Web Vulnerability: XSS Theory and Shooting Range Test (1)

Preliminary Statement
The procedures (methods) described in this article may be offensive and are provided only for security research and learning purposes. If readers use the information for any other purpose, the user shall bear all legal and joint liability; the author of the article assumes no legal or joint liability.

1. A brief look at the basics of HTML and JS

To understand how an XSS attack works you first need some basic HTML and JS knowledge; otherwise many script injections will not make sense. HTML stands for HyperText Markup Language, and an HTML document is also called a web page. Its main job is to structure and display data and to link between pages.

1.1. HTML structure standard

<!doctype html> <!-- Declares the document type so the rendering engine parses it in standards mode -->
<html> <!-- Root tag -->
<head> <!-- Head tag -->
<title></title> <!-- Title tag; its text is shown in the browser's title bar or tab -->
</head>
<body> <!-- Body tag; this is the content users and viewers see -->
<!-- Write comments here -->
</body>
</html>

Description of the hierarchical relationships:

<head></head> and <body></body> are siblings (a parallel relationship)
<head></head> and <title></title> are in a nesting relationship

1.2. HTML tags

HTML tags are the most basic unit and the most important component of the HTML language. Tag case is irrelevant, but lowercase is recommended. Tags are divided into single (self-closing) tags and double (paired) tags; examples of each follow.

Common single tags:

<br/> // Line break
<hr/> //Horizontal dividing line
<img /> //Image tag
<input /> //Input tag
<meta /> //Metadata of the HTML document, machine-readable, such as <meta charset="UTF-8"/>

Common double tags:

<html></html>
<head></head>
<title></title>
<body></body>
<h1></h1> //Heading tag
<p></p> //Paragraph tag
<div></div> //Block tag, used to control content style and build the page layout
<a></a> //Link tag, e.g. <a href="https://www.baidu.com">Baidu</a>
<ul></ul> //List tag
<form></form> //Form tag, used to create HTML forms for user input and transmit data to the server
<select></select> //Option tag
1.3. JS (JavaScript)

JavaScript is an interpreted scripting language: dynamically typed, weakly typed, prototype-based, with built-in support for a set of primitive types. It can write text into HTML pages dynamically, read and write HTML elements, respond to events, validate data entered by users, and create cookies to store information on visitors' computers, among other things.

Baidu Encyclopedia definition
JavaScript ("JS" for short) is a lightweight, interpreted or just-in-time compiled programming language with first-class functions. Although it is best known as the scripting language for developing web pages, it is also used in many non-browser environments. JavaScript is a prototype-based, multi-paradigm dynamic scripting language that supports the object-oriented, imperative, declarative and functional programming paradigms.

There are two ways to use it:

<!-- Written inline in the HTML -->
<script> JavaScript content (123, 'xss') </script>

<!-- Referenced from an external file; note that <script> is not a void element and needs an explicit closing tag -->
<script type="text/javascript" src="path to js file"></script>

Examples of some commonly used payloads (each one triggers alert(1) when the tag is rendered):

<script>alert(1)</script>
<svg onload=alert(1)>
<img src=1 onerror=alert(1)>
<M onmouseover=alert(1)>M
<marquee onscroll=alert(1)>
<a href=javascript:alert(1)>M</a>
<body onload=alert(1)>
<details open ontoggle=alert(1)>
<embed src=javascript:alert(1)>

For more comprehensive learning, the beginner tutorial site is a good starting point; I personally recommend it for non-front-end developers who want to get up to speed quickly.

2. Introduction to XSS

XSS stands for Cross-Site Scripting. Because the natural abbreviation CSS collides with the Cascading Style Sheets used by HTML, it is abbreviated as XSS instead. It is a web application security vulnerability in which a malicious visitor implants scripts into pages served to other users. The dangerous code is usually written in JavaScript; when a user opens the page in a browser, the script executes and achieves the attacker's goal. The essence of the problem is that unfiltered malicious code is mixed in with the website's legitimate code: the browser cannot tell which scripts are trustworthy, so the malicious script runs with the same privileges as the site's own.

2.1. XSS attack process

The process generally has 5 steps:

1. The attacker surveys the target website or web application, looking for points where a malicious script could be inserted.

2. Once a potential injection point is found, the attacker inserts a prepared malicious script there.

3. A user visits a page containing the malicious script, or interacts with data that contains it.

4. The user's browser receives the malicious script and executes it.

5. The malicious script can then perform a variety of operations, including stealing the user's session token, cookies or entered sensitive information, or redirecting the user to another malicious website.

[Figure: XSS attack process diagram (image from the Internet)]

3. Classification and exploitation of XSS vulnerabilities

XSS vulnerabilities fall into three categories: reflected (non-persistent), stored (persistent) and DOM-based.

3.1. Reflected type (non-persistent)

Full name: Reflected Cross-Site Scripting, also known as non-persistent or parameter-based cross-site scripting. The malicious script is appended to a URL parameter and reflected back in the response. Vulnerability characteristics: one-off, executed in the front end, not stored in the back-end database. Hazard level: medium.

Reflected XSS attack steps:

  • The attacker constructs a URL containing malicious code.
  • When the user visits, the malicious code will be spliced into HTML and returned to the browser.
  • After the user’s browser receives the response, it parses and executes it, and the malicious code mixed in it is also executed.
  • The script steals user data and sends it to the attacker's site, or impersonates the user to perform actions chosen by the attacker.

3.2. Stored type (persistent)

Full name: Stored Cross-Site Scripting. The attacker uploads or stores malicious JS code on the vulnerable server in advance; whenever a user browses a page that includes it, the code executes. Unlike the reflected type, the victim does not need to click a specially crafted URL. Vulnerability characteristics: persistent, executed in the front end, stored in the back-end database. Hazard level: high.

Stored XSS attack steps:

  • The attacker submits malicious code into the target website’s database.
  • When the user opens the target website, the website server takes out the malicious code from the database, splices it into HTML and returns it to the browser.
  • After the user’s browser receives the response, it parses and executes it, and the malicious code mixed in it is also executed.
  • The script steals user data and sends it to the attacker's site, or impersonates the user to perform actions chosen by the attacker.

3.3. DOM type

DOM-based XSS occurs when an application manipulates the page DOM through JavaScript without properly filtering or escaping user input, allowing an attacker to inject a malicious script that then affects other users. Vulnerability characteristics: one-off, executed in the front end, not stored in the back-end database, and execution does not depend on server-side data. Hazard level: medium.

Unlike the first two types, the root cause has nothing to do with server-side parsing: the vulnerability arises from client-side JS reading attacker-controlled content (for example from the URL) and writing it into the page. DOM XSS is defined by where the output is written, not by where the input came from, so a DOM XSS can be either reflected or stored.
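As an added illustration of the DOM-type sink just described (this is example code, not part of the original article or the Pikachu range), the block below reads a name from a URL fragment such as `#name=alice` and writes it into the page in two ways: through `innerHTML`, where the value is parsed as markup, and through `textContent`, where it is treated as plain data. The `paramFromFragment`, `renderUnsafe` and `renderSafe` functions are constructed for this example; the render functions accept any element-like object so they can be exercised outside a browser.

```javascript
// Added example (not from the article or Pikachu): a DOM-based sink and its safe form.

// Extract a named parameter from a URL fragment such as "#name=alice".
// URLSearchParams splits each pair at the first "=", so "=" inside the value survives.
function paramFromFragment(fragment, key) {
  const params = new URLSearchParams(String(fragment).replace(/^#/, ''));
  return params.get(key) || '';
}

// Vulnerable sink: the fragment text is assigned to innerHTML, so any tags
// it contains are parsed as markup and their event handlers can run.
function renderUnsafe(el, fragment) {
  el.innerHTML = 'Welcome, ' + paramFromFragment(fragment, 'name');
  return el;
}

// Safe sink: textContent stores the value as a text node; "<svg onload=...>"
// is displayed literally and never becomes an element.
function renderSafe(el, fragment) {
  el.textContent = 'Welcome, ' + paramFromFragment(fragment, 'name');
  return el;
}

// In a real page (assumed element id):
//   renderSafe(document.getElementById('greeting'), location.hash);
```

The rule this demonstrates: when the data comes from `location.hash`, `location.search`, `document.referrer` or similar, choose a sink that cannot create nodes (`textContent`, `setAttribute` on a non-URL attribute) rather than `innerHTML`, `document.write` or `eval`.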

4. A small test at the shooting range (1)

In the Pikachu shooting range, select Cross-Site Scripting and choose "reflective xss (get)" for the experiment. This article only walks through one attack example; the other types will be covered in a separate article.

First submit some arbitrary input, look at how the interface displays it, right-click to view the page source where the input is echoed, and then build the POC for submission based on that structure.

Test string used for verification:

'<>?"&/6666
4.1. Normal operation

Enter '<>?"&/6666 and the interface appears as follows:

4.2. View source code

Checking the source code, I found that the input content is placed inside a <p> tag without any encoding. Note: the text box has a length limit of 20 characters.

4.3. Determine the attack POC

Because the text box is limited to 20 characters, only a few short POCs fit.

<svg onload=alert(1)>

Verification successful.

5. Resources

For setting up the shooting range environment, see "Shooting Range Environment Construction [XP, pikachu, dvwa, sqli-labs]".
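The root cause found in the range test above is that the submitted value is written straight into a <p> tag with no output encoding. The block below is an added example (not the Pikachu source and not code from the article) that models that echo in JavaScript: `echoVulnerable` reproduces the unencoded behaviour, `echoSafe` applies HTML entity encoding, and `probeIsEncoded` is a small check that applies the article's own test string `'<>?"&/6666` the way the manual inspection in 4.2 did, reporting whether any special character survived unencoded. All three function names and the escaping table are constructed for this example.

```javascript
// Added example (not from the article or Pikachu): reflecting user input into a <p>
// with and without output encoding, plus a check that mirrors the manual probe.

// Minimal HTML entity encoding for text content.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable echo: the value becomes part of the markup, so a tag in it is rendered.
function echoVulnerable(message) {
  return `<p>${message}</p>`;
}

// Safe echo: every special character is encoded, so the browser shows it as text.
function echoSafe(message) {
  return `<p>${escapeHtml(message)}</p>`;
}

// Probe string from the article: characters that matter in an HTML context.
const PROBE = `'<>?"&/6666`;

// Returns true when the inner text of the rendered <p> contains no raw
// < > " ' characters, i.e. the probe came back encoded.
function probeIsEncoded(renderedHtml) {
  const inner = renderedHtml.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return !/[<>"']/.test(inner);
}
```

Usage in a review: feed the probe through the rendering path and inspect the response body exactly as in 4.2; `probeIsEncoded(echoVulnerable(PROBE))` is false while `probeIsEncoded(echoSafe(PROBE))` is true, and the 20-character payload from 4.3 comes back as `&lt;svg onload=alert(1)&gt;` through the safe path, which the browser displays rather than executes.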