DVWA XSS (Reflected): reflected cross-site scripting

XSS stands for Cross-Site Scripting.

XSS vulnerability types:
Reflected (non-persistent): the malicious code is placed mainly in a URL parameter; on the client side it is used to steal cookie information and for phishing.

Stored (persistent): the attacker injects malicious code into the web server, where it is saved; any client that visits the corresponding page is attacked.

DOM-based: uses the DOM features of the browser; the server does not execute anything, and the request modifies or steals information locally in the browser itself.

Now we begin the reflected XSS exercises.

Low

Source:

The array_key_exists() function checks whether the specified key exists in an array; it returns true if the key name exists and false if it does not. Here the key name is name.

As you can see, the Low-level code only checks whether the name parameter is empty; if it is not empty, it prints it out directly, without any filtering or inspection of the name parameter. This is a very obvious XSS vulnerability.

We enter <script>alert('hack')</script> directly, and our JS code is executed.

Medium

Source:

Here the str_replace() function only filters the string "<script>" (filtering with str_replace() is not complete, because it is case-sensitive).

But a double-written "<script>" and a capitalised "<SCRIPT>" can still get through.

We can bypass it directly with capitals.

We enter <SCRIPT>alert('hack')</SCRIPT>, and the JS code is executed directly.

Now the double-write bypass.

Filtering code:

$name = str_replace('<script>', '', $_GET['name']); this removes the "<script>" string from the parameter.

1. In the "What's your name?" input box, enter: <script>alert(123)</script>

Once submitted, the browser does not show the pop-up we expected with the alert content; instead, "alert(123)" is displayed directly as the name, which shows that str_replace() has taken effect here:

2. Try the following attack; in the "What's your name?" input box, enter:

<sc<script>ript>alert("If you can see this, the attack succeeded")</script>

Principle: here str_replace() only filters the string "<script>".

Once "<sc<script>ript>alert("If you can see this, the attack succeeded")</script>" is submitted, the complete "<script>" string in the middle is removed, and the remaining "<sc" and "ript>" are joined together, so what the server actually sends back is "<script>alert("If you can see this, the attack succeeded")</script>".

High

Source:

As can be seen, the High-level code filters the input directly with a regular expression of the form <*s*c*r*i*p*t, where * stands for any run of characters and the i modifier makes the match case-insensitive. Therefore our <script> tag cannot be used here.

But we can still inject JS via the src of an img tag, via body and other event handlers, or via iframe and other tags.

We enter <img src=1 onerror=alert('hack')>.
This input means: when the image fails to load, execute alert('hack').
Here src=1 certainly fails to load, so the alert statement is executed.
After it runs, view the page source and you can see that our code has been inserted into the page.

Impossible

Source:

htmlspecialchars(string): converts the predefined characters "<" (less than), ">" (greater than), "&", single quote and double quote into HTML entities, which prevents the browser from treating them as HTML elements.

If we enter <script>alert('hack')</script> as before, htmlspecialchars converts the < and > in ${name} into HTML entities, and the value of $name is then printed enclosed in <pre></pre> tags, so the statement we inserted will not be executed.

As can be seen, the Impossible-level code checks whether name is empty; if it is not empty, it verifies the token to guard against CSRF attacks, then uses the htmlspecialchars function to convert the predefined characters in name into HTML entities, thus preventing us from injecting tags.
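To make the four levels comparable side by side, here is an added Python model of the Low, Medium, High and Impossible filters (example code written for this page, not DVWA's own PHP). The filters are reconstructed from the page's descriptions and are assumptions: Low reflects the parameter unchanged, Medium removes the literal "<script>" once and case-sensitively like str_replace(), High applies a case-insensitive regular expression of the <*s*c*r*i*p*t form, and Impossible encodes the output with html.escape, which covers the same characters as htmlspecialchars with ENT_QUOTES. The <pre> wrapper, the helper names and the tag-counting check are also assumptions; the sample inputs are the ones from the walkthrough above.

```python
import html
import re


def low(name: str) -> str:
    """Low: no filtering, the parameter is reflected verbatim."""
    return name


def medium(name: str) -> str:
    """Medium: one case-sensitive, single-pass removal of the literal '<script>'."""
    # str.replace, like PHP str_replace, does not re-scan its own result, so
    # '<sc<script>ript>' collapses to '<script>' and '<SCRIPT>' is untouched.
    return name.replace("<script>", "")


# Assumed form of the High-level pattern: '<' followed by s, c, r, i, p, t in
# order with anything in between, matched case-insensitively.
SCRIPT_PATTERN = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)


def high(name: str) -> str:
    """High: strip any '<...s...c...r...i...p...t' sequence, ignoring case."""
    # The blacklist only knows about the script tag; other tags carrying
    # event handlers (img onerror, body onload, ...) pass through untouched.
    return SCRIPT_PATTERN.sub("", name)


def impossible(name: str) -> str:
    """Impossible: output encoding instead of blacklisting."""
    # html.escape(quote=True) turns < > & " ' into entities, the same set
    # that htmlspecialchars($name, ENT_QUOTES) converts.
    return html.escape(name, quote=True)


def render(level, name: str) -> str:
    """Reflect the (filtered) name inside a <pre> block, as the page describes."""
    return f"<pre>{level(name)}</pre>"


def tags_reaching_browser(markup: str) -> list[str]:
    """Lower-cased names of the opening tags the browser would parse out of the markup."""
    return [t.lower() for t in re.findall(r"<([a-zA-Z]+)", markup)]


if __name__ == "__main__":
    # Constructed inputs taken from the walkthrough on this page.
    samples = [
        "<script>alert('hack')</script>",
        "<SCRIPT>alert('hack')</SCRIPT>",
        "<sc<script>ript>alert(1)</script>",
        "<img src=1 onerror=alert('hack')>",
    ]
    for level in (low, medium, high, impossible):
        for sample in samples:
            page = render(level, sample)
            print(f"{level.__name__:10} {sample!r:40} -> tags {tags_reaching_browser(page)}")
```

Running it prints, for each level, which tags survive into the rendered page: every sample leaves a live tag at Low, the capitalised and double-written samples survive Medium, only the img sample survives High, and nothing but the surrounding <pre> survives Impossible. That last column is the practical lesson of the exercise: a blacklist has to anticipate every spelling of every dangerous tag, while encoding on output makes the question of which tag was sent irrelevant.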

Origin www.cnblogs.com/escwq/p/12499001.html