使用油猴脚本Hook前端危险生成函数 - 技术文档<\/h1>

1. 背景与问题描述<\/h2>

在Web安全研究中，当发现XSS漏洞时，通常需要定位导致漏洞的生成函数。常规流程是：<\/p>

找到触发XSS的DOM节点<\/li>

通过节点特征(类名、属性等)全局搜索生成这些特征的函数<\/li> <\/ol>

但有时会遇到特殊情况：<\/p>

页面中没有明显的onerror=alert(1)<\/code>等特征节点<\/li>

可能是通过临时函数或类似eval<\/code>的动态方式生成的XSS<\/li>
<\/ul>
2. Hook技术原理<\/h2>
2.1 基本Hook方法<\/h3>
JavaScript中可以通过重写原生函数来实现Hook：<\/p>
let<\/span> myalert<\/span> =<\/span> window.alert<\/span>; \/\/ 保存原始alert函数
<\/span><\/span><\/span><\/span>window.alert<\/span> =<\/span> function<\/span>(fx<\/span>) {
<\/span><\/span>    myalert<\/span>(fx<\/span>); \/\/ 调用原始alert
<\/span><\/span><\/span><\/span>    \/\/ 可以在此处添加调试逻辑
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>这种方法的优势：<\/p>

将native函数转换为可调试的JavaScript函数<\/li>
可以在调用时插入调试逻辑<\/li>
能够追踪调用栈<\/li>
<\/ul>
2.2 Hook的应用场景<\/h3>

定位XSS生成函数<\/li>
分析动态代码执行路径<\/li>
调试难以追踪的安全漏洞<\/li>
<\/ol>
3. 油猴脚本实现<\/h2>
3.1 油猴脚本简介<\/h3>
油猴(Tampermonkey)是一个浏览器插件，允许用户自定义JavaScript脚本在特定页面运行。<\/p>
3.2 关键指令 - @run-at<\/h3>
油猴脚本的执行时机由@run-at<\/code>指令控制：<\/p>



