[13348] 2018-10-26_Analysis of the TradingView DOM XSS vulnerability affecting the vast majority of trading platforms

Document creator: s7ckTeam
Views: 6
Last updated: 2025-01-18
2018-10-26_Analysis of the TradingView DOM XSS vulnerability affecting the vast majority of trading platforms

Source: "Tradingview Dom XSS", by Arrowzzzzzz, FreeBuf, 2018-10-26 (XSS 0day). Only fragments of the original write-up survived extraction; the identifiers and code that can still be read are listed below in their original order.

Affected component: the TradingView charting_library (charting_library.min.js), i.e. the K-line (candlestick) chart widget embedded by trading platforms, whose widget page is static/tv-chart.630b704a2b9d0eaf1593.html (tv-chart.html), served behind Cloudflare.

Parameters of tv-chart.html handled client-side in JavaScript (the DOM XSS is in this handling): disabledFeatures; enabledFeatures; indicatorsFile.

tv-chart.html loads three scripts: spin.min.js, vendors.fd8604c09abed9f6643a.js, and library.19c99ed5d0307c67f071.js; the XSS lives in the third.

Sink, inside a conditional expression of the form test ? expression1 : expression2 (expression1 runs when test is true, expression2 when it is false):
$.getScript(urlParams.indicatorsFile).done(function() { ... })
$ is jQuery; $.getScript() fetches a JavaScript file over HTTP GET and executes it, so whatever urlParams.indicatorsFile points to is executed in the page.

Source: urlParams is built from the URL fragment, along these lines (reconstructed from the surviving identifiers):
p = location.href;                       // the full URL
o = p.indexOf("#");                      // stringObject.indexOf(searchvalue, fromindex): -1 if "#" is absent
k = p.substring(o + 1);                  // stringObject.substring(start, stop): everything after "#"
/([^&=]+)=?([^&]*)/g                     // matched against k; for "disabledFeatures=[321]" the match j is
                                         //   ["disabledFeatures=[321]", "disabledFeatures", "[321]"]
n[e(j[1])] = e(j[2]);                    // key/value stored on the object n, i.e. ordinary property assignment:
                                         //   var obj = {}; var key = "name"; var value = ""; obj[key] = value;