>'==eval_flag) {
170 |                         analayis_index['reflected_type']=REFLECTED_XSS_INJECT_DOM;
171 |                         analayis_index['reflected_data']=danger_parameter_index;
172 |                     } else if ('\''==eval_flag || '"'==eval_flag) {
173 |                         analayis_index['reflected_type']=REFLECTED_XSS_INJECT_ELEMENT_OR_JAVASCRIPT;
174 |                         analayis_index['reflected_data']=danger_parameter_index;
175 |                     }
176 |                 }
177 |                 result.push(analayis_index);
178 |             }
179 |             
180 |             return result;
181 |         }
182 |         
183 |         function find_first_eval_flag(parameter_value_string) {
184 |             var flag_single_quotes_index=parameter_value_string.indexOf('\'');
185 |             var flag_quotes_index=parameter_value_string.indexOf('"');
186 |             var flag_less_than_signs_index=parameter_value_string.indexOf('<');
187 |             var flag_right_than_signs_index=parameter_value_string.indexOf('>');
188 |             
189 |             var first_char=-1;
190 |             
191 |             first_char=flag_single_quotes_index;
192 |             
193 |             if (-1==first_char ||
194 |                 first_char>flag_quotes_index)
195 |                 first_char=flag_quotes_index;
196 |             
197 |             if (-1==first_char ||
198 |                 first_char>flag_less_than_signs_index)
199 |                 first_char=flag_less_than_signs_index;
200 |             
201 |             if (-1==first_char ||
202 |                 first_char>flag_right_than_signs_index)
203 |                 first_char=flag_right_than_signs_index;
204 |             
205 |             return first_char;
206 |         }
207 |             
208 |         function check_insert_xss_code(parameter_value_string) {
209 |             if (-1!=find_first_eval_flag(parameter_value_string))
210 |                 return true;
211 |             
212 |             return false;
213 |         }
214 |         
215 |         function check_insert_xss_into_element(reflected_parameter) {
216 |             if (REFLECTED_XSS_INJECT_DOM==reflected_parameter['reflected_type']) {
217 |                 var insert_dom_string=reflected_parameter['reflected_data'];
218 |                 var reg_matching=new RegExp('<\\w+>|<\\w+ |<\\w+\/','g');  
219 |                 /*
220 |                     TIPS :
221 |                     这里针对了<script>,<iframe>,<iframe/src=""/>
222 |                     这样的XSS vector 做了过滤..
223 |                 */
224 |                 var reg_matching_result=insert_dom_string.match(reg_matching);
225 |                 
226 |                 for (var pick_element_tag_name=0;pick_element_tag_name<reg_matching_result.length;++pick_element_tag_name)
227 |                     reg_matching_result[pick_element_tag_name]=reg_matching_result[pick_element_tag_name].substr(1,reg_matching_result[pick_element_tag_name].length-2);
228 | 
229 |                 var build_query_selector_string='';
230 | 
231 |                 for (var pick_element_tag_name=0;pick_element_tag_name<reg_matching_result.length;++pick_element_tag_name)
232 |                     build_query_selector_string+=reg_matching_result[pick_element_tag_name]+' ';
233 | 
234 |                 var search_insert_element_list=document.body.querySelectorAll(build_query_selector_string);
235 | 
236 |                 if (search_insert_element_list.length) {
237 |                     console.log('WARNING ! found reflected DOM XSS ..');
238 |                     return true;
239 |                 }
240 |             } else if (REFLECTED_XSS_INJECT_ELEMENT_OR_JAVASCRIPT==reflected_parameter['reflected_type']) {
241 |                 var insert_element_string=reflected_parameter['reflected_data'];
242 |                 
243 |                 if ('"'==insert_element_string ||
244 |                     '\''==insert_element_string) {
245 |                     /*
246 |                         选择含有' 和" 符号的HTML 元素,一般在XSS 初期测试的时候会通过注入' 和" 号看看能否开闭HTML 属性
247 |                         Example :
248 | 
249 |                         <img src="%input%" />
250 |                                 |  
251 |                                 v
252 |                         正常情况下:<img src="123" />
253 |                         转码情况下:<img src="123&quet" />
254 |                         XSS 成功情况下:<img src="123" " />
255 |                     */
256 |                     var attribute_selector=document.body.querySelectorAll('[\\'+insert_element_string+']');
257 |                     
258 |                     if (attribute_selector.length) {
259 |                         console.log('WARNING ! found reflected Attribute XSS -- Bypass Attribute String closed (" and \')..');
260 |                         return true;
261 |                     }
262 |                 } else {
263 |                     var body_code=document.body.innerHTML;
264 |                     var unencode_index=body_code.indexOf(insert_element_string);
265 |                     var encode_index=body_code.indexOf(insert_element_string.replace(/</g,'%3C').replace(/>/g,'%3E'));
266 |                     /*
267 |                         TIPS: 这种情况还需要注意绕过属性闭合构造DOM XSS 的情况,有可能在插入的时候< > 会被过滤成字符编码..