值<\/th>
描述<\/th>
<\/tr>
<\/thead>


document-start<\/td>
脚本尽可能早地注入<\/td>
<\/tr>

document-body<\/td>
body元素存在时注入<\/td>
<\/tr>

document-end<\/td>
DOMContentLoaded事件时或之后注入(默认)<\/td>
<\/tr>

document-idle<\/td>
DOMContentLoaded事件后注入<\/td>
<\/tr>

context-menu<\/td>
通过浏览器上下文菜单注入<\/td>
<\/tr>
<\/tbody>
<\/table>
3.3 实现早期Hook<\/h3>
要实现比页面代码更早的Hook，必须使用：<\/p>
\/\/ ==UserScript==
<\/span><\/span><\/span>\/\/ @name         Early Hook Example
<\/span><\/span><\/span>\/\/ @namespace    http:\/\/tampermonkey.net\/
<\/span><\/span><\/span>\/\/ @version      0.1
<\/span><\/span><\/span>\/\/ @description  Hook example with early injection
<\/span><\/span><\/span>\/\/ @author       You
<\/span><\/span><\/span>\/\/ @match        *:\/\/*\/*
<\/span><\/span><\/span>\/\/ @run-at       document-start
<\/span><\/span><\/span>\/\/ ==\/UserScript==
<\/span><\/span><\/span><\/span>
<\/span><\/span>(function<\/span>() {
<\/span><\/span>    'use strict'<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ Hook代码放在这里
<\/span><\/span><\/span><\/span>})();
<\/span><\/span><\/code><\/pre>4. 完整Hook实现示例<\/h2>
4.1 对alert的Hook实现<\/h3>
\/\/ ==UserScript==
<\/span><\/span><\/span>\/\/ @name         XSS Generator Hook
<\/span><\/span><\/span>\/\/ @namespace    http:\/\/tampermonkey.net\/
<\/span><\/span><\/span>\/\/ @version      0.1
<\/span><\/span><\/span>\/\/ @description  Hook alert to trace XSS generators
<\/span><\/span><\/span>\/\/ @author       You
<\/span><\/span><\/span>\/\/ @match        *:\/\/*\/*
<\/span><\/span><\/span>\/\/ @run-at       document-start
<\/span><\/span><\/span>\/\/ @grant        none
<\/span><\/span><\/span>\/\/ ==\/UserScript==
<\/span><\/span><\/span><\/span>
<\/span><\/span>(function<\/span>() {
<\/span><\/span>    'use strict'<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 保存原始alert函数
<\/span><\/span><\/span><\/span>    const<\/span> originalAlert<\/span> =<\/span> window.alert<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 重写alert函数
<\/span><\/span><\/span><\/span>    window.alert<\/span> =<\/span> function<\/span>(message<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>('Alert triggered with message:'<\/span>, message<\/span>);
<\/span><\/span>        console<\/span>.trace<\/span>(); \/\/ 打印调用栈
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        \/\/ 调用原始alert
<\/span><\/span><\/span><\/span>        return<\/span> originalAlert<\/span>.apply<\/span>(this<\/span>, arguments<\/span>);
<\/span><\/span>    };
<\/span><\/span>})();
<\/span><\/span><\/code><\/pre>4.2 对console的Hook实现(用于脱敏示例)<\/h3>
\/\/ ==UserScript==
<\/span><\/span><\/span>\/\/ @name         Console Hook Example
<\/span><\/span><\/span>\/\/ @namespace    http:\/\/tampermonkey.net\/
<\/span><\/span><\/span>\/\/ @version      0.1
<\/span><\/span><\/span>\/\/ @description  Hook console.log for demonstration
<\/span><\/span><\/span>\/\/ @author       You
<\/span><\/span><\/span>\/\/ @match        *:\/\/*\/*
<\/span><\/span><\/span>\/\/ @run-at       document-start
<\/span><\/span><\/span>\/\/ @grant        none
<\/span><\/span><\/span>\/\/ ==\/UserScript==
<\/span><\/span><\/span><\/span>
<\/span><\/span>(function<\/span>() {
<\/span><\/span>    'use strict'<\/span>;
<\/span><\/span>    
<\/span><\/span>    const<\/span> originalConsoleLog<\/span> =<\/span> console<\/span>.log<\/span>;
<\/span><\/span>    
<\/span><\/span>    console<\/span>.log<\/span> =<\/span> function<\/span>() {
<\/span><\/span>        console<\/span>.log<\/span>('Console.log was called with:'<\/span>, arguments<\/span>);
<\/span><\/span>        console<\/span>.trace<\/span>();
<\/span><\/span>        
<\/span><\/span>        return<\/span> originalConsoleLog<\/span>.apply<\/span>(console<\/span>, arguments<\/span>);
<\/span><\/span>    };
<\/span><\/span>})();
<\/span><\/span><\/code><\/pre>5. 调试技巧<\/h2>


调试油猴脚本<\/strong>：<\/p>

在浏览器开发者工具中，转到"Sources"标签<\/li>
找到"Tampermonkey"部分<\/li>
选择正在运行的油猴脚本进行调试<\/li>
<\/ul>
<\/li>

分析调用栈<\/strong>：<\/p>

在Hook函数中使用console.trace()<\/code><\/li>
通过调用栈追踪到原始调用位置<\/li>
可以设置断点进行逐步调试<\/li>
<\/ul>
<\/li>

