Conversion of xss vulnerabilities

The SQL injection event is already the most troublesome attack method in the last century. The HTML injection vulnerability has emerged in the 21st century. With the rapid development of the web, the XSS vulnerability cannot be ignored, A Brief Introduction to the XSS vulnerability is caused by an XSS vulnerability where the user inputs it. For example, when posting a post, add a script to it.1. HTML tag injection:Html code <script> alert ('Hello World! ') </Script> it is very easy to use alert to output a Hello World text. If such a statement appears in the post content, the browser will execute the script: many websites filter user input to avoid XSS attacks. The most common is to convert <> to <and> ;, after conversion <> although it can be correctly displayed on the page, it cannot constitute a code statement. This seems thorough, because once <> converted, what <script src = 1.js> </script> will be converted to "& lt; script src = 1.js& gt; & lt; /script & gt; ", cannot be executed. Therefore, many people think that as long as the user's input does not constitute <>, the front and back labels cannot be closed, and the statements are certainly not harmful. However, everything is always possible. As long as there are certain conditions, we can construct encoded statements for XSS. I will mention hexadecimal, octal conversion, and hybrid conversion later.2. HTML property InjectionSo the programmer tried to block this vulnerability and filtered out the <script> </script> tag, so the JavaScript code will not be executed on the page, the hacker tried to inject html without the <script> tag. What happened? Yes: under normal circumstances, the src tag of img is an image URL pointing to a web server, but it can also be replaced: In this way, hackers bypass the filtering by programmers and successfully execute the XSS attack on programmers. Likewise, hackers filter the src attributes of user input, filter out the keywords starting with javascript and block the XSS temporarily.3. ASCII 10 hexadecimal conversion continues XSSJavascript: alert ("Hello world! ") Can be replaced by HTML 10-encoded ASCII: Format: & # (ASCII10-encoded); & #106; & #97; & #118; & #97; & #115; & #99; & #114; & #105; & #112; & #116;: alert ("Hello world! ") The img tag is changed to: ASCII 10 hexadecimal conversion, also suitable for HTML Tag injection: for example, put <script> alert (" Hello world "); </script> the label is converted to a 10-digit ASCII escape character: & #60 & #115 & #99 & #114 & #105 & #112 & #116 & #62 & #97 & #108 & #101 & #114 & #116 & #40 & #34 & #72 & #101 & #108 & #108 & #111 & #32 & #119 & #111 & #114 & #108 & #100 &# 34 & #41 & #59 & #60 & #47 & #115 & #99 & #114 & #105 & #112 & #116 & #62 "; next, use URL encoding to get: % 3C % 73% 63% 72% 69% 70% 3E % 74% 6C % 61% 65% 72% 74% 28% 22% 6C % 6C % 6F % 48% 6F % 65% 6C % 20% 77% 72% 3B % 3C % 2F % 73% 63% 72% 69% 70% 3E is then placed in the parameter: http://www.test.com/a=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%48%65%6C%6C%6F%20%77%6F%72%6C%64%22%29%3B%3C%2F%73%63%72%69%70%74%3E Then the programmer uses JSP to get the parameter www.2cto.com <% string str_a = rrequest. getParameter ("a"); %> var a = <% = str_a %> document. write (a); also causes XSS vulnerability 4. ASCII hexadecimal conversion format: & # x (ASCII16 hexadecimal encoding); it is the same as the 10-in-hexadecimal ASCII escape, but it is represented by a conversion rule.5. ASCII octal ConversionIn fact, there is another form of hexadecimal representation, which is similar to the octal format: \ x (ASCII hexadecimal encoding) Format: \ (ASCII octal encoding) for example: <script> alert ("Hello world! "); </Script> convert to hexadecimal: \ x3C \ x73 \ x63 \ x72 \ x69 \ x74 \ x74 \ x3E \ x61 \ x6C \ x65 \ x72 \ x74 \ x28 \ x22 \ x48 \ x65 \ x6C \ x6C \ x6F \ x20 \ x77 \ x6F \ x72 \ x6C \ x64 \ x21 \ x22 \ x29 \ x3B \ x3C \ x2F \ x73 \ x63 \ x72 \ x69 \ cross 7 \ x74 \ x3E octal is remove the x after, the numeric value can be converted to an octal value, so I am too lazy to convert it. If you are interested, try injecting it into HTML in the form of URL parameters or HTML attributes, XSS vulnerabilities6. Mixed conversion of octal, decimal, and hexadecimalThe same principle is true, but the numbers in a piece of code are mixed, freely constructed, and many combinations are made.7. Add obfuscation charactersThe purpose of this operation is to bypass the filtering of the programmer's code, and add some obfuscation escape characters. In the system control characters, except the header's & #00 (null) and the tail's (del) the other 31 characters can be mixed characters. For example, and other characters can be inserted to the header of javascript or vbscript. the Tab, line break, and carriage return can also be inserted to any place in the code, of course, it also includes a mix of uppercase and lowercase letters. Here I have excerpted some examples on the Internet: Example 1: '/insert to the Code header, which can be written as. Example 2: '/insert to any position in the code, which can be written as Example 3: '/is the hexadecimal format of the carriage return. Example 4: '/is the hexadecimal form of line breaks. These are common examples. They have many combinations and are varied. If you are interested, you can study them yourself :)