268 |                         Example:
269 | 
270 |                         " onerror="alert(\'element onerror() xss\');" /><script>alert(\'DOM XSS\');<//script>
271 |                     */
272 |                     
273 |                     if (-1!=unencode_index) {
274 |                         console.log('WARNING ! found reflected Attribute XSS ,unencode insert code ..');
275 |                         return true;
276 |                     } else if (-1!=encode_index) {
277 |                         console.log('WARNING ! found reflected Attribute XSS ,encode insert code ..');
278 |                         return true;
279 |                     }
280 |                     var attribute_list=split_string_space(insert_element_string);  //  使用分割属性的方法来匹配属性插入的元素
281 |                     var valid_query_attribute_name_string='';
282 | 
283 |                     for (var attribute_list_index_=0;attribute_list_index_<attribute_list.length;++attribute_list_index_) {
284 |                         var attribute_list_index=split_url_parameter_value(attribute_list[attribute_list_index_]);
285 | 
286 |                         if (undefined!=attribute_list_index['key'] && 
287 |                            ('"'!=attribute_list_index['key'] || '\''!=attribute_list_index['key']))
288 |                             valid_query_attribute_name_string+='['+attribute_list_index['key']+']';
289 |                     }
290 |                     var query_result=document.querySelectorAll(valid_query_attribute_name_string);
291 | 
292 |                     if (query_result.length) {
293 |                         for (var query_result_index_=0;query_result_index_<query_result.length;++query_result_index_) {
294 |                             var query_result_index=query_result[query_result_index_];
295 |                         }
296 |                         console.log('WARNING ! found reflected Attribute XSS');
297 |                         return true;
298 |                     }
299 |                 }
300 |             }
301 |             return false;
302 |         }
303 |         
304 |         function check_reflected_xss() {
305 |             var url_parameter_list=split_url_parameter_list();
306 |             
307 |             /*
308 |                 反射XSS Payload 集合
309 |                 
310 |                 注入代码到HTML DOM :
311 |                 http://xxx.com/?messages=<script>alert('xss');<//script>
312 |                 http://xxx.com/?messages=<img src='' onerror="alert('xss');" />
313 |                 http://xxx.com/?messages=<iframe src="http://xx.com/" />
314 |                 http://xxx.com/?messages=<a href="javascript:alert('xss');" />
315 |                 http://xxx.com/?messages=<a href="data:text/html,<script>alert('xss');<//script>" />
316 |                 注入代码到HTML Element Attribute 绕过:
317 |                 http://xxx.com/?messages=" /><script>alert('xss')<//script>
318 |                 http://xxx.com/?messages=" onerror="alert('xss');" />
319 |                 注入代码到javascript :
320 |                 http://xxx.com/?messages=';alert('xss');
321 |             
322 |                 由上面的Payload 总结可以知道,反射型XSS 内带有< > " ' 关键字:
323 |                 还有对应的URL Encode 混淆:%3C <  %3E >  %22 "  %27 '
324 |             
325 |                 URL 解析过程:
326 |                 http://xxx.com/a.php?arg=%3CScript%3ealert(%27xss%27);%3C/scRiPt%3e
327 |                                             |
328 |                                 split_url_parameter_list()  
329 |                                             |
330 |                                             v
331 |                         arg=%3CScript%3ealert(%27xss%27);%3C/scRiPt%3e
332 |                                             |
333 |                                         unescape()
334 |                                             |
335 |                                             v
336 |                              arg=<Script>alert('xss');<//scRiPt>
337 |                                             |
338 |                                     URL.toLowerCase()
339 |                                             |
340 |                                             v
341 |                              arg=<script>alert('xss');<//script>
342 |                 
343 |                 最后利用特征在document.querySelector 中发掘..
