XSS-related interview questions


Foreword

This article collects interview questions related to XSS vulnerabilities and will keep being updated. Because the blogger is short on time the updates may not be very prompt, but believe me, they will come no matter how late!
Readers are especially invited to follow my blog, or my WeChat public account: Xiaobai learns IT

Interview questions

1. The principle of XSS vulnerabilities

The essence of XSS is JavaScript code execution. The principle is that malicious JS code is entered into a user-controllable parameter, and that code is then executed successfully in the browser.

2. How to verify the existence of xss vulnerabilities?

Step 1: find user-controllable parameters (input points).
Step 2: test whether special symbols such as single quotes, double quotes and angle brackets are filtered or otherwise processed.
Step 3: proceed according to the results of step 2; for example, if event-type keywords are filtered, construct a new script tag to form a fresh JS context, or bypass whatever other protections are in place.
The test string I commonly use:

123456'"<>

3. What types of xss are there?

1. DOM-based XSS
2. Reflected XSS
3. Stored XSS

DOM-based XSS
The attacker passes a parameter carrying malicious JS code to the website's front-end page. The code is never sent to the server; it is executed directly in the client's browser.
Reflected XSS
The attacker passes a parameter carrying malicious JS code to the website. It goes through the server, is returned to the client, and is executed in the client's browser.
Stored XSS
The attacker passes a parameter carrying malicious JS code to the website, and the server stores it in the database. Whenever any client accesses that data, the malicious JS code is executed in that client's browser.

4. What harm can xss cause (what can it do)?

1. Steal the user's cookies
2. Modify the DOM
3. Insert advertisements, defacement pages, etc.
4. Launch an XSS worm attack
5. Hijack user behavior to further penetrate the intranet
...

5. How to defend against XSS?

1. Encode all input values
2. Use whitelist filtering; for example, a mobile phone number may only be an 11-digit number
3. Use a blacklist to filter various special characters (easily bypassed)
4. Set the HttpOnly flag on cookies
5. Use the CSP (Content Security Policy) proposed by the W3C to define a domain whitelist so that third-party JS cannot be loaded

6. What are some examples of XSS attacks?

1. In 2005, 19-year-old Samy Kamkar launched an XSS Worm attack on MySpace.com, and infected millions of users within a few hours.
2. In December 2007, Baidu Space was attacked by a worm, and users began to forward spam messages among themselves.
3. In 2011, Sina Weibo was attacked by xss (clicking on the link will automatically send a link out, and the attack gradually expands, which is a worm attack)
4. A reflected XSS vulnerability was found in QQ Mail

7. How to test DOM type XSS?

Approach: look for sinks such as document.write, innerHTML assignment, outerHTML assignment, window.location operations, content written after a javascript: URL, eval, setTimeout, setInterval, etc. that execute directly. Find the variables that flow into them, then check whether the source of each variable is controllable and whether it has passed through a security filter.

8. What are some suggestions for fixing XSS vulnerabilities?

1. Validate input on the server side and filter special characters
2. Encode and escape the output content
3. Use HTMLEncode in an HTML context and JavaScriptEncode in a JavaScript context. Put variables that use JavaScriptEncode inside quotation marks and escape special characters, so the data part cannot escape the quotation marks and become part of the code. To be stricter, hex-encode every character other than letters and digits.
4. Set the HttpOnly flag on cookies
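As an added example (not code from the original post), the two encoders from item 3 written as plain JavaScript functions; the names htmlEncode, jsEncode and renderSafely are assumed here:

```javascript
// HTMLEncode: for data placed inside an HTML element body or attribute.
// Every character that can open a tag, close an attribute or start an
// entity is replaced with its entity, so the data can never become markup.
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(str).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// JavaScriptEncode: for data placed inside a quoted JS string literal.
// Following the stricter rule in item 3, every character that is not a
// letter or digit is hex-encoded (\xHH below 256, \uHHHH otherwise), so
// quotes, backslashes, newlines and "</script>" cannot break out of the
// string literal the variable sits in.
function jsEncode(str) {
  return String(str).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Render the same untrusted value into both contexts (hypothetical helper).
function renderSafely(userInput) {
  return {
    html: '<div>' + htmlEncode(userInput) + '</div>',
    script: "var name = '" + jsEncode(userInput) + "';",
  };
}

// Constructed sample input: the probe string from question 2 plus a tag.
const sample = '123456\'"<>' + '<script>alert(1)</script>';
console.log(renderSafely(sample));
```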

9. List some XSS methods to bypass security restrictions (bypass)

The following only illustrates the approach.
1. When "script" is filtered (only once)

<scrscriptipt>alert(1)</scscriptript>
<ScRipt>alert(1)</ScRipt>

2. Using event handlers when a script tag cannot be constructed

<input  value='123' onclick='alert()'>

Hyperlink bypass

<a href=javascript:alert()>123</a>

There are many more; I will set up a target machine another day and add descriptions of the environment. It's too late today, off to bed first!

Finally

Everyone is welcome to follow my CSDN blog or my WeChat public account: Xiaobai learns IT


Origin blog.csdn.net/weixin_42380348/article/details/121985620