刷新页面<\/strong>：<\/p>

确保Hook脚本已正确注入后刷新页面<\/li>
观察控制台输出和调用栈<\/li>
<\/ul>
<\/li>
<\/ol>
6. 实际应用场景<\/h2>


定位XSS生成函数<\/strong>：<\/p>

当XSS触发alert但无显式事件处理器时<\/li>
通过Hook alert找到调用源头<\/li>
<\/ul>
<\/li>

分析动态代码执行<\/strong>：<\/p>

追踪eval、setTimeout、setInterval等动态代码执行<\/li>
分析Function构造函数调用<\/li>
<\/ul>
<\/li>

逆向工程<\/strong>：<\/p>

理解复杂前端框架的执行流程<\/li>
分析混淆代码的实际行为<\/li>
<\/ul>
<\/li>
<\/ol>
7. 注意事项<\/h2>


脚本执行顺序<\/strong>：<\/p>

确保使用@run-at document-start<\/code>以获得最早执行时机<\/li>
注意与其他脚本的潜在冲突<\/li>
<\/ul>
<\/li>

性能影响<\/strong>：<\/p>

频繁的Hook调用可能影响页面性能<\/li>
生产环境慎用<\/li>
<\/ul>
<\/li>

浏览器兼容性<\/strong>：<\/p>

不同浏览器对native函数Hook的支持可能不同<\/li>
测试主要目标浏览器<\/li>
<\/ul>
<\/li>

道德与法律<\/strong>：<\/p>

仅用于授权测试<\/li>
遵守相关法律法规<\/li>
<\/ul>
<\/li>
<\/ol>
8. 扩展应用<\/h2>


Hook其他关键函数<\/strong>：<\/p>
\/\/ Hook eval
<\/span><\/span><\/span><\/span>const<\/span> originalEval<\/span> =<\/span> window.eval;
<\/span><\/span>window.eval =<\/span> function<\/span>(code<\/span>) {
<\/span><\/span>    console<\/span>.log<\/span>('Eval called with:'<\/span>, code<\/span>);
<\/span><\/span>    return<\/span> originalEval<\/span>.apply<\/span>(this<\/span>, arguments<\/span>);
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ Hook document.write
<\/span><\/span><\/span><\/span>const<\/span> originalWrite<\/span> =<\/span> document.write<\/span>;
<\/span><\/span>document.write<\/span> =<\/span> function<\/span>(html<\/span>) {
<\/span><\/span>    console<\/span>.log<\/span>('document.write called with:'<\/span>, html<\/span>);
<\/span><\/span>    return<\/span> originalWrite<\/span>.apply<\/span>(document, arguments<\/span>);
<\/span><\/span>};
<\/span><\/span><\/code><\/pre><\/li>

条件Hook<\/strong>：<\/p>

只在特定条件下触发Hook逻辑<\/li>
减少不必要的性能开销<\/li>
<\/ul>
<\/li>

多函数联合Hook<\/strong>：<\/p>

同时Hook多个相关函数<\/li>
分析它们之间的调用关系<\/li>
<\/ul>
<\/li>
<\/ol>
通过这种技术，安全研究人员可以有效地追踪和分析前端代码中的潜在安全风险，特别是那些难以通过静态分析发现的动态生成漏洞。<\/p>

