Metnew/uxss-db
GitHub: Metnew/uxss-db
A comprehensive database and research collection of Universal Cross-Site Scripting (UXSS) and Same-Origin Policy bypass vulnerabilities in mainstream browsers.
Stars: 702 | Forks: 84
# uxss-db 🔪
- [uxss-db 🔪](#uxss-db-%F0%9F%94%AA)
  - [Intro](#intro)
  - [Webkit](#webkit)
  - [Chromium](#chromium)
  - [IE/Edge](#ieedge)
  - [Articles](#articles)
  - [Whitepapers](#whitepapers)
  - [Browser hacking guides and design docs](#browser-hacking-guides-and-design-docs)
    - [Firefox](#firefox)
    - [Tor](#tor)
    - [Brave](#brave)
    - [Chromium](#chromium)
    - [Webkit](#webkit)
    - [Electron](#electron)
  - [Specs](#specs)
  - [Bounties](#bounties)
  - [Misc](#misc)
  - [Scripts](#scripts)
  - [Author](#author)
  - [License](#license)
  - [TODO](#todo)
**Inspired by [`js-vuln-db`](https://github.com/tunz/js-vuln-db)**

For **memory** bugs, exploits and more, see [`awesome-browser-exploit`](https://github.com/Escapingbug/awesome-browser-exploit)
## Intro
* [What is UXSS?](https://www.acunetix.com/blog/articles/universal-cross-site-scripting-uxss/)
* [What is SOP?](https://en.wikipedia.org/wiki/Same-origin_policy)
* [What is CORS?](https://developer.mozilla.org/ru/docs/Web/HTTP/CORS)

Some CVE numbers were not found:
* **0-$$$$** - issue with id _$$$$_ in the [google project zero tracker](https://bugs.chromium.org/p/project-zero/issues/list)
* **cr-$$$$** - issue with id _$$$$_ in the [Chromium tracker](https://bugs.chromium.org/p/chromium/issues/list)
* **some-bug** - the bug has no CVE, or the CVE is unknown

_If a report does not include the affected version, the version field carries a "?" sign_

**Note: many CVEs are not listed in the tables below!**

*Please check the `/other` folder, which contains unsorted/unknown/duplicate CVEs and bugs for less popular browsers*
## Webkit
| CVE/id | title | version | date |
| ------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------- | ------------ |
| [CVE-2017-7089](https://github.com/Bo0oM/CVE-2017-7089) | UXSS via `parent-tab://` | 10? | Sep 20, 2017 |
| [CVE-2017-7037](./webkit/CVE-2017-7037) | UXSS via `JSObject::putInlineSlow` and `JSValue::putToPrimitive` | 10? | Mar 10 2017 |
| [0-1197](./webkit/0-1197) | WebKit: UXSS via `CachedFrameBase::restore` | 10? | Mar 17 2017 |
| [CVE-2017-2528](./webkit/CVE-2017-2528) | UXSS: `CachedFrame` doesn't detach openers | 10? | Mar 10 2017 |
| [0-1163](./webkit/0-1163) | UXSS via `Document::prepareForDestruction` and CachedFrame | 10? | Mar 3 2017 |
| [CVE-2017-2510](./webkit/CVE-2017-2510) | UXSS: `enqueuePageshowEvent` and `enqueuePopstateEvent` don't enqueue, but dispatch | 10? | Feb 27 2017 |
| [CVE-2017-2508](./webkit/CVE-2017-2508) | UXSS via `ContainerNode::parserInsertBefore` | 10? | Feb 24 2017 |
| [0-1134](./webkit/0-1134) | UXSS via `ContainerNode::parserRemoveChild` (2) | 10? | Feb 17 2017 |
| [0-1132](./webkit/0-1132) | UXSS: the patch of #1110 made another bug | 10 | Feb 16 2017 |
| [CVE-2017-2504](./webkit/CVE-2017-2504) | UXSS via `Editor::Command::execute` | 10.0.3 | Feb 16 2017 |
| [CVE-2017-2493](./webkit/CVE-2017-2493) | UXSS through `HTMLObjectElement::updateWidget` | 10.0.3 | Feb 9 2017 |
| [CVE-2017-2480](./webkit/CVE-2017-2480) | UXSS via a synchronous page load | 10.0.3 | Feb 9 2017 |
