XSS (cross site script attack) summary (II)
2022-06-25 04:53:00 【Key_Words】
Part one: common XSS pop-up test statements
1. <script>alert('xss')</script> pop-up from a script tag
2. onclick="alert('xss') pop-up from a click event
3. <a href="javascript:alert('xss')">1</a> pop-up from a clicked link
Note: pay attention to the difference between single and double quotation marks, and use brackets and the like flexibly.
Part two: XSS basics
Cross-site scripting means that an attacker inserts malicious script code into a Web page; when a user browses that page, the script embedded in it executes in the user's browser, which achieves the attacker's goal.
An XSS vulnerability usually arises when a PHP output function writes JavaScript into the HTML page, which the user's local browser then executes. The key to finding an XSS vulnerability is therefore to find an output function whose parameter is not filtered.
Part three: XSS classification
Reflected XSS (non-persistent): the attacker prepares the attack link in advance and has to trick the user into clicking it to trigger the XSS code (the page and its content do not exist on the server). It commonly appears on search pages.
Stored XSS (persistent): the code is saved on the server, for example by adding it to a profile or a published article. If the input is not filtered, or not filtered strictly, the code is stored on the server and executes every time a user visits the page. This kind of XSS is very dangerous and easily leads to worms and mass cookie theft. (There is also DOM-based XSS, but it is usually grouped with stored XSS.)
DOM-based XSS: a vulnerability based on the Document Object Model (DOM). The DOM is a platform- and language-independent interface that lets programs or scripts dynamically access and update a document's content, structure and style, and the result can become part of the displayed page. The DOM holds many objects, some of which are user-controlled, such as the URL, location and referrer. Client-side script can use the DOM to inspect and modify page content dynamically without submitting data to the server: the data is taken from the client-side DOM and executed locally. If the data taken from the DOM is not strictly validated, a DOM XSS vulnerability results.
Part four: XSS bypass methods (against code filters and a WAF)
One. Bypassing code filters
1. Case variation: <Script>alert('xss')</sCript>
2. Nested keywords, which survive a filter that removes a keyword in a single pass: oonnclick="alert('xss')
3. Encoding: javascript:alert('xss') with each character converted from ASCII to its escaped form, giving %6A%61.........%29
4. Encoding plus an http prefix: as above, then append //http://www.[address].com// after the encoded code to get past the check
5. Using an existing parameter: if the page has a parameter such as t_sort, inject &t_sortty:pe="text" onclick="alert('xss')
6. Adding a Referer header: capture the request and add a Referer request header carrying the payload, e.g. referer:type="text" onclick="alert('xss')
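As an added example (not code from the original post), the following PHP script replays the first three code-level bypasses above against a keyword blacklist and against the context-specific escaping a defender should use instead. The sink fragments and the helper names (blacklistFilter, escapeForHtml, safeUrl) are assumptions made for the demonstration, and str_contains needs PHP 8:

```php
<?php
// Added example, not code from the original post: each of the three code-level
// bypasses against (a) a keyword blacklist and (b) the context-specific
// defence. Inputs are the post's test statements, constructed here as plain
// strings; the sinks are hypothetical page fragments.
declare(strict_types=1);

// The weak filter: strip "script" and the handler prefix "on", case-sensitively,
// in a single pass, and treat the result as safe for any context.
function blacklistFilter(string $s): string
{
    return str_replace(['script', 'on'], '', $s);
}

// Defence for HTML body and quoted attribute sinks: entity-encode the five
// specials so the value is text, not markup.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence for an href sink: escaping is not enough, the scheme has to be
// allow-listed on the decoded value; anything else becomes a harmless link.
function safeUrl(string $s): string
{
    $decoded = rawurldecode(trim($s));
    $scheme  = strtolower((string) parse_url($decoded, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? escapeForHtml($decoded) : '#';
}

// "%6A%61...%29": percent-encode every byte, as in bypass 3.
function encodeEveryByte(string $s): string
{
    return implode('', array_map(fn(string $c): string => sprintf('%%%02X', ord($c)), str_split($s)));
}

// Sink checks: once the value is placed in the fragment, does it still break it?
function opensTag(string $v): bool   { return (bool) preg_match('/<\w/', $v); }          // <div>VALUE</div>
function breaksAttr(string $v): bool { return str_contains($v, '"'); }                    // value="VALUE"
function isJsScheme(string $v): bool { return stripos(ltrim(rawurldecode($v)), 'javascript:') === 0; } // href="VALUE"

$cases = [
    ['1 case variation, body sink <div>...</div>',   "<Script>alert('xss')</sCript>",            'opensTag',   'escapeForHtml'],
    ['2 nested keyword, attribute sink value="..."', "oonnclick=\"alert('xss')",                 'breaksAttr', 'escapeForHtml'],
    ['3 full encoding, href sink href="..."',        encodeEveryByte("javascript:alert('xss')"), 'isJsScheme', 'safeUrl'],
];

foreach ($cases as [$label, $raw, $check, $defence]) {
    $weak = blacklistFilter($raw);   // case 1 passes untouched, case 2 collapses to onclick=, case 3 has no keyword at all
    $good = $defence($raw);
    printf("%s\n  blacklist -> %-45s %s\n  %-9s -> %-45s %s\n",
        $label,
        $weak, $check($weak) ? 'STILL ACTIVE' : 'inert',
        $defence, $good, $check($good) ? 'STILL ACTIVE' : 'inert');
}
```

Run it with `php bypass_demo.php`: every blacklist line reports STILL ACTIVE, every defence line reports inert. The point of the third case is that htmlspecialchars() alone would not have helped an href sink either; the scheme allow-list is what neutralises javascript:, so the defence has to match the output context rather than the input.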
Two. Bypassing a WAF
1. Tag syntax substitution
2. Special-character interference
3. Changing the submission method
4. Overflowing with junk data
5. Encryption and decryption tricks
6. Combining with other vulnerabilities
Three. Automation tools
1. XSStrike
2. Multithreaded crawling
3. Context analysis
Part five: XSS defence methods
5.1 Preventing reflected XSS
A summary of XSS prevention methods in PHP (referenced from Segmentfault):
A. When PHP outputs HTML directly, filter with one of the following:
1. the htmlspecialchars function
2. the htmlentities function
3. the HTMLPurifier.auto.php library
4. a RemoveXss function
B. When PHP output goes into JS code, or when developing a JSON API, the front end must filter in JS:
1. Use innerText (IE) and textContent (Firefox), that is, jQuery's text(), to output text content wherever possible
2. If innerHTML or a similar function must be used, apply filtering equivalent to PHP's htmlspecialchars
C. Other general, complementary defences
1. When outputting HTML, add a Content Security Policy HTTP header
(effect: when the page is hit by XSS, it prevents third-party script files and the like from being embedded)
(drawback: IE and older browsers may not support it)
2. When setting a cookie, add the HttpOnly parameter
(effect: when the page is hit by XSS, the cookie cannot be stolen; compatible back to IE6)
(drawback: the site's own JS code cannot operate on the cookie, and the effect is limited to protecting the cookie)
3. When developing an API, check the Referer parameter of the request
(effect: prevents CSRF attacks to some extent)
(drawback: in IE and older browsers the Referer parameter can be forged)
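The three complementary measures in C, as an added PHP example that is not part of the original post. It assumes PHP 8, a placeholder site origin https://example.com, and a placeholder policy; the Referer check is paired with an Origin check and a per-session CSRF token, which the list above does not mention:

```php
<?php
// Added example, not code from the original post: CSP header, HttpOnly
// session cookie and a Referer/Origin check, as set up in a PHP entry script.
declare(strict_types=1);

const TRUSTED_ORIGIN = 'https://example.com'; // placeholder for the site's own origin

// 1. Content Security Policy. Only scripts from our own origin may run and
//    inline <script> blocks and event handlers are refused, so a payload that
//    slips past output escaping still does not execute. Must precede any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");

// 2. HttpOnly session cookie: document.cookie cannot read it, so XSS cannot
//    exfiltrate the session id. Secure and SameSite are the usual companions
//    (options-array form of the cookie parameters, PHP 7.3+).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
    'path'     => '/',
]);
session_start();

// 3. Referer check for state-changing requests. Origin is consulted first,
//    since browsers send it on cross-site POSTs; Referer is the fallback.
//    A request with neither header is rejected, which is the strict choice.
function requestIsSameSite(array $server, string $trusted): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null) {
        return $origin === $trusted;
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    return str_starts_with($referer, $trusted . '/');
}

// As the list above says, the Referer check only partly covers CSRF, so a
// per-session token is verified as well (constant-time comparison).
function csrfTokenIsValid(array $post, array $session): bool
{
    return isset($post['csrf'], $session['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!requestIsSameSite($_SERVER, TRUSTED_ORIGIN) || !csrfTokenIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('rejected');
    }
    // ... handle the API request here ...
}

// Issue the token that forms rendered by this page must send back.
$_SESSION['csrf'] ??= bin2hex(random_bytes(16));
```

The CSP line is deliberately strict: `script-src 'self'` without `'unsafe-inline'` is what makes an injected `onclick=` or inline `<script>` inert, but it also means the page's own inline scripts have to move into separate files served from the same origin.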
Here we pick the htmlentities() function to test.
htmlentities() converts characters to HTML entities.
Create Xss_htmlentities.php with the following code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>XSS</title>
</head>
<body>
<form action="" method="get">
<input type="text" name="input">
<input type="submit">
</form>
<br>
<?php
$XssReflex = $_GET['input'] ?? '';   # empty string on first load, so no undefined-index notice
# Only the variable $XssReflex is processed here: htmlentities() encodes the user input before it is echoed.
echo 'output:<br>' . htmlentities($XssReflex, ENT_QUOTES, 'UTF-8');
?>
</body>
</html>
Open localhost/codoaudit/xss/Xss_htmlentities.php in Firefox.
When we type in <script>alert('xss')</script>, no pop-up window appears on the page.
Looking at the page's HTML source shows that htmlentities() has escaped the < and > in the user input, so of course the malicious code cannot execute.
There are other filter functions; they work along the same lines and are easy to pick up, so interested readers can try them out themselves.
5.2 Preventing stored XSS
Stored XSS filters the user's input in the same way as reflected XSS; here we use the htmlspecialchars() function to demonstrate:
htmlspecialchars(): converts the predefined characters (&, ", ', < and >) to HTML entities.
The difference between htmlspecialchars and htmlentities:
htmlspecialchars escapes only the five characters & " ' < > that carry meaning in HTML (the single quote only when ENT_QUOTES is passed, which is the default from PHP 8.1 on),
whereas htmlentities converts every character that has a named HTML entity equivalent; when the charset it is given does not match the input encoding, it cannot recognise multibyte text such as Chinese and converts that too, mangling it.
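An added example, not code from the original post, that runs one constructed string through both functions with explicit flags and then shows the two output contexts the HTML escaping functions do not cover on their own (a quoted attribute and a <script> block). The helper names escHtml, escHtmlAll and jsLiteral are mine, and the script assumes PHP 7 or later:

```php
<?php
// Added example, not code from the original post: htmlspecialchars() versus
// htmlentities() on the same input, the charset pitfall, and the JS context.
declare(strict_types=1);

// Before PHP 8.1 the default flags were ENT_COMPAT (single quote untouched);
// from 8.1 on they are ENT_QUOTES | ENT_SUBSTITUTE. Passing them explicitly
// makes the escaping identical on every version.
const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

function escHtml(string $s): string
{
    // Only the five predefined characters & " ' < > become entities.
    // Suitable for an HTML body and, because of ENT_QUOTES, for a quoted attribute.
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

function escHtmlAll(string $s): string
{
    // Every character with a named entity becomes one (the accented e, for
    // instance); characters without one, such as CJK text, are left as they are.
    return htmlentities($s, HTML_FLAGS, 'UTF-8');
}

function jsLiteral(string $s): string
{
    // For a value placed inside a <script> block. HTML escaping is the wrong
    // tool there; a JSON string literal with the HEX flags contains no raw
    // < > & ' " at all, so it can neither close the script tag nor the string.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// Constructed input covering the five specials, an accented letter and Chinese.
$input = "Tom & Jerry <b>\"hi\"</b> 'q' caf\u{E9} \u{4E2D}\u{6587}";

echo "htmlspecialchars: ", escHtml($input), "\n";
echo "htmlentities:     ", escHtmlAll($input), "\n";
// Wrong charset: each UTF-8 byte is read as a Latin-1 character and turned into
// an entity, which is how multibyte text gets mangled by htmlentities().
echo "wrong charset:    ", htmlentities($input, HTML_FLAGS, 'ISO-8859-1'), "\n";

// Two sinks that need more than the body-context escaping.
$name = "</script><script>alert('xss')</script>";
echo '<input value="', escHtml($name), "\">\n";          // quoted attribute: ENT_QUOTES keeps it closed
echo '<script>var user = ', jsLiteral($name), ";</script>\n"; // script block: JSON literal, not HTML entities
```

Run it with `php escape_demo.php` and compare the three lines: the first two differ only on the accented letter, the third shows the mojibake entities that appear when the charset argument is wrong, and the last two show why the value that goes into a script block is passed through jsLiteral() rather than htmlspecialchars().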
Create Xss_htmlspecialchars_Storage.php with the following code:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>XssStorage</title>
</head>
<body>
<h2>Message Board</h2>
<br>
<form action="Xss_htmlspecialchars_Storage.php" method="post">
Message:<textarea id='Mid' name="desc"></textarea>
<br>
<br>
Subuser:<input type="text" name="user"/><br>
<br>
<input type="submit" value="submit"/>
</form>
<?php
if(isset($_POST['user']) && isset($_POST['desc'])){
    $log = fopen("sqlStorage.txt", "a");
    fwrite($log, htmlspecialchars($_POST['user'], ENT_QUOTES, 'UTF-8') . "\r\n"); # the user input $_POST['user'] is filtered here, before it is stored
    fwrite($log, htmlspecialchars($_POST['desc'], ENT_QUOTES, 'UTF-8') . "\r\n"); # the user input $_POST['desc'] is filtered here, before it is stored
    fclose($log);
}
if(file_exists("sqlStorage.txt"))
{
    $read = fopen("sqlStorage.txt", 'r');
    while(!feof($read))
    {
        echo fgets($read) . "<br>";   # the stored lines are already escaped, so they are echoed as text
    }
    fclose($read);
}
?>
</body>
</html>
Open localhost/codoaudit/xss/Xss_htmlspecialchars_Storage.php in Firefox.
When we enter <script>alert('xss')</script> in Message, no pop-up window appears on the page.
Looking at the page's HTML source shows that htmlspecialchars() has escaped the < and > in the user input.
Part of this article is reprinted; original address: https://www.jianshu.com/p/4fcb4b411a66