值<\/th>	描述<\/th> <\/tr> <\/thead>
document-start<\/td>	脚本尽可能早地注入<\/td> <\/tr>
document-body<\/td>	body元素存在时注入<\/td> <\/tr>
document-end<\/td>	DOMContentLoaded事件时或之后注入(默认)<\/td> <\/tr>
document-idle<\/td>	DOMContentLoaded事件后注入<\/td> <\/tr>
context-menu<\/td>	通过浏览器上下文菜单注入<\/td> <\/tr> <\/tbody> <\/table> 3.3 实现早期Hook<\/h3> 要实现比页面代码更早的Hook，必须使用：<\/p> \/\/ ==UserScript== <\/span><\/span><\/span>\/\/ @name Early Hook Example <\/span><\/span><\/span>\/\/ @namespace http:\/\/tampermonkey.net\/ <\/span><\/span><\/span>\/\/ @version 0.1 <\/span><\/span><\/span>\/\/ @description Hook example with early injection <\/span><\/span><\/span>\/\/ @author You <\/span><\/span><\/span>\/\/ @match :\/\/\/* <\/span><\/span><\/span>\/\/ @run-at document-start <\/span><\/span><\/span>\/\/ ==\/UserScript== <\/span><\/span><\/span><\/span> <\/span><\/span>(function<\/span>() { <\/span><\/span> 'use strict'<\/span>; <\/span><\/span> <\/span><\/span> \/\/ Hook代码放在这里 <\/span><\/span><\/span><\/span>})(); <\/span><\/span><\/code><\/pre>4. 完整Hook实现示例<\/h2> 4.1 对alert的Hook实现<\/h3> \/\/ ==UserScript== <\/span><\/span><\/span>\/\/ @name XSS Generator Hook <\/span><\/span><\/span>\/\/ @namespace http:\/\/tampermonkey.net\/ <\/span><\/span><\/span>\/\/ @version 0.1 <\/span><\/span><\/span>\/\/ @description Hook alert to trace XSS generators <\/span><\/span><\/span>\/\/ @author You <\/span><\/span><\/span>\/\/ @match :\/\/\/* <\/span><\/span><\/span>\/\/ @run-at document-start <\/span><\/span><\/span>\/\/ @grant none <\/span><\/span><\/span>\/\/ ==\/UserScript== <\/span><\/span><\/span><\/span> <\/span><\/span>(function<\/span>() { <\/span><\/span> 'use strict'<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 保存原始alert函数 <\/span><\/span><\/span><\/span> const<\/span> originalAlert<\/span> =<\/span> window.alert<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 重写alert函数 <\/span><\/span><\/span><\/span> window.alert<\/span> =<\/span> function<\/span>(message<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('Alert triggered with message:'<\/span>, message<\/span>); <\/span><\/span> console<\/span>.trace<\/span>(); \/\/ 打印调用栈 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 调用原始alert <\/span><\/span><\/span><\/span> return<\/span> originalAlert<\/span>.apply<\/span>(this<\/span>, arguments<\/span>); <\/span><\/span> }; <\/span><\/span>})(); <\/span><\/span><\/code><\/pre>4.2 对console的Hook实现(用于脱敏示例)<\/h3> \/\/ ==UserScript== <\/span><\/span><\/span>\/\/ @name Console Hook Example <\/span><\/span><\/span>\/\/ @namespace http:\/\/tampermonkey.net\/ <\/span><\/span><\/span>\/\/ @version 0.1 <\/span><\/span><\/span>\/\/ @description Hook console.log for demonstration <\/span><\/span><\/span>\/\/ @author You <\/span><\/span><\/span>\/\/ @match :\/\/\/* <\/span><\/span><\/span>\/\/ @run-at document-start <\/span><\/span><\/span>\/\/ @grant none <\/span><\/span><\/span>\/\/ ==\/UserScript== <\/span><\/span><\/span><\/span> <\/span><\/span>(function<\/span>() { <\/span><\/span> 