| [CVE-2017-2479](./webkit/CVE-2017-2479) | UXSS via a focus event and a link element | 10.0.3 | Feb 9 2017 |
| [CVE-2017-2475](./webkit/CVE-2017-2475) | UXSS via `ContainerNode::parserRemoveChild` | 10.0.3 | Feb 2 2017 |
| [CVE-2017-2468](./webkit/CVE-2017-2468) | Use-After-Free via `Document::adoptNode` | 10.0.3 | Jan 23 2017 |
| [0-1094](./webkit/0-1094) | UXSS via `operationSpreadGeneric` | 10.0.2 | Jan 20 2017 |
| [0-1084](./webkit/0-1084) | UXSS via `PrototypeMap::createEmptyStructure` | 10.0.2 | Jan 17 2017 |
| [CVE-2017-2445](./webkit/CVE-2017-2445) | UXSS via `disconnectSubframes` | 10.0.2 | Jan 9 2017 |
| [CVE-2017-2442](./webkit/CVE-2017-2442) | UXSS with `JSCallbackData` | 10.0.2 | Jan 3 2017 |
| [CVE-2017-2367](./webkit/CVE-2017-2367) | UXSS by accessing a named property from an unloaded window | 10.0.2 | Dec 23 2016 |
| [CVE-2017-2365](./webkit/CVE-2017-2365) | UXSS via `Frame::setDocument` | 10.0.2 | Dec 20 2016 |
| [CVE-2017-2364](./webkit/CVE-2017-2364) | UXSS via `Frame::setDocument` (1). | 10.0.2 | Dec 20 2016 |
| [CVE-2017-2363](./webkit/CVE-2017-2363) | UXSS via `FrameLoader::clear` | 10.0.2 | Dec 19 2016 |
## Chromium
| CVE/id | title | version | date |
| ------------------------------------------------------- | ------------------------------------------------------------------------------ | ----------- | ----------- |
| [CVE-2018-6128](./chrome/CVE-2018-6128) | UXSS via URL parsing bug | 66 | May 9 2018 |
| [CVE-2017-5124](https://github.com/Bo0oM/CVE-2017-5124) | UXSS with MHTML | 61 | Oct 20 2017 |
| [cr-687844](./chrome/cr-687844) | `window.external` leaks global object + cross origin script access | 57 | Feb 2 2017 |
| [CVE-2017-5007](./chrome/CVE-2017-5007) | UXSS through bypassing `ScopedPageSuspender` with closing windows | 55 | Dec 5 2016 |
| [cr-656274](./chrome/cr-656274) | Cross-origin object leak via `fetch` | 56 (canary) | Oct 15 2016 |
| [cr-594383](./chrome/cr-594383) | UXSS via `window.open()` via `file://` pages | 54 | Oct 15 2016 |
| [CVE-2016-5207](./chrome/CVE-2016-5207) | UXSS via fullscreen element updates | 54 | Oct 14 2016 |
| [CVE-2016-5204](./chrome/CVE-2016-5204) | UXSS by intercepting a UA shadow tree | 52 | Jul 24 2016 |
| [CVE-2016-1676](./chrome/CVE-2016-1676) | Persistent UXSS via `SchemaRegistry` | 50 | Apr 19 2016 |
| [CVE-2016-1667](./chrome/CVE-2016-1667) | UXSS through adopting image elements | 50 | Apr 21 2016 |
| [CVE-2016-1674](./chrome/CVE-2016-1674) | UXSS via the interception of `Binding` with `Object.prototype.create` | 49 | Mar 26 2016 |
| [CVE-2016-1673](./chrome/CVE-2016-1673) | UXSS using a `FrameNavigationDisabler` bypass | 49 | Mar 24 2016 |
| [cr-583445](./chrome/cr-583445) | UXSS in `DocumentLoader::createWriterFor` | 48 | Feb 2 2016 |
| [CVE-2016-1631](./chrome/CVE-2016-1631) | UXSS using Flash message loop | 47 | Dec 14 2015 |
| [CVE-2015-6770](./chrome/CVE-2015-6770) | UXSS using `document.adoptNode` | 45 | Oct 8 2015 |
| [CVE-2015-6769](./chrome/CVE-2015-6769) | UXSS via the `unload_event` module | 45 | Sep 22 2015 |
| [CVE-2015-6765](./chrome/CVE-2015-6765) | UXSS via `ContainerNode::parserInsertBefore` | 44 | Aug 11 2015 |
| [CVE-2015-1268](./chrome/CVE-2015-1268) | UXSS using IDBKeyRange static methods | 43 | May 31 2015 |
| [CVE-2014-1747](./chrome/CVE-2014-1747) | UXSS via local MHTML files | 35 | Dec 25 2013 |
