1. Causes of XSS vulnerabilities
The code does not filter input strictly, so JavaScript supplied by the user ends up in the output and is executed by the browser.
2. Harm caused by XSS vulnerabilities
Phishing and theft of accounts of all kinds
Stealing cookies
Hijacking the user's browser requests
Pushing advertisements and faking traffic
Planting drive-by download code in pages ("hanging a trojan")
Elevating user privileges
Spreading cross-site scripting worms, and so on
3. Reflected XSS
1) Normal input is displayed as entered: hello 123
http://192.168.1.100/dvwa/vulnerabilities/xss_r/?name=123
2) Entering JavaScript code in the name parameter instead makes it execute and pop up:
http://192.168.1.100/dvwa/vulnerabilities/xss_r/?name=
4. Stored XSS
1) Entering normal content displays it.
2) Entering JavaScript code makes it pop up. The page does not display the entered text, but the code is stored in the page and can be seen in the page source; from then on anyone accessing this address, from any computer, gets the popup.
http://192.168.1.100/dvwa/vulnerabilities/xss_s/
5. Finding XSS vulnerabilities manually
Places a user can test: input fields, file upload points, Flash objects, and message boards.
The enclosing tag sometimes has to be closed first.
6. Tools for finding XSS vulnerabilities
OWASP Xenotix XSS Exploit Framework
1) Configure the server settings
2) Select GET mode
3) Enter the address of a page that may contain XSS and click Fuzz
7. Bypassing restrictions
1) Bypassing magic_quotes_gpc (a Firefox extension can do the conversion automatically)
magic_quotes_gpc = On is a PHP security setting. When it is enabled, PHP escapes certain special characters in incoming data: a single quote (') becomes (\'), a double quote (") becomes (\"), and a backslash (\) becomes (\\). Note that this setting was removed in PHP 5.4 and was only ever meant as a crude defence against SQL injection, not XSS.
For example, <script>alert("xss");</script> is converted to <script>alert(\"xss\");</script>, so our XSS does not take effect.
For a site with magic_quotes_gpc enabled we can bypass it with JavaScript's String.fromCharCode method: alert("XSS") is converted to
String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41)
and our XSS statement becomes
<script>String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41,59)
String.fromCharCode() is a JavaScript string method that turns a list of character codes into a string; since the payload then contains no quote characters, magic_quotes_gpc leaves it unchanged.
2) Hex encoding
We can hex-encode (URL-encode) our statement to bypass the XSS filtering rules.
For example, <script>alert("xss");</script> can be converted to
%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b%3c%2f%73%63%72%69%70%74%3e
3) Changing case
During testing we can change the letter case of the test statement to bypass the XSS filter.
For example, the tag in the statement can be rewritten in mixed case.
4) Whitespace
Inserting a URL-encoded null byte (%00) inside the tag name:
<scri%00pt>alert(2)</sc%00ript>
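To make the defensive point behind these bypasses concrete, here is an added Python model (not code from this page or from DVWA) that runs the payload variants above through a naive literal-tag blacklist, an addslashes-style emulation of magic_quotes_gpc, and htmlspecialchars-style output encoding, showing that only encoding at the output sink removes the tag in every case. The mixed-case payload and all function names are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed payloads, one per technique described above; the
# fromCharCode and hex values are the ones shown on the page.
PAYLOADS = {
    "plain": '<script>alert("xss");</script>',
    "fromcharcode": "<script>String.fromCharCode(97,108,101,114,116,40,34,88,83,83,34,41,59)</script>",
    "hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%78%73%73%22%29%3b%3c%2f%73%63%72%69%70%74%3e",
    "case": "<ScRiPt>alert(2)</sCrIpT>",
    "nullbyte": "<scri%00pt>alert(2)</sc%00ript>",
}

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)

def naive_blacklist_blocks(raw_query_value: str) -> bool:
    """A filter that only rejects the literal lowercase tag in the raw query
    string: exactly the check that hex encoding, case changes and %00 defeat."""
    return "<script>" in raw_query_value

def magic_quotes_gpc(value: str) -> str:
    """Model of PHP's magic_quotes_gpc (addslashes): escapes \\ ' " and NUL.
    A payload that contains no quote characters passes through unchanged."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))

def output_encode(value: str) -> str:
    """Model of htmlspecialchars($v, ENT_QUOTES, 'UTF-8') at the echo sink:
    < > & " ' become entities, so no tag can form whatever the input was."""
    return html.escape(value, quote=True)

def tag_survives(echoed: str) -> bool:
    """True if a <script ...> tag, in any letter case, is still present."""
    return SCRIPT_TAG.search(echoed) is not None

def evaluate(raw: str) -> dict:
    """Run one raw query-string value through both filters and the fix.
    PHP URL-decodes $_GET before user code sees it, so decode once here."""
    decoded = unquote(raw)
    return {
        "blacklist_blocks": naive_blacklist_blocks(raw),
        "tag_after_magic_quotes": tag_survives(magic_quotes_gpc(decoded)),
        "tag_after_output_encoding": tag_survives(output_encode(decoded)),
    }

if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        print(f"{name:13s} {evaluate(raw)}")
```

Running it shows the blacklist catching only the plain form, magic_quotes_gpc leaving the quote-free fromCharCode and mixed-case tags intact, and output encoding stripping the tag from all five.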
Illegal use is prohibited; you bear the consequences yourself.