XSS
1. Introduction to XSS
(1) Introduction to XSS
XSS is one of the OWASP TOP 10.
XSS Chinese is called Cross-site scripting (Cross-site scripting), the original name should be abbreviated as CSS, but because CSS (Cascading Style Sheets, cascading style script) has the same name, it was renamed XSS. XSS (cross-site scripting attack) is mainly based on javascript (js) to complete malicious attacks.
XSS is a computer vulnerability that often appears in web applications, and it is also the most mainstream attack method in the web. So what is XSS?
XSS refers to the fact that malicious attackers use the shortcomings of the website to escape or filter the data submitted by users, and then add some code and embed it into the web page. Make other users visit will execute the corresponding embedded code.
It is an attack method that steals user information, uses user identity to perform certain actions, or visitors carry out virus infringement.
(2) XSS principle
Use all kinds of black magic we know to insert js code into the web page, so that the js code can be executed by the browser, and the user who visits the page is attacked.
(3) Harm of XSS
For users,
stealing cookie hijacked sessions,
phishing
, mining with horses,
advertising brush traffic,
for web services,
hijacking background (common),
tampering with pages
, spreading worms,
intranet scanning (common)
(4) XSS types
Reflective:
reflective Also known as non-persistent, this type of script is the most common and widely used, and is mainly used to attach malicious scripts to parameters of URL addresses.
Storage type:
The attacker sends the constructed malicious page to the user, and the user receives the attack after visiting the seemingly normal page. This type of XSS usually cannot directly see the malicious code in the URL, and has strong persistence and concealment sex.
DOM
DOM type XSS does not need to interact with the backend, but based on JavaScript, JS parses malicious parameters in the URL to execute JS code
2. Detailed explanation of XSS classification
(1) Stored XSS
Stored XSS: Persistence, the code is stored in the web server, such as inserting code in personal information or publishing articles, if there is no filtering or the filtering is not strict, then these codes It will be stored in the server, and code execution will be triggered when the user visits the page. This kind of XSS is more dangerous, and it is easy to cause worms and steal cookies. Every user who visits a specific page will be attacked.
Features:
XSS attack codes are stored on the web server;
attackers generally store attack codes on the web server through functions such as messages, comments, blogs, and logs on the website (all places where content can be input to the web server)
. XSS attack process:
DVWA shooting range building tutorial
http://www.cnblogs.com/heiwa-0924/p/12443427.html
Stored XSS-DVWA
https://blog.csdn.net/weixin_40950781/article/details/100007103
payload:
low:
High:<img src=1 οnerrοr=alert(1)>
(2) Reflective XSS
Reflective cross-site scripting is also called non-persistent, parametric cross-site scripting. This type of script is the most common and widely used. It is mainly used to attach malicious scripts to parameters of the URL address.
Eg.
http://www.test.com/search.php?key="><script>alert("xss")</script>
1
generally used to send the constructed URL to the victim, which is the victim Triggered on click, and only executed once, non-persistent.
Reflected XSS attack process:
Reflected XSS-DVWA:
Payload:
Low:<script>alert(1)</script>
Mid:<SCRIPT>alert(1)</SCRIPT>
High:<img src=1 onerrοr=alert(1)>
1
2
3
4
(3) Introduction to JS
JavaScript, a literal scripting language, is a dynamically typed, weakly typed, prototype-based language with built-in support for types. Its interpreter is called the JavaScript engine, which is part of the browser and is widely used as a client-side scripting language. It was first used on HTML (an application under the standard general markup language) webpage to add dynamic functions to HTML webpages. .
In 1995, Brendan Eich of Netscape was first designed and implemented on the Netscape Navigator browser. Because Netscape cooperated with Sun, Netscape management wanted it to look like Java, so it was named JavaScript. But in fact its grammatical style is closer to Self and Scheme.
In order to obtain technical advantages, Microsoft launched JScript, and CEnvi launched ScriptEase, which can also run on browsers like JavaScript. In order to unify the specification, because JavaScript is compatible with the ECMA standard, it is also called ECMAScript.
Learning JS: https://www.w3school.com.cn/js/index.asp
3. XSS discovery and protection
(1) Five defense methods of XSS
XSS defense of HTML node content
Escaping << and >> means escaping <>. There are two ways to escape, one is to escape when writing to the database, and the other is to escape when parsing
Here is escaped when displaying
var escapeHtml = function(str){ str = str.replace(/>/g,'<'); str = str.replace(/>/g,'>'); return str; } escapeHtml(content) ; 1 2 3 4 5 6 XSS defense escape of HTML attributes " &quto; is to escape double quotes, ' to escape single quotes, (Another thing to note is that actually HTML attributes can not include quotes, so strictly It is said that we also need to escape the spaces, but this will cause the wrong number of spaces when rendering, so we do not escape the spaces, and then write all the html attributes with quotation marks) so that the attributes will not be closed in advance
var escapeHtmlProperty = function(str){
str = str.replace(/"/g,'&quto;');
str = str.replace(/'/g,''');
str = str.replace(/ /g,' ');
return str;
}
escapeHtmlProperty(content);
1
2
3
4
5
6
7
8
In fact, the above two functions can be combined into one function, so that both content and properties can be filtered by one function.
