Zhangxiaobai's road of penetration (IV) -- detailed explanation of XSS cross site script vulnerabilities
2022-06-25 12:32:00 【Litbai_ zhang】
XSS brief introduction
XSS, also called CSS (Cross Site Script), is a cross-site scripting attack. It means that the attacker embeds client-side script in a web page, usually malicious code written in JavaScript; when a user browses the page with the embedded malicious code, that code is executed in the user's browser.
As can be seen from the above, XSS is a client-side attack and the victim is the end user. Note that the webmaster is also one of the users, which means XSS can also be used to attack the "server side": because administrators have far more permissions than ordinary users (they can usually manage the website's files, the database and so on), the attacker may use the administrator as a "springboard" for further attacks.
XSS Principle analysis
An XSS attack embeds malicious client-side script code (usually written in JavaScript) in a web page.
It is worth mentioning
JavaScript can be used to read the user's Cookie, change the content of the page and redirect the URL, so on a website with an XSS vulnerability it is possible to steal users' cookies, deface the page and redirect to a malicious website; all the attacker has to do is inject JavaScript code into the web page.
To put it simply
Wherever there is an input field that gets submitted, script code (for example: <script>alert(document.cookie)</script>) can be embedded to carry out an XSS attack.
Types of XSS
XSS is mainly divided into three categories: reflected, stored and DOM-based.
Reflected XSS
Reflected XSS, also known as non-persistent XSS, is one of the most common XSS vulnerabilities today.
Principle
When a user requests a URL that carries XSS code, the server accepts the request data and processes it, then sends the data containing the XSS code back to the browser; after the browser parses this data, the XSS vulnerability is triggered. The process is like a reflection, hence the name reflected XSS.
To put it simply
Enter JS code in the input box and click the submit button; the server reflects it back in the response and the browser executes the JS code.
Here is an example to illustrate
Experimental environment: DVWA, reflected XSS
Enter the JS attack code <script>alert(document.cookie)</script>
Click submit
Stored XSS
Stored XSS, also known as persistent XSS, is the most dangerous kind of cross-site scripting. It is more covert than reflected and DOM-based XSS: both reflected and DOM-based XSS need to be triggered manually, whereas stored XSS does not.
Principle
Any web application that lets users store data may have a stored XSS vulnerability. When an attacker submits a piece of XSS code, it is accepted by the server and stored; when the page is visited again, the XSS code is read by the program and returned to the browser, causing a cross-site scripting attack. This is stored XSS.
Here is an example to illustrate stored XSS
When testing for XSS, first determine the input point and the output point. For example, if we want to test the message content for an XSS vulnerability, the first thing to do is to find where the message is output (displayed): inside a tag, inside a tag attribute, or somewhere else. If the output data lands inside an attribute, the XSS code will not be executed.
<input type="text" name="content" value="<script>alert(document.cookie)</script>"/>
Because the XSS code appears in the value attribute, it is treated as a value, and when the browser finally parses the HTML the data is output as text in the web page.
Once the output point is known, you can construct HTML code to close the corresponding tag.
In DVWA reflected XSS, we enter the JS code, click submit and refresh the page
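As an added example (not code from the original post), the following Node.js snippet takes the post's sample payload and renders it into both output points discussed above: the value attribute of the input tag, and plain element content as in the reflected echo. A small quote-aware tag scanner shows which rendering lets the value become markup and how escaping prevents it; the function names and the <p class="message"> element are assumptions.

```javascript
// Added example, not code from the original post: context-aware HTML escaping
// for a value that is reflected from a request or read back from storage.
// Function names and the <p class="message"> element are assumptions.
// Escape the five characters that can change HTML structure: < and > start a
// tag in element content, quotes end an attribute value, & starts an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}
// Vulnerable output points: the raw value goes into an attribute (the tag shown
// in the post) or into element content (a message echoed back to the user).
function renderInputUnsafe(content) {
  return '<input type="text" name="content" value="' + content + '"/>';
}
function renderMessageUnsafe(content) {
  return '<p class="message">' + content + '</p>';
}
// Hardened versions: same output points, but the value is escaped first.
function renderInputSafe(content) { return renderInputUnsafe(escapeHtml(content)); }
function renderMessageSafe(content) { return renderMessageUnsafe(escapeHtml(content)); }

// Quote-aware scanner listing the tags a browser would actually see. Text inside
// a quoted attribute value is skipped, so markup that lands inside value="..."
// is, as the post explains, treated as data rather than as a tag.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    while (j < html.length && /[A-Za-z\/]/.test(html[j])) j++;
    names.push(html.slice(i + 1, j));          // e.g. 'script' or '/script'
    let quote = null;
    for (; j < html.length; j++) {             // skip to the end of this tag
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
    }
    i = j + 1;
  }
  return names;
}
// Constructed sample input: the payload used in the post.
const payload = '<script>alert(document.cookie)</script>';
console.log(tagNames(renderInputUnsafe(payload)));   // [ 'input' ]
console.log(tagNames(renderMessageUnsafe(payload))); // [ 'p', 'script', '/script', '/p' ]
console.log(tagNames(renderMessageSafe(payload)));   // [ 'p', '/p' ]
```

The first line of output confirms the post's point that a payload sitting inside value="..." is only data, while the second shows the same payload becoming a real script element when echoed into element content; escaping makes both output points safe.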
DOM-based XSS
DOM stands for Document Object Model. Using the DOM, programs and scripts can dynamically access and update the content, structure and style of a document.
Less harmful
The blogger doesn't understand it yet, let alone explain it ==