Don't get "phished" by it by accident! (XSS cross-site scripting attacks)

1. XSS introduction

Cross-site scripting, in full Cross Site Scripting, is abbreviated XSS rather than CSS to avoid confusion with the front-end style language CSS (Cascading Style Sheets). XSS is a client-side Web attack. Like SQL injection, it ranks among the top three in the OWASP list and is extremely harmful.

XSS means that the attacker constructs a script (usually a JavaScript script) and injects it into a Web page; the victim is attacked when they open the page or click the link. Once the XSS code executes successfully, the attacker can obtain Web site administration rights, database administration rights, sessions, cookies and other content.

XSS entry points generally appear in "user input" locations on a site such as comment boxes, message boards and search boxes. XSS vulnerabilities arise mainly because the Web server does not securely filter script content (such as script tags) contained in user input.

2. XSS hazards

The harm done by XSS depends entirely on the attacker's command of scripting languages such as JavaScript. Taking JavaScript as an example, it can be used to read user cookies, modify page text, redirect URLs and so on, so a page with an XSS vulnerability can be used to steal user cookies, redirect to malicious websites and carry out other attack behaviour. In general, XSS can be used for planting malicious code in web pages (drive-by downloads), session hijacking, user hijacking, information interception, website phishing, XSS DDoS attacks, XSS worms and so on.

3. XSS classification

XSS attacks can be divided into three types: reflected, stored and DOM-based.

Reflected XSS: also called non-persistent XSS; this kind of attack is usually one-off. When a user visits a URL that carries XSS code, the server receives and processes the request and returns the data containing the XSS code to the browser. When the browser parses this response, the malicious script runs and the XSS vulnerability is triggered.

Stored XSS: also called persistent XSS; the attack script is permanently stored in the target server's database or files, which makes it highly concealed. Stored XSS is often found in forums, blogs and posts. While posting, the attacker mixes malicious script into the normal content of the post. Because posts are stored by the server, the malicious script is kept permanently in the server's back-end storage, and when other users view the post the malicious script executes in their browsers.

DOM XSS: a special kind of reflected XSS, a vulnerability based on the DOM (Document Object Model). A web page has many elements; when the page reaches the browser, the browser creates a top-level Document object for it and then generates a sub-document object for each element, and each document object contains attributes, methods and events. JavaScript can edit these document objects and modify the elements on the page. In other words, client-side script can dynamically modify the page content through the DOM, reading data from the DOM on the client and executing it locally. This behaviour is what a DOM XSS attack exploits with JavaScript.
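The defence that closes all three variants at the comment-box and link sinks just described is output encoding plus a URL allowlist. This is an added example, not code from the original post; the function names and the sample comment are constructed for illustration.

```javascript
// Added example, not code from the original post: context-aware output
// encoding for a stored comment and an allowlist for URLs that land in
// href/location sinks. All names are illustrative; the comment is constructed.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. Encoding every untrusted value on output
// neutralises <script>, <img onerror>, <iframe> and any tag a blacklist
// would miss, so the filter bypasses discussed later do not apply.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only absolute http(s) URLs may be placed in an href. A "javascript:" or
// "data:" scheme would turn the link itself into a script execution sink;
// the WHATWG URL parser normalises scheme case and strips leading spaces,
// tabs and newlines, so those tricks are caught before the comparison.
function safeHref(untrustedUrl) {
  let parsed;
  try {
    parsed = new URL(String(untrustedUrl));
  } catch (e) {
    return '#'; // not an absolute URL at all
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
}

// Render one stored comment into HTML. Every untrusted field goes through
// escapeHtml for its context; the URL is additionally scheme-checked.
function renderComment(comment) {
  return (
    `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
    `<a href="${escapeHtml(safeHref(comment.site))}">${escapeHtml(comment.author)}</a>` +
    `<p>${escapeHtml(comment.body)}</p></div>`
  );
}

// Constructed comment that tries each sink: attribute breakout, a
// javascript: link and a script tag in the body.
const constructedComment = {
  author: 'mallory" onmouseover="alert(1)',
  site: ' JaVaScRiPt:alert(document.cookie)',
  body: '<script>alert(document.cookie)</script>',
};

console.log(renderComment(constructedComment));
```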

 

4. XSS cross-site scripting penetration

XSS vulnerability detection is divided into manual and automatic detection. Manual detection gives accurate results, but for a relatively large Web site it is very laborious. Automatic detection is convenient, but it may produce false positives and may miss well-hidden XSS vulnerabilities.

4.1 Manual XSS

When testing manually whether a Web site has XSS vulnerabilities, we need to consider where input enters the page and where the entered content will be displayed. For the input we choose characters with special meaning, so that we can quickly test whether an XSS vulnerability exists. It is therefore very useful to understand the HTML tags, JavaScript methods and ways of constructing XSS scripts that are commonly used in manual XSS detection.
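The "where does it come out and did the special characters survive" check above can be turned into a repeatable test for your own site. This is an added example, not code from the original post; the marker, probe format and response body are constructed, and in practice the body is the page returned after submitting the probe through the input under test.

```javascript
// Added example, not from the original post: locate every reflection of a
// probe in a response and report which special characters came back raw.
// Names, marker and response body are constructed for illustration.

const SPECIAL = ['<', '>', '"', "'", '&'];
const ENTITIES = {
  '<': ['&lt;', '&#60;', '&#x3c;'], '>': ['&gt;', '&#62;', '&#x3e;'],
  '"': ['&quot;', '&#34;', '&#x22;'], "'": ['&#39;', '&#x27;', '&apos;'],
  '&': ['&amp;', '&#38;', '&#x26;'],
};

// A unique marker makes the reflection point easy to find in a large page;
// the special characters after it reveal whether output encoding is applied.
function buildProbe(marker) {
  return marker + SPECIAL.join('');
}

// Classify the text right after one reflected marker: each special character
// is either an HTML entity (encoded, safe), the literal character (raw,
// dangerous) or missing (dropped or altered by a filter).
function classifyTail(tail) {
  const lower = tail.toLowerCase();
  const raw = [];
  let pos = 0;
  for (const ch of SPECIAL) {
    const ent = ENTITIES[ch].find((e) => lower.startsWith(e, pos));
    if (ent) { pos += ent.length; continue; }
    if (tail[pos] !== ch) return { complete: false, raw };
    raw.push(ch);
    pos += 1;
  }
  return { complete: true, raw };
}

// Report every reflection of the marker in a response body.
function analyseReflection(body, marker) {
  const findings = [];
  for (let at = body.indexOf(marker); at !== -1; at = body.indexOf(marker, at + 1)) {
    const start = at + marker.length;
    const { complete, raw } = classifyTail(body.slice(start, start + 64));
    findings.push({ offset: at, complete, raw, unsafe: raw.length > 0 });
  }
  return findings;
}

// Constructed response: the probe echoed once encoded inside a paragraph and
// once unencoded inside an attribute value (the second is the vulnerable spot).
const MARKER = 'zq7xprobe';
const constructedBody =
  '<p>Results for: zq7xprobe&lt;&gt;&quot;&#x27;&amp;</p>\n' +
  '<input name="q" value="zq7xprobe<>"\'&">';
```

Any finding with `unsafe: true` marks a location where the application echoes input without encoding for its HTML context, which is the condition the page's "pop-up alert" test proves by hand.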

 

4.1.1 Commonly used HTML tags

Here we introduce three commonly used HTML tags:

  • textarea tag: defines a multi-line text input control.

  • img tag: used to embed an image in the page.

  • iframe tag: the iframe element creates an inline frame containing another document; it can embed another web page inside the current page.

4.1.2 Common JavaScript methods

  • alert: displays an alert box with a specified message and an OK button.

  • window.location: used to get the current page address and to redirect the browser to a new page.

  • location.href: returns the href (URL) of the current page.

  • onload: fires as soon as the page or image has finished loading.

  • onsubmit: fires when the submit button of a form is clicked.

  • onerror: fires when an error occurs while loading a document or image.

4.1.3 Constructing XSS scripts

① Pop-up alert

This script pops up a prompt box and is generally used as a vulnerability test or demonstration. If this script can be executed, the back-end server is not filtering special characters, which proves that this location on the page has an XSS vulnerability.

This script reads the cookie and displays it. It usually needs to be combined with other code so that the user's click sends the cookie to a server set up by the attacker.

② Page nesting

This script nests a 300-pixel-wide Baidu page inside the current page.

③ Page redirection

④ Pop-up alert and redirect

⑤ Loading malicious code

Redirects the user to another page and loads the content of xss.js; xss.js can contain more harmful scripts.

The JavaScript statement of the BeEF framework.

⑥ Using the image tag cleverly

If the image link is invalid, the onerror handler executes, which bypasses filtering of script tags.

⑦ Scripts to bypass filtering

Bypassing filtering by changing the way the script is written.

Bypassing filtering through character encoding, such as URL, Base64 and other encodings.

Bypassing filtering through code obfuscation.

⑧ Collecting user cookies

These are all XSS script inputs. We can also use a server-side Web file to collect user cookies:


Origin blog.csdn.net/qq_43422918/article/details/115324021