'use strict'<\/span>; <\/span><\/span> <\/span><\/span> const<\/span> originalConsoleLog<\/span> =<\/span> console<\/span>.log<\/span>; <\/span><\/span> <\/span><\/span> console<\/span>.log<\/span> =<\/span> function<\/span>() { <\/span><\/span> console<\/span>.log<\/span>('Console.log was called with:'<\/span>, arguments<\/span>); <\/span><\/span> console<\/span>.trace<\/span>(); <\/span><\/span> <\/span><\/span> return<\/span> originalConsoleLog<\/span>.apply<\/span>(console<\/span>, arguments<\/span>); <\/span><\/span> }; <\/span><\/span>})(); <\/span><\/span><\/code><\/pre>5. 调试技巧<\/h2> 调试油猴脚本<\/strong>：<\/p> 在浏览器开发者工具中，转到"Sources"标签<\/li> 找到"Tampermonkey"部分<\/li> 选择正在运行的油猴脚本进行调试<\/li> <\/ul> <\/li> 分析调用栈<\/strong>：<\/p> 在Hook函数中使用console.trace()<\/code><\/li> 通过调用栈追踪到原始调用位置<\/li> 可以设置断点进行逐步调试<\/li> <\/ul> <\/li> 刷新页面<\/strong>：<\/p> 确保Hook脚本已正确注入后刷新页面<\/li> 观察控制台输出和调用栈<\/li> <\/ul> <\/li> <\/ol> 6. 实际应用场景<\/h2> 定位XSS生成函数<\/strong>：<\/p> 当XSS触发alert但无显式事件处理器时<\/li> 通过Hook alert找到调用源头<\/li> <\/ul> <\/li> 分析动态代码执行<\/strong>：<\/p> 追踪eval、setTimeout、setInterval等动态代码执行<\/li> 分析Function构造函数调用<\/li> <\/ul> <\/li> 逆向工程<\/strong>：<\/p> 理解复杂前端框架的执行流程<\/li> 分析混淆代码的实际行为<\/li> <\/ul> <\/li> <\/ol> 7. 注意事项<\/h2> 脚本执行顺序<\/strong>：<\/p> 确保使用@run-at document-start<\/code>以获得最早执行时机<\/li> 注意与其他脚本的潜在冲突<\/li> <\/ul> <\/li> 性能影响<\/strong>：<\/p> 频繁的Hook调用可能影响页面性能<\/li> 生产环境慎用<\/li> <\/ul> <\/li> 浏览器兼容性<\/strong>：<\/p> 不同浏览器对native函数Hook的支持可能不同<\/li> 测试主要目标浏览器<\/li> <\/ul> <\/li> 道德与法律<\/strong>：<\/p> 仅用于授权测试<\/li> 遵守相关法律法规<\/li> <\/ul> <\/li> <\/ol> 8. 扩展应用<\/h2> Hook其他关键函数<\/strong>：<\/p> \/\/ Hook eval <\/span><\/span><\/span><\/span>const<\/span> originalEval<\/span> =<\/span> window.eval; <\/span><\/span>window.eval =<\/span> function<\/span>(code<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('Eval called with:'<\/span>, code<\/span>); <\/span><\/span> return<\/span> originalEval<\/span>.apply<\/span>(this<\/span>, arguments<\/span>); <\/span><\/span>}; <\/span><\/span> <\/span><\/span>\/\/ Hook document.write <\/span><\/span><\/span><\/span>const<\/span> originalWrite<\/span> =<\/span> document.write<\/span>; <\/span><\/span>document.write<\/span> =<\/span> function<\/span>(html<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('document.write called with:'<\/span>, html<\/span>); <\/span><\/span> return<\/span> originalWrite<\/span>.apply<\/span>(document, arguments<\/span>); <\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> 条件Hook<\/strong>：<\/p> 只在特定条件下触发Hook逻辑<\/li> 减少不必要的性能开销<\/li> <\/ul> <\/li> 多函数联合Hook<\/strong>：<\/p> 同时Hook多个相关函数<\/li> 分析它们之间的调用关系<\/li> <\/ul> <\/li> <\/ol> 通过这种技术，安全研究人员可以有效地追踪和分析前端代码中的潜在安全风险，特别是那些难以通过静态分析发现的动态生成漏洞。<\/p>

使用油猴脚本Hook前端危险生成函数 - 技术文档<\/h1>

2. Hook技术原理<\/h2>

3. 油猴脚本实现<\/h2>

3.1 油猴脚本简介<\/h3> 油猴(Tampermonkey)是一个浏览器插件，允许用户自定义JavaScript脚本在特定页面运行。<\/p>

4. 完整Hook实现示例<\/h2>

3.1 油猴脚本简介<\/h3>
油猴(Tampermonkey)是一个浏览器插件，允许用户自定义JavaScript脚本在特定页面运行。<\/p>