344 |             */
345 |             
346 |             if (url_parameter_list.length) {
347 |                 var decode_parameter_list=[];
348 |                 var danger_parameter_value_list=[];
349 |                 
350 |                 for (var parameter_index_ in url_parameter_list) {
351 |                     var parameter_index=url_parameter_list[parameter_index_];
352 |                     
353 |                     decode_parameter_list.push(unescape(parameter_index['value']).toLowerCase().trim());
354 |                 }
355 |                 for (var decode_parameter_list_index in decode_parameter_list)
356 |                     if (check_insert_xss_code(decode_parameter_list[decode_parameter_list_index]))
357 |                         danger_parameter_value_list.push(decode_parameter_list[decode_parameter_list_index]);
358 |                 
359 |                 if (danger_parameter_value_list.length) {
360 |                     var reflected_parameter_list=analayis_reflected_parameter_xss(danger_parameter_value_list);
361 |                     
362 |                     for (var reflected_parameter_list_index in reflected_parameter_list) {
363 |                         if (check_insert_xss_into_element(reflected_parameter_list[reflected_parameter_list_index])) {
364 |                             console.log('WARNING reflected XSS ');
365 |                         }
366 |                     }
367 |                 }
368 |             }
369 |             return false;
370 |         }
371 |         
372 |     </script>
373 |     
374 |     <script>
375 |                 
376 |     </script>
377 |    
378 |     <body onload="check_reflected_xss()">
379 |         
380 |         <div id="xss_test_1">
381 |             <!--
382 |                 反射XSS ,直接插入 <script>,<img>,<iframe>,混合插入 <script>,<img>,<iframe> 
383 |                 测试Payload:
384 |                 
385 |                 http://127.0.0.1/xss_test.php?xss_test_1=<script>alert('xss');</script>  --  基本测试
386 |                 http://127.0.0.1/xss_test.php?xss_test_1=<img src="" onerror="alert('xss')" />  --  DOM <img> 元素事件XSS 执行测试
387 |                 http://127.0.0.1/xss_test.php?xss_test_1=<iframe src="http://www.baidu.com" />  --  <iframe> 元素挂马测试
388 |                 http://127.0.0.1/xss_test.php?xss_test_1=<svg>/<script>alert('xss');</script>  --  组合HTML 元素绕过测试
389 |                 http://127.0.0.1/xss_test.php?xss_test_1=<div><a><img src="" onerror="alert('xss')" />  --  混合HTML 元素和img 事件绕过测试
390 |             -->
391 |             <?php
392 |                 if (isset($_GET['xss_test_1']))
393 |                     echo $_GET['xss_test_1'];
394 |             ?>
395 |         </div>
396 |         <div id="xss_test_2">
397 |             <!--
398 |                 反射XSS 混合元素插入,混合属性和事件属性插入 <img> ,<img> 中混合属性和事件属性插入 <script>
399 |                 测试Payload:
400 |                 
401 |                 http://127.0.0.1/xss_test.php?xss_test_2="  --  初期XSS 绕过元素属性闭合测试
402 |                 http://127.0.0.1/xss_test.php?xss_test_2=" onerror="alert('xss');  --  元素事件XSS 测试
403 |                 http://127.0.0.1/xss_test.php?xss_test_2=' " onload="alert('xss');  --  元素事件XSS 误报BUG 测试
404 |                 http://127.0.0.1/xss_test.php?xss_test_2=" alt="change tips";  --  元素XSS 修改非事件属性测试
405 |                 http://127.0.0.1/xss_test.php?xss_test_2=" /><script>alert('xss');</script>  --  绕过元素之外构造DOM XSS 测试
406 |                 http://127.0.0.1/xss_test.php?xss_test_2=123  --  元素XSS 误报测试
407 |             -->
408 |             <?php
409 |                 if (isset($_GET['xss_test_2']))
410 |                     echo '<img src="'.$_GET['xss_test_2'].'" />';
411 |             ?>
412 |         </div>
413 |        
414 |         <div id="xss_test_3"><!-- 储存XSS ,直接插入 <script> -->
415 |            
416 |         </div>
417 |         
418 |     </body>
419 | 
420 | </html>
421 | 


--------------------------------------------------------------------------------