Browser decoding mechanisms (as relied on by XSS encoding bypasses)

1. Approximate browser workflow

(1) The browser parses the HTML.

(2) Tags are turned into DOM nodes. While identifying tags, the HTML parser decodes entity-encoded content, so that the content of each node is identified as the DOM tree is built.

(3) The JS parser takes part through the DOM API and can modify the DOM tree and its content. Meanwhile the CSS parser parses style tags and external CSS; together these form the render tree.

(4) Before the render tree is constructed, the CSS has already been parsed into a CSS rule tree.

(5) After layout is complete, the UI backend paints each node, producing the display.

Two of these parsers need special attention: the HTML parser and the JS parser (the CSS parser is left aside for now), because XSS payloads that rely on encoding are basically exploited through these two.


2. Parsers

  • HTML parser

Role: builds the DOM tree and parses the content of each node.


  • JS parser

Role: when a script or style tag is processed, the parser automatically switches parsing mode; a javascript: pseudo-protocol placed in a src or href attribute also enters JS parsing mode. By the time this mode is entered, the DOM has already been built.


3. Cases (all tests were done in the Firefox browser)

1. HTML entity encoding is decoded automatically during HTML parsing

<a href="&#106;avascript:alert('1')">test</a>



Clicking "test" pops up the alert normally. In this case the following encodings have the same effect:

(1) HTML entity encoding (decimal): &#106;

(2) hexadecimal: &#x6a;

(3) decimal without the trailing semicolon: &#106

(4) leading zeros in the numeric part are also accepted: &#00000000106 (or &#00000000106;)


2. JS decoding

<a href="javascript:alert('\u0061')">test</a>



Clicking "test" pops up "a": the JS engine performed Unicode decoding of the string literal. In this case the following encodings have the same effect:

(1) Unicode escape: \u0061

(2) hexadecimal escape: \x61

(3) octal escape: \141


4. Summary

Whether it is HTML parsing or JS parsing, each parser operates only on its own character portion. For example, in <a href="javascript:alert('\u0061')">test</a>, the content inside the double quotes "" is part of the HTML tag's character portion (the attribute value), while the content inside the single quotes '' is part of the JS character portion.

Therefore, when the browser parses such a tag, javascript:alert('\u0061') first goes through one round of HTML decoding; then \u0061 goes through one round of JS decoding, and the final result the page ends up with is <a href="javascript:alert('a')">test</a>.
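The two-stage decoding described in cases 1 and 2 and in the summary above is what a filter or code reviewer has to reproduce to see what the browser will actually execute. Below is an added example, not code from the original post: a small normalizer that applies HTML numeric character reference decoding first and JS string-escape decoding second, in browser order, and reports whether an href value ends up as a javascript: URL. All function names and the sample href values are constructed for this example. It goes slightly beyond the page in one place: the URL parser strips ASCII tab, LF and CR from a URL before matching the scheme, so the example removes those too.

```javascript
// Added example (not from the original post): a two-stage normalizer that
// applies the decoding order described on the page so a filter or reviewer
// can see what the browser will execute from an encoded href value.

// Stage 1: HTML attribute decoding. Numeric character references may be
// decimal (&#106;), hexadecimal (&#x6a;), carry leading zeros
// (&#00000000106;) and may omit the trailing semicolon (&#106).
function decodeHtmlNumericEntities(value) {
  return value.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const isHex = num[0] === 'x' || num[0] === 'X';
    const code = isHex ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    // Out-of-range references are left untouched rather than throwing.
    return code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Stage 2: JS string-literal escapes. Covers \uXXXX, \xXX and octal \NNN,
// the three forms shown on the page. Escapes are decoded across the whole
// script body regardless of literal context, which over-approximates what
// the JS engine does; for detection that is the safe direction.
function decodeJsStringEscapes(value) {
  return value.replace(
    /\\(?:u([0-9a-f]{4})|x([0-9a-f]{2})|([0-3][0-7]{2}|[0-7]{1,2}))/gi,
    (match, u4, x2, oct) => {
      if (u4 !== undefined) return String.fromCharCode(parseInt(u4, 16));
      if (x2 !== undefined) return String.fromCharCode(parseInt(x2, 16));
      return String.fromCharCode(parseInt(oct, 8));
    }
  );
}

// Stage 3: run both stages in browser order. The scheme is matched after HTML
// decoding only (the JS parser never sees it); JS escapes are decoded in the
// script body that follows "javascript:". Tab, LF and CR are dropped from the
// URL first, as the URL parser does (assumption: this matches the browser's
// URL pre-processing, which the page itself does not discuss).
function normalizeHref(href) {
  const afterHtml = decodeHtmlNumericEntities(href).replace(/[\t\n\r]/g, '');
  const scheme = /^\s*javascript:/i.exec(afterHtml);
  if (scheme === null) {
    return { isJavascriptUri: false, decoded: afterHtml };
  }
  const body = afterHtml.slice(scheme[0].length);
  return { isJavascriptUri: true, decoded: 'javascript:' + decodeJsStringEscapes(body) };
}

// Constructed sample href values taken from the page's cases plus one
// harmless URL that merely contains an encoded "javascript:" substring.
const SAMPLE_HREFS = [
  "&#106;avascript:alert('1')",
  "&#x6a;avascript:alert('1')",
  "&#00000000106avascript:alert('1')",
  "javascript:alert('\\u0061')",
  "javascript:alert('\\x61')",
  "javascript:alert('\\141')",
  "&#106;avascript:alert('\\u0061')",
  "https://example.com/?next=&#106;avascript:alert(1)",
];

// Returns one row per sample with the browser-equivalent decoded value.
function scanSamples() {
  return SAMPLE_HREFS.map((href) => ({ href, ...normalizeHref(href) }));
}

for (const row of scanSamples()) {
  console.log(row.isJavascriptUri ? 'JS URL ' : 'other  ', row.href, '->', row.decoded);
}
```

The point of keeping the two stages separate is that a filter which only decodes HTML entities, or only JS escapes, sees something different from what the browser executes; a check on the href value should be made after the same decoding sequence the browser applies, and the scheme should be compared only after stage 1. Named entities (&amp;, &lt;, ...) and \u{...} escapes are not handled here because the page does not cover them.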



Origin: blog.csdn.net/qq_36896220/article/details/104618130