| [CVE-2014-1701](./chrome/CVE-2014-1701) | UXSS via `dispatchEvent` on iframes | 32 | Feb 11 2014 |
| [CVE-2011-2856](./chrome/CVE-2011-2856) | Arbitrary cross-origin bypass using `__defineGetter__` prototype override | 15 | Aug 18 2011 |
| [CVE-2011-3243](./chrome/CVE-2011-3243) | Universal XSS using `contentWindow.eval` | 12 | May 24 2011 |
| [CVE-2011-1438](./chrome/CVE-2011-1438) | bypass SOP with `blob:` | 11 | Mar 2 2011 |
| [cr-74372](./chrome/cr-74372) | `chrome://blob-internals/` XSS | 11 | Feb 28 2011 |
| [cr-37383](./chrome/cr-37383) | `javascript:` url with a leading NULL byte can bypass cross origin protection. | ? | Mar 4 2010 |
## IE/Edge
| CVE/id | version/date | reporter |
| ---------------------------------------------------------------------------------------------------------------- | ------------ | -------- |
| [CVE-2015-0072](https://github.com/dbellavista/uxss-poc), [alternative PoC](https://github.com/wjessop/UXSS_PoC) | | |
## Articles
* (in Russian) [A comic about UXSS in Safari and Chrome](https://bo0om.ru/chrome-and-safari-uxss) - CVE-2017-5124 + CVE-2017-7089
* [Analysis on Internet Explorer's UXSS](https://blog.innerht.ml/ie-uxss/) - CVE-2015-0072
* [Universal XSS via Evernote WebClipper](https://blog.xpnsec.com/evernote-webclipper-uxss/)
* [Mobile Browsers Security: iOS](https://www.syscan360.org/slides/2014_EN_MobileBrowsersSecurityiOS_LukaszPilorzPawelWylecial.pdf)
* [SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge)](https://www.brokenbrowser.com/sop-bypass-uxss-stealing-credentials-pretty-fast/) - May 10, 2017
* [Grabbing data from Inputs and Textareas (Edge/IE)](https://www.brokenbrowser.com/grabdatafrominput/) - Aug 28, 2016
* [Exploring and Exploiting iOS Web Browsers](http://bofh.nikhef.nl/events/HitB/hitb-2014-amsterdam/praatjes/D2T2-Exploring-and-Exploiting-iOS-Web-Browsers.pdf) - Łukasz Pilorz, Marek Zmysłowski, Hack In The Box, Amsterdam 2014
* https://leucosite.com blog by [@Qab](https://twitter.com/Qab)
* [BrokenBrowser](https://www.brokenbrowser.com) blog:
  * https://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/
  * https://www.brokenbrowser.com/sop-bypass-uxss-tweeting-like-charles-darwin/
  * https://www.brokenbrowser.com/sop-bypass-abusing-read-protocol/
  * https://www.brokenbrowser.com/microsoft-edge-detecting-installed-extensions/
  * https://www.brokenbrowser.com/free-ticket-to-the-intranet-zone/
  * https://www.brokenbrowser.com/uxss-ie-domainless-world/
  * https://www.brokenbrowser.com/bypass-the-patch-to-keep-spoofing-the-address-bar-with-the-malware-warning/
  * https://www.brokenbrowser.com/zombie-alert/
  * https://www.brokenbrowser.com/uxss-ie-htmlfile/
  * https://www.brokenbrowser.com/uxss-edge-domainless-world/
  * https://www.brokenbrowser.com/abusing-of-protocols/
  * https://www.brokenbrowser.com/loading-insecure-content-in-secure-pages/
  * https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
  * https://www.brokenbrowser.com/workers-sop-bypass-importscripts-and-basehref/
  * https://www.brokenbrowser.com/detecting-apps-mimetype-malware/
  * https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/
  * https://www.brokenbrowser.com/css-history-leak/
  * https://www.brokenbrowser.com/grabdatafrominput/
