日常测试的时候遇到的一个case,存在XSS漏洞,但是WAF把 onload,onerror,onstart等常用的on属性都过滤了。
通过搜索,找到一段遍历所有on属性的代码
let results = []
for (let i in document){
if(i.startsWith("on")){
results.push(i)
}
}
console.log(results)
localStorage.onAttrs=JSON.stringify(results)
["onreadystatechange","onpointerlockchange","onpointerlockerror","onbeforecopy","onbeforecut","onbeforepaste","onfreeze","onresume","onsearch","onvisibilitychange","onfullscreenchange","onfullscreenerror","onwebkitfullscreenchange","onwebkitfullscreenerror","onbeforexrselect","onabort","onblur","oncancel","oncanplay","oncanplaythrough","onchange","onclick","onclose","oncontextlost","oncontextmenu","oncontextrestored","oncuechange","ondblclick","ondrag","ondragend","ondragenter","ondragleave","ondragover","ondragstart","ondrop","ondurationchange","onemptied","onended","onerror","onfocus","onformdata","oninput","oninvalid","onkeydown","onkeypress","onkeyup","onload","onloadeddata","onloadedmetadata","onloadstart","onmousedown","onmouseenter","onmouseleave","onmousemove","onmouseout","onmouseover","onmouseup","onmousewheel","onpause","onplay","onplaying","onprogress","onratechange","onreset","onresize","onscroll","onsecuritypolicyviolation","onseeked","onseeking","onselect","onslotchange","onstalled","onsubmit","onsuspend","ontimeupdate","ontoggle","onvolumechange","onwaiting","onwebkitanimationend","onwebkitanimationiteration","onwebkitanimationstart","onwebkittransitionend","onwheel","onauxclick","ongotpointercapture","onlostpointercapture","onpointerdown","onpointermove","onpointerup","onpointercancel","onpointerover","onpointerout","onpointerenter","onpointerleave","onselectstart","onselectionchange","onanimationend","onanimationiteration","onanimationstart","ontransitionrun","ontransitionstart","ontransitionend","ontransitioncancel","oncopy","oncut","onpaste","onpointerrawupdate"]
on属性的相关利用方式:
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
