Common Techniques for XSS

Basically what you do after discovering an XSS vulnerability is this:

1. Forgery request using $_request or $_get
First we have to find the site using the program is not found on the Internet source, if you can find the source code, then analyze the background administrator to change the password or add the Administrator's page, and then analyze whether the administrator is using the $_request receive parameters, if so, we use the XSS vulnerability to construct a request , such as HTML code can be used in the front desk message, then we embed an IMG element:

When an administrator logs on to the admin background and sees the page containing IMG, it forges a request to add a background administrator, and the request is sent by the administrator, so a new administrator is added smoothly.

If you are a visual text editor, you can try using input:

Http://www.123.com/xxx.jpg "onload=" window.open ('/admin/admin_add.asp?name=xxx&psd=yyy ')

This will eventually construct the following:



In short, to extrapolate.


2. Forgery request using $_post

The first method is invalid when the background receives a variable that adds an administrator or changes the admin password, and we do not, depending on the situation, if we do not filter the <SCRIPT&GT, we can forge the request by means of Ajax, such as: $_post

<sc/*xss*/ript type= "Text/javascript" >

var aj = new ActiveXObject ("MSXML2. xmlhttp.3.0 ");

Aj.open ("POST", "/admin/admin_add.asp", false);

var postdata = ' name=xxx&psd=yyy ';

Aj.setrequestheader ("Content-type", "application/x-www-form-urlencoded");

Aj.send (PostData);

</scr/*xss*/ipt>

/*xss*/is an HTML comment that bypasses simple filtering of script code blocks.


3. Cross-site forgery requests using $_get or $_request


Similar to the first way to forge a request, but the first forgery request is made using an XSS vulnerability in the station, and cross-site forgery is initiated outside the station, for example, I put such a picture on the homepage of my blog



Then I ran to Dvbbs on the post, "seduce" the webmaster of the Network forum to my blog, if the Network forum administrator has logged into his management background, and then use the shared process browser (currently based on the IE kernel myie, Maxton and so on and Firefox are all shared processes) to visit my blog, then his backstage will be added to a user.



4. Cross-site forgery request using $_post (0day)

If the intrusion target management background uses the $_post way to accept variables, then we can not cross-station in our site using Ajax post way to submit data in the past, because Ajax is not cross-domain.


But we can put a form on our website, fill in the good data, form action is to exploit the vulnerable page, and then when someone opens the page, we use JS control the form for Submit,ajax although not cross-domain, But submitting a form to an address outside the domain is always possible.


In short, the 3rd, 4 methods of success is smaller, because we have to find a way to let the administrator already logged in to their own background, using the shared session browser to access our bogus request page, there is a little social engineering technical content

Common Techniques for XSS