## Whitepapers
* [X41: Browser Security White Paper](https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf) + [website](https://www.x41-dsec.de/security/report/whitepaper/2017/09/18/whitepaper-x41-browser-security/) + [repo](https://github.com/x41sec/browser-security-whitepaper-2017)
* [The Definitive Guide to Same-origin Policy](https://www.netsparker.com/whitepaper-same-origin-policy/)
* [On the Security of the SOP-DOM Using HTML and JavaScript Code](http://your-sop.com/more-stuff/subsequent-work/On_the_Security_of_the_SOP-DOM_Using_HTML_and_JavaScript_Code.pdf)
* [Same-Origin Policy: Evaluation in Modern Browsers](https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-schwenk.pdf) + [slides](https://www.usenix.org/sites/default/files/conference/protected-files/usenixsecurity17_slides_marcus_niemietz.pdf) + [talk](https://youtu.be/-dz_V0fqUnw) + [your-sop.com](http://your-sop.com)
* [Google Browser Security Handbook](https://ru.scribd.com/document/135631086/Google-Browser-Security-Handbook)
* [A Security Study of Chrome’s Process-based Sandboxing](http://www.comp.nus.edu.sg/~tsunami/papers/ChromeDOP.pdf)
* [A Systematic Approach to Uncover Security Flaws in GUI Logic](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/GUILogicSecurity.pdf)
* [JSON hijacking](https://www.owasp.org/images/6/6a/OWASPLondon20161124_JSON_Hijacking_Gareth_Heyes.pdf)
* [Bypassing the Same Origin Policy - The Browser Hacker’s Handbook (2014)](http://apprize.info/security/browser/5.html)
## Browser hacking guides and design docs
### Firefox
* [7 Tips for Fuzzing Firefox More Effectively](https://blog.mozilla.org/security/2012/06/20/7-tips-for-fuzzing-firefox-more-effectively/)
### Tor
* [The Tor Browser Hacking Guide](https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking)
* [The Design and Implementation of the Tor Browser [DRAFT]](https://www.torproject.org/projects/torbrowser/design/)
### Brave
* [Brave browser repo](https://github.com/brave/browser-laptop)
* [Component structure](https://github.com/brave/browser-laptop/blob/master/docs/componentStructure.md)
* [Directory structure](https://github.com/brave/browser-laptop/blob/master/docs/directoryStructure.md)
* [State](https://github.com/brave/browser-laptop/blob/master/docs/state.md) - similar to the Redux state concept, but just an ImmutableJS object
* [How to handle crashes](https://github.com/brave/browser-laptop/wiki/Crashes)
### Chromium
* [How Chromium displays web pages](https://www.chromium.org/developers/design-documents/displaying-a-web-page-in-chrome)
* [Chromium: Multi-process Architecture](https://www.chromium.org/developers/design-documents/multi-process-architecture)
* [Site Isolation design document](https://www.chromium.org/developers/design-documents/site-isolation)
* [Threading and Tasks in Chrome](https://chromium.googlesource.com/chromium/src/+/master/docs/threading_and_tasks.md)
* [Important Abstractions and Data Structures](https://www.chromium.org/developers/coding-style/important-abstractions-and-data-structures)
### Webkit
* [Core WebKit classes](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/DisplayWebContent/Concepts/WebKitDesign.html)
* [Webkit docs on developer.apple.com](https://developer.apple.com/documentation/webkit)
### Electron
* [Modern Alchemy: Turning XSS into RCE](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)
