
Manually mining XSS vulnerabilities

2022-06-22 09:01:00 Ape dung

XSS injection approach:

1. Find an input point on the target site, for example a query interface or a message board;

2. Enter a set of special characters plus a unique identifying string, click Submit, and view the returned source code to see whether the input has been processed in any way;

3. Locate the unique string by searching the source, and combine it with the syntax before and after it to confirm whether the conditions for constructing and executing JS can be created (i.e. whether the surrounding structure can be closed);

4. Submit the constructed script code (and its various bypass variants) and see whether it executes; if it executes successfully, an XSS vulnerability exists.

TIPS

1. Query interfaces, user login, search, and order submission are prone to reflected XSS; message boards, comments, user nicknames, user profiles and other places where submitted data is stored by the server and displayed later are prone to stored XSS;

2. Because the backend may have filtering measures, the constructed script may be filtered out and never take effect, or the environment (the browser) may restrict its execution;

3. Try different scripts to bypass the backend filtering mechanism.

Depending on the output position, the attack method also differs.

  1. Output outside a tag (outside angle brackets)

Steps

1. Determine the output position

2. Enter the special characters ("'<>script alert onclick); if they are output unchanged, normal tags can be constructed

Judge from the output which characters were filtered: here the angle brackets were filtered but the single and double quotation marks were not, and a pop-up can still be produced.

View the source code:

<script>alert(1)</script>

  2. Output inside a tag

Two cases: 1. inside the quotation marks; 2. outside the quotation marks

Steps:

1. Determine the output position

2. Enter the special characters ("'<>script alert onclick)

View the source code

The input lands inside quotation marks, so try closing the quotation marks to construct a new attribute or tag

'onclick='alert(1): enter a statement that closes the quotation marks, then view the source code

Click the output position on the page

Second case: the quotation marks cannot be closed

Determine the output position

Enter the special characters ("'<>script alert onclick)

View the source code

The entered single and double quotation marks were stripped, so we construct JavaScript code directly, or write alert into an onload position

View the source code:

Output outside the quotation marks: see whether new attributes can be constructed

Looking at the source code, the entered value lands outside the quotation marks, so new attributes can be constructed to execute JS code

Enter the special characters to see whether they are filtered ("'<>script alert onclick)

View the source code

Not filtered, so construct attributes

Click

  3. Output inside JavaScript code: <script> output position </script>

Determine the output position

So close the quotation marks and comment out the quotation marks that follow

First, determine whether the special characters have been filtered

No filtering, so a pop-up can be produced: ";alert('aa');//

Enter a value and view the source code to see whether the string can be closed

Try closing

The entered quotation marks and semicolons are filtered, so closing is not possible, and other methods must be tested

According to the code, the content is output to the page or parsed as a tag, so an img tag can be constructed

<img src=1 onclick=alert(1)>

Click on the image

Outside the quotation marks, JS code can be entered directly

Determine the output position

The entered value appears inside the script tag, so in this case JS code can be entered directly
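The following is an added example, not code from the original post. It performs steps 2 and 3 of the injection approach offline for a code reviewer or tester who has already captured a response body: it finds the unique identifier, reports which of the three output positions above the reflection landed in (between tags, inside a quoted attribute, inside an unquoted attribute, or inside a script block), and lists which special characters and keywords of the probe came back unencoded. The marker string, the probe layout (marker first, then the special characters) and the sample responses are all constructed for the demo.

```javascript
// Added example, not code from the original post. Given a captured response
// body, find the unique identifier, classify the output position it landed
// in, and report which probe characters and keywords survived unencoded.
// MARKER, PROBE and SAMPLES are constructed for this demo.

const MARKER = 'uid7x9q';                         // constructed unique identifier
const SPECIALS = ['"', "'", '<', '>'];            // special characters from the post's probe
const KEYWORDS = ['script', 'alert', 'onclick'];  // keywords from the post's probe
// The marker goes first so that surviving quotes or brackets cannot confuse
// the context walk below, which only inspects the bytes before the marker.
const PROBE = MARKER + SPECIALS.join('') + ' ' + KEYWORDS.join(' ');

// Common entity spellings a server might use when it encodes rather than strips.
const ENTITIES = {
  '"': ['&quot;', '&#34;', '&#x22;'],
  "'": ['&#39;', '&#x27;', '&apos;'],
  '<': ['&lt;', '&#60;', '&#x3c;'],
  '>': ['&gt;', '&#62;', '&#x3e;'],
};

// Which output position did the marker land in? (the post's three cases)
function reflectionContext(html, marker) {
  const idx = html.indexOf(marker);
  if (idx < 0) return 'not reflected';
  const before = html.slice(0, idx);
  const lower = before.toLowerCase();
  const scriptOpen = lower.lastIndexOf('<script');
  if (scriptOpen >= 0 && lower.indexOf('</script', scriptOpen) < 0) return 'script';
  const lastLt = before.lastIndexOf('<');
  const lastGt = before.lastIndexOf('>');
  if (lastLt < 0 || lastGt > lastLt) return 'text';   // outside any tag
  let quote = null;                                    // inside a tag: track quoting state
  for (const ch of before.slice(lastLt)) {
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
  }
  return quote ? 'attribute (inside quotes)' : 'attribute (outside quotes)';
}

// Which probe characters came back verbatim right after the marker?
// An entity-encoded character is skipped over; a stripped one leaves nothing.
function survivingSpecials(html, marker) {
  const idx = html.indexOf(marker);
  if (idx < 0) return [];
  let pos = idx + marker.length;
  const survived = [];
  for (const c of SPECIALS) {
    if (html[pos] === c) { survived.push(c); pos += 1; continue; }
    const ent = ENTITIES[c].find(e => html.startsWith(e, pos));
    if (ent) pos += ent.length;
  }
  return survived;
}

// Which keywords survived in a short window after the marker? The window is
// bounded so that matches further down the page are not counted (heuristic).
function survivingKeywords(html, marker) {
  const idx = html.indexOf(marker);
  if (idx < 0) return [];
  const win = html.slice(idx + marker.length, idx + marker.length + PROBE.length + 24);
  return KEYWORDS.filter(k => win.includes(k));
}

function analyze(html, marker = MARKER) {
  return {
    context: reflectionContext(html, marker),
    survived: survivingSpecials(html, marker),
    keywords: survivingKeywords(html, marker),
  };
}

// Constructed sample responses, one per output position from the post.
const SAMPLES = {
  text:     `<p>No results for ${MARKER}&quot;&#39;&lt;&gt;script alert onclick</p>`,
  quoted:   `<input type="text" name="q" value="${MARKER}&quot;'<>script alert onclick">`,
  unquoted: `<input type=text name=q value=${MARKER}"'<>script alert onclick>`,
  script:   `<script>var q = "${MARKER}<>script alert onclick";</script>`,
  missing:  `<p>Nothing here</p>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(analyze(html)));
}
```

The `script` sample reproduces the situation in the third case above: quotes and semicolons were stripped, so the string literal cannot be closed, but `<` and `>` came back intact, which is exactly what a reviewer needs to know to decide that the output encoding for that position is incomplete.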

XSS defense

The impact of XSS depends mainly on what JavaScript can achieve. Cross-site scripting arises because input and output are not strictly filtered, which results in JavaScript and other client-side code being executed on the page, so filtering sensitive characters is enough to fix XSS vulnerabilities.

Repair and prevention methods:

All three types of XSS vulnerability can be fixed by filtering or encoding.

Reflected XSS and stored XSS can be fixed by filtering and encoding user input and output on the server: filter keywords and encode key symbols. For example, filter keywords such as on-event attributes and script, and entity-encode or percent-encode special symbols such as <, > and =.

For DOM-based XSS, if there is interaction with the server, the above method can be used as well; if there is no server interaction, encoding and filtering can be done on the client with JavaScript or another client-side scripting language.

Summary: filter the input, escape (encode) the output.
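The following is an added example, not code from the original post. It implements the summary's "escape (encode) the output" rule with one encoder per output position discussed above, plus an allowlist check for the "filter the input" half, and then renders the post's probe string into each position to confirm it can no longer break out. The template strings, the `render` function, the nickname rule and the `probeIsContained` check are all constructed for this demo.

```javascript
// Added example, not code from the original post: one output encoder per
// output position the post discusses, and an allowlist for narrow inputs.
// The templates, render(), NICKNAME_RULE and probeIsContained() are constructed.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output position 1: between tags. Entity-encode the five characters that can
// start a tag, end one, or terminate an attribute value.
function encodeHtmlText(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Output position 2: inside an attribute value. The same entity set suffices
// only when the template always quotes the attribute; an unquoted attribute
// is still terminated by a space or '/' (the post's "outside the quotation
// marks" case), so the template below never emits one.
function encodeHtmlAttr(value) {
  return encodeHtmlText(value);
}

// Output position 3: inside a <script> string literal. JSON.stringify escapes
// quotes and backslashes (so ";alert('aa');// cannot end the literal), and the
// extra replacements keep "</script>" from ever appearing inside the literal.
// The result includes its own surrounding double quotes.
function encodeJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render a user-controlled value into the position the template puts it in.
function render(position, value) {
  switch (position) {
    case 'text':   return `<p>No results for ${encodeHtmlText(value)}</p>`;
    case 'attr':   return `<input type="text" name="q" value="${encodeHtmlAttr(value)}">`;
    case 'script': return `<script>var q = ${encodeJsString(value)};</script>`;
    default:       throw new Error(`unknown output position: ${position}`);
  }
}

// The "filter the input" half: an allowlist for a field whose legitimate
// values are narrow (a nickname), rather than a denylist of keywords.
const NICKNAME_RULE = /^[\p{L}\p{N}_ ]{1,32}$/u;
function isValidNickname(value) {
  return NICKNAME_RULE.test(String(value));
}

// Sanity check: the probe string from the post, rendered into each position,
// must not add any '<' or '"' beyond the ones the template itself emits.
const PROBE = `"'<>script alert onclick`;
function countBare(html, ch) {
  return html.split(ch).length - 1;
}
function probeIsContained() {
  return countBare(render('text', PROBE), '<') === 2      // <p> and </p>
      && countBare(render('attr', PROBE), '"') === 6      // three quoted attributes
      && countBare(render('script', PROBE), '<') === 2;   // <script> and </script>
}

for (const pos of ['text', 'attr', 'script']) console.log(render(pos, PROBE));
console.log('probe contained:', probeIsContained());
console.log('nickname ok:', isValidNickname('ape_dung'), isValidNickname(PROBE));
```

Note that the encoder is chosen by where the template places the value, not by what the value looks like: the same probe is safe in all three positions only because each position gets its own encoding, which is the reason a single global "filter sensitive characters" step tends to miss the script-block case.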


Copyright notice
This article was written by [Ape dung]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202220524410359.html