2025-02-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Introduction to XSS vulnerabilities:
Cross-Site Scripting, abbreviated as XSS (also called cross-site script attack), is an attack technique against websites and web applications and a form of code injection. It lets a malicious user inject script code into a web page so that the code runs in the browsers of other users who view that page.
XSS attacks are divided into three types: reflected, stored, and DOM-based.
The principle and exploitation of XSS vulnerabilities:
Reflected XSS
Reflected XSS, also called non-persistent XSS, is one-off: the payload is triggered only by the request that carries it.
Attack mode: the attacker sends the victim a malicious link containing XSS code. When the victim opens the link, the server receives and processes the victim's request and sends the data containing the XSS code back to the victim's browser; the browser parses the malicious script, which triggers the XSS vulnerability and completes the attack.
Exploitation
We use DVWA to demonstrate basic XSS exploitation.
Enter a script payload that calls alert(/xss/) in the input box and click Submit; the alert box pops up.
Stored XSS
Stored XSS, also called persistent XSS: the malicious script is permanently stored in the server's database or in a file.
Attack mode: most common on forums, blogs and website message boards. While posting or leaving a message, the attacker injects a malicious XSS script into the content together with the normal information. Because posts and messages are stored by the server, the malicious script is saved on the server too, and it executes in the browser of every other user who views the post or message.
Exploitation
Enter a script payload that calls alert(/xss/) in the message box and click Sign; the xss alert pops up.
Now view the page source code.
You can see that our malicious code has been saved on the server.
DOM-based XSS
DOM stands for Document Object Model; through the DOM, programs and scripts can dynamically access and update the content, structure and style of a document.
DOM XSS is a special kind of reflected XSS that arises from how the page's own script handles the DOM.
Attack mode: the user requests a specially crafted link, supplied by the attacker, that contains malicious XSS code. The server's response does not contain the attacker's script in any form; when the victim's browser processes the response, the page's DOM-manipulating code handles the malicious input and executes it.
Exploitation
In the DOM XSS example shown in the figure, clicking Replace makes the text entered in the input box replace the text "The input will be displayed here".
We enter the payload in the input box.
Click Replace to trigger the XSS.
Here is the source code of the DOM XSS vulnerability (the site's filter replaced the sink property name with [xss_clean]; innerHTML is assumed from the behaviour described above, and the Test button is the one the text calls Replace):

```html
<input type="text" id="dom_input">
<button onclick="tihuan()">Test</button>
<script>
function tihuan() {
    // Sink: user-controlled text is written as HTML, so tags and event
    // handlers in the input are parsed and executed by the browser.
    document.getElementById("id1").innerHTML = document.getElementById("dom_input").value;
}
</script>
<div id="id1">The input will be displayed here.</div>
```
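The defensive side of all three cases above is the same: untrusted data must be encoded for the context it is written into, or written through an API that never parses it as markup. The following is an added example, not code from the article or from DVWA; escapeHtml, renderPost and tihuanSafe are names chosen here, and the sample strings are constructed.

```javascript
// Encode the five characters that let data break out of an HTML text or
// quoted-attribute context. This neutralises the article's alert(/xss/)
// payload when it is reflected or stored and later rendered into a page.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Server-side rendering of a message-board post (the stored XSS scenario).
// Both fields pass through escapeHtml, so stored markup is displayed as
// text instead of being executed by the next visitor's browser.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// DOM-side fix for the article's tihuan(): assign to textContent instead of
// innerHTML, so the browser treats the value as plain text. `el` is any
// element; for offline testing a plain object with a textContent property
// works the same way.
function tihuanSafe(el, value) {
  el.textContent = value; // innerHTML here would parse tags and handlers
  return el.textContent;
}

// Constructed samples: the article's test payload and benign text that
// happens to contain markup characters (it must survive readably).
const SAMPLES = [
  "<script>alert(/xss/)</script>",
  'Hello <b>world</b> & "friends"',
];

// True only if no raw '<' or '>' survives encoding, i.e. no sample can
// start or close a tag after it has been rendered.
function allInert(samples) {
  return samples.every((s) => !/[<>]/.test(escapeHtml(s)));
}
```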