neraliu / tainted-phantomjs

Tainted PhantomJS
BSD 3-Clause "New" or "Revised" License

Not detect XSS problem #29

Open timeisflowing opened 10 years ago

timeisflowing commented 10 years ago
Test 1:

    document.write(document.location.hash);

working:

    [Sat, 12 Jul 2014 00:02:51 GMT] [TPJS] [RESULT] document.tainted? true
    [Sat, 12 Jul 2014 00:02:51 GMT] [TPJS] [RESULT] document.onAlert? true
    [Sat, 12 Jul 2014 00:02:51 GMT] [TPJS] [RESULT] document.domxss.vulnerable? true
    [Sat, 12 Jul 2014 00:02:51 GMT] [TPJS] [RESULT] This page http://localhost:78/kbx/domxsstest/document_write_hash.html?1405123371042&#%3Cscript%3Ealert(0)%3B%3C%2Fscript%3E is vulnerable to DOMXSS. The untrusted input can be injected into the DOM of the page and trigger javascript execution. (Please note that some browsers may not be vulnerable as it has builtin XSS defense, for example Chrome has its own XSS filter and FF has autoescape on location.href. Please try all supported grade A browsers Chrome/FF/IE/Safari).

Test 2 (innerHTML):

working:

    [Sat, 12 Jul 2014 00:03:39 GMT] [TPJS] [RESULT] document.tainted? true
    [Sat, 12 Jul 2014 00:03:39 GMT] [TPJS] [RESULT] document.onAlert? true
    [Sat, 12 Jul 2014 00:03:39 GMT] [TPJS] [RESULT] document.domxss.vulnerable? true
    [Sat, 12 Jul 2014 00:03:39 GMT] [TPJS] [RESULT] This page http://localhost:78/kbx/domxsstest/innerhtml_hash.html?1405123419142&#%3Cimg%20src%3D%22%22%20onerror%3D%22alert(0)%22%3E is vulnerable to DOMXSS. The untrusted input can be injected into the DOM of the page and trigger javascript execution. (Please note that some browsers may not be vulnerable as it has builtin XSS defense, for example Chrome has its own XSS filter and FF has autoescape on location.href. Please try all supported grade A browsers Chrome/FF/IE/Safari)

Test 3 (YUI node). The page shows:

    Hello!
    The data inside of foo div is:
    default foo

and runs:

    YUI().use("console", "node", function(Y) {
        var foo = Y.one("#foo");
        foo.setHTML(document.location.hash);
    });

not working, not detected:

    [Sat, 12 Jul 2014 00:05:13 GMT] [TPJS] [RESULT] document.tainted? false
    [Sat, 12 Jul 2014 00:05:13 GMT] [TPJS] [RESULT] document.onAlert? false
    [Sat, 12 Jul 2014 00:05:13 GMT] [TPJS] [RESULT] document.domxss.vulnerable? false
    [Sat, 12 Jul 2014 00:05:13 GMT] [TPJS] [RESULT] http://localhost:78/kbx/domxsstest/yuinode_hash.html?1405123513292&#%3Cimg%20src%3Dzero%20onerror%3Dalert(0)%3E is not DOMXSS vulnerable.

but here there is XSS: #<img src=zero onerror=alert(0)>

Test 4:

    $("body").append(document.location.hash);

working:

    [Sat, 12 Jul 2014 00:07:33 GMT] [TPJS] [RESULT] document.tainted? true
    [Sat, 12 Jul 2014 00:07:33 GMT] [TPJS] [RESULT] document.onAlert? true
    [Sat, 12 Jul 2014 00:07:33 GMT] [TPJS] [RESULT] document.domxss.vulnerable? true
    [Sat, 12 Jul 2014 00:07:33 GMT] [TPJS] [RESULT] This page http://localhost:78/kbx/domxsstest/jquery_append_hash.html?1405123653871&#%3Cscript%3Ealert(0)%3B%3C%2Fscript%3E is vulnerable to DOMXSS. The untrusted input can be injected into the DOM of the page and trigger javascript execution. (Please note that some browsers may not be vulnerable as it has builtin XSS defense, for example Chrome has its own XSS filter and FF has autoescape on location.href. Please try all supported grade A browsers Chrome/FF/IE/Safari).

What to do about this problem?
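The report above shows the same tainted source (location.hash) being flagged at three sinks but missed once it passes through a library wrapper (YUI's setHTML). The thread does not say why that path was missed, and the following is not a diagnosis of Tainted PhantomJS; it is an added illustration, not the project's code, of one general failure mode a DOM XSS detector has to rule out: a tracker that propagates taint through every string operation still flags a sink behind a wrapper that rebuilds the markup, while one that only recognises the original source object does not. All names (TaintedString, instrumentedSinks, wrapperSetHTML, the two judge functions) and the rebuilding behaviour of the wrapper are assumptions made for this example; the payload is the decoded fragment from the YUI test URL.

```javascript
'use strict';

// Added illustration, not code from Tainted PhantomJS: a toy taint-tracking
// model for DOM XSS. Names and the wrapper's internals are invented here.

class TaintedString {
  constructor(value, tainted = false) {
    this.value = String(value);
    this.tainted = Boolean(tainted);
  }
  // Each string operation propagates the flag, as an engine-level tracker does.
  concat(other) {
    const o = other instanceof TaintedString ? other : new TaintedString(other);
    return new TaintedString(this.value + o.value, this.tainted || o.tainted);
  }
  slice(start, end) {
    return new TaintedString(this.value.slice(start, end), this.tainted);
  }
  trim() {
    return new TaintedString(this.value.trim(), this.tainted);
  }
  toString() {
    return this.value;
  }
}

// Constructed source value: the decoded fragment from the thread's YUI test URL.
const ATTACK_HASH = '#<img src=zero onerror=alert(0)>';
function readLocationHash() {
  return new TaintedString(ATTACK_HASH, true); // location.hash is attacker-controlled
}

// Instrumented sinks. `judge(value)` is the detector's decision procedure; each
// sink records its name when the judge says attacker data reached it.
function instrumentedSinks(judge) {
  const findings = [];
  const report = (sink, value) => {
    if (judge(value)) findings.push(sink);
  };
  return {
    findings,
    // Direct sinks: the source value arrives unchanged.
    documentWrite: (v) => report('document.write', v),
    setInnerHTML: (v) => report('innerHTML', v),
    // A library wrapper that rebuilds the markup before it reaches innerHTML.
    // Stand-in for a setHTML-style helper; what any real library does
    // internally is not modelled (assumption).
    wrapperSetHTML: (v) => {
      const rebuilt = new TaintedString('').concat(v.slice(1).trim());
      report('wrapper.setHTML -> innerHTML', rebuilt);
    },
  };
}

// Detector A: trust the taint flag carried by the value itself.
const propagatingJudge = () => (v) => v instanceof TaintedString && v.tainted;
// Detector B: only recognise the very object that came out of location.hash.
const identityJudge = (source) => (v) => v === source;

// Drive the three sink patterns from the thread with one detector strategy
// and return the list of sinks it flagged.
function runPage(makeJudge) {
  const source = readLocationHash();
  const sinks = instrumentedSinks(makeJudge(source));
  sinks.documentWrite(source);   // document.write(document.location.hash)
  sinks.setInnerHTML(source);    // el.innerHTML = document.location.hash
  sinks.wrapperSetHTML(source);  // lib.one('#foo').setHTML(document.location.hash)
  return sinks.findings;
}

const propagatingFindings = runPage(propagatingJudge);
const identityFindings = runPage(identityJudge);
console.log('propagating tracker flagged:', propagatingFindings);
console.log('identity-only tracker flagged:', identityFindings);
```

Run it with node; the propagating tracker reports all three sinks, the identity-only tracker reports only the two direct ones. In a real engine-level tracker the flag lives on the string inside the JavaScript engine, so the first check to make when a wrapped sink is missed is whether the library's internal copying, slicing or template rendering produces a string the engine no longer marks as tainted.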
neraliu commented 10 years ago

Hello,

Do you have the source code of the web page so that I can investigate it further?

Thanks, nera

timeisflowing commented 10 years ago

http://pastebin.com/cwPEn5qK

Not very stable, but works manually: <img src=zero onerror=alert(1)> working