HTML escape function
var escapeHtmlProperty = function(str){ if(!str) return ''; str = str.replace(/&/g,'&'); str = str.replace(/>/g,' <'); str = str.replace(/>/g,'>'); str = str.replace(/"/g,'&quto;'); str = str.replace(/'/g, '''); return str; } escapeHtml(content); 1 2 3 4 5 6 7 8 9 10 js escape Escape "\" or replace it with json
var escapeForJs = function(str){ if(!str) return ''; str = str.replace(/\\/g,'\\\\'); str = str.replace(/"/g,'\ \"'); } 1 2 3 4 5 Rich text is not easy to filter because it requires complete HTML. Generally, some tags and attributes are reserved according to the white list for filtering. Except for allowed tags and attributes, all others are not allowed. Allowed (there is also a blacklist method, but because the html complex effect is relatively poor, the principle is the previous regular replacement)
In fact, the XSS component that can be written by others is called xss, directly
npm install xss
1
whitelist - use third-party library XSS, support specified whitelist
var xssFilter = function(html){
if(!html) return '';
var xss = require('xss');
var ret = xss(html,{
whileList:{
img:['src'],
a:['href'],
font:['size','color']
},
onIgnoreTag: function(){
return '';
}
});
console.log(html,ret);
return ret;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
(2) XSS worm attacks
The destructive power and influence of XSS worms are huge. XSS worms mainly occur on pages where there is interaction between users. When the web application does not strictly filter the data information entered by the user, by combining the asynchronous submission of Ajax, it can be implemented while implanting malicious code. Sending the malicious code externally realizes the infection and propagation of the code, and forms an XSS worm.
(3) Digging for XSS vulnerabilities
Scanning tools for automatic detection
AWVS
AppScan
JSKy
manual testing
Source code analysis
(4) Prevention of XSS vulnerabilities
XSS cross-site scripting attack vulnerability prevention
Client user
IE8 and advanced version, enable XSS filter function,
Firefox uses extended functions such as CSP, Noscript, etc.
Rising Personal Firewall 2012 version enables XSS interception function
Web application programmers
use HttpOnly
perfect input and output inspection
HttpOnly
HttpOnly was originally proposed by Microsoft, and has been adopted by many popular browser vendors. The role of HttpOnly is not to filter XSS cross-site scripting attacks, but the browser will prohibit Javascript on the page from accessing cookies with the HttpOnly attribute, so as to solve the cookie session hijacking behavior after XSS cross-site scripting attacks.
Input and output checks
Because the causes of the vulnerabilities of the three types of XSS cross-site scripting attacks are different, part of the checks for input and output are applicable to reflective XSS and stored XSS, while others are applicable to DOM-based XSS most of the time
. It is a check of credible characters or input data format. For example, only letters, numbers, underscores, and Chinese characters are allowed in the registered account information entered by the user. All characters that are not in the white list are considered to be illegal input. . Data formats such as IP addresses, phone numbers, email addresses, dates, and other data have certain format specifications, and only input information that conforms to the data specifications is allowed to pass the inspection.
The output inspection is mainly for the data display process. The data information should be processed by HTML encoding, and malicious characters that may cause XSS cross-site scripting attacks should be encoded, and the malicious characters can be filtered without affecting the normal data display.
Common characters and their HTML codes that may cause XSS cross-site scripting attacks such as:
" --- "
' --- '
& --- &
< --- &It;
> --- >
In addition to commonly used encodings, any character can be HTML-encoded using its ASCII code, such as:
% --- %
* --- *
1
2
3
4
5
6
7
8
9
10
DOM Based XSS input and output inspection
- specificity
- when a DOM based XSS cross-site scripting attack occurs, malicious data The format of the data is different from the traditional XSS cross-site scripting attack data format. It can even directly attack the client without processing and responding from the server.
- Input inspection
- the filtering effect of deploying the corresponding security detection code on the client side is more obvious than that on the server side.
- Client-side detection code to ensure that the data entered by the user contains only letters, numbers and spaces.
- The server implements the above-mentioned data inspection functions
- URL parameter name and number inspection
- Parameter value type and content inspection
- Output inspection
- Before inserting user-controllable DOM data content into the document, the web application should include the submitted data All kinds of dangerous characters and expressions that may exist are filtered and inserted in a safe way
—————————————————
Copyright statement: This article is the original work of CSDN blogger "Security Old A" The article follows the CC 4.0 BY-SA copyright agreement, please attach the original source link and this statement for reprinting.
Original link: https://blog.csdn.net/qq_44857938/article/details/118034947