* [Electron Security Checklist](https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf)
## Specs
* [W3C Suborigins [DRAFT]](https://w3c.github.io/webappsec-suborigins/)
* [W3C Service Workers Nightly](https://w3c.github.io/ServiceWorker/)
* [ECMA 262](https://www.ecma-international.org/publications/files/ECMA-ST/Ecma-262.pdf)
## Bounties
* [Zerodium](https://zerodium.com/program.html)
* [Tor](https://hackerone.com/torproject)
* [Chrome](https://www.google.com/about/appsecurity/chrome-rewards/)
* [Brave](https://hackerone.com/brave)
* [SSD](https://www.beyondsecurity.com/ssd.html)
* [MS Edge](https://technet.microsoft.com/en-us/mt761990.aspx)
## Misc
* [NodeFuzz](https://code.google.com/archive/p/ouspg/wikis/NodeFuzz.wiki) - a web browser fuzzer
* [brave/Muon](https://github.com/brave/muon) - build browsers and browser-like apps with HTML, CSS and JavaScript (part of the Brave bug bounty program)
* https://ios.browsr-tests.com - list of SOP bypasses in iOS
* https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite - list of SOP bypasses
* [ref_fuzz](https://lcamtuf.blogspot.com/2010/06/announcing-reffuzz-2yo-fuzzer.html) fuzzer - [source code](http://lcamtuf.coredump.cx/ref_fuzz5.html)
* [javascript - Ways to circumvent the same-origin policy - Stack Overflow](https://stackoverflow.com/questions/3076414/ways-to-circumvent-the-same-origin-policy) - document.domain, window.postMessage, CORS, reverse proxy (+ jsonp)
* Slides on cookie security - [Cookie same origin policy](https://crypto.stanford.edu/cs142/lectures/10-cookie-security.pdf)
* [PortSwigger/hackability](https://github.com/PortSwigger/hackability) - "devtools" for browser security. (useful for less popular browsers)
## Scripts
```bash
# Export `js-vuln-db` repo CVEs to html
bash ./scripts/js-vuln-db-to-format.sh html
# Export `js-vuln-db` repo CVEs to js
bash ./scripts/js-vuln-db-to-format.sh js
```
## Author
Vladimir Metnew
## License
MIT
## TODO
* Add these bugs:
  * [Pwn2Own: content: scheme allows cross-origin info leaks](https://bugs.chromium.org/p/chromium/issues/detail?id=659489)
  * [Use-after free in leveldb](https://bugs.chromium.org/p/chromium/issues/detail?id=88944)
  * [Security: UaF in MidiHost round 2 (JS -> Browser code execution)](https://bugs.chromium.org/p/chromium/issues/detail?id=576383)
  * https://bugs.chromium.org/p/chromium/issues/detail?id=419383
  * https://github.com/mpgn/ByP-SOP
  * http://unsafe.cracking.com.ar/demos/edgedatametadata/bing.html
  * https://bugs.chromium.org/p/chromium/issues/detail?id=666246
  * http://www.cracking.com.ar/demos/workerleak/
  * http://www.cracking.com.ar/demos/xmldom/
  * http://unsafe.cracking.com.ar/demos/sandboxedge/
  * https://www.cracking.com.ar/demos/sop-ax-htmlfile/injectiframexdom.html
  * [438085 - Security: SOP bypass via DNS-Rebind (including PoC) - chromium - Monorail](https://bugs.chromium.org/p/chromium/issues/detail?id=438085)
  * [demonic_browsers.pdf](https://research.aurainfosec.io/assets/demonic_browsers.pdf)
  * [JSON hijacking for the modern web | Blog](https://portswigger.net/blog/json-hijacking-for-the-modern-web)
  * [Pwnfest 2016 meta bug](https://bugs.chromium.org/p/chromium/issues/detail?id=664551)
  * https://bugs.chromium.org/p/chromium/issues/detail?id=682020
  * https://blog.jeremiahgrossman.com/2006/08/i-know-where-youve-been.html - that Web 1.0 era thing