Misunderstandings about XSS attacks, explained

Source: Internet
Author: User

[Theoretical explanation]
0x00 What is an XSS attack?




0x01 Misunderstandings
Misunderstanding 1: XSS is not a special kind of "bypass" of restrictions.
A simple example: a door guarded by layer upon layer of defenses, with countless thorns in front of it. How do you get through it in one move? At that point you have to realize that going through that door is impossible.
In fact, next to the heavily guarded main door there are plenty of small doors you can go through, some of which you can simply walk in through without any trick at all. Why not use them?
XSS is fundamentally a matter of defense, and that defense is not only filtering. So we should not pin too much hope on the programmer's filtering logic being wrong; we should pin it on the programmer having "forgotten to filter".
Misunderstanding 2: XSS does not only exist where you can see it
When looking for XSS, most newcomers enter XSS code into some comment box and then check whether the page pops up an alert. This method is not useless, but with it alone it is very hard to "touch" an XSS at all, so many newcomers come to believe that XSS is very hard to find.
There are several reasons:
A) The locations you can think of, such as the comment box and profile fields, can also be thought of by a programmer with a little security awareness, so they are usually filtered.
B) The information you fill in is not always output to the page in the form of HTML tags. So sometimes there is nothing wrong with what you entered; it simply is not being output where you can see it.
There are two kinds of invisibility:
A) The input is invisible.
We recommend using packet-capture software when submitting a request, and then testing the request parameters one by one.
B) The output is invisible.
We recommend using the same packet-capture software to capture the returned data and searching it for the data you entered, to locate the invisible output. In Chrome you can search across [Resources] in the browser's developer tools.
Misunderstanding 3: Bypassing XSS restrictions is not about throwing characters at the target; do not work blindly
When someone sees their input come back as <a href="xxxx\u0022"> and asks around "why \u0022?", that is a blind attempt at bypassing.
In the early stage of a test, if we do not want to read the other side's code logic, we can take a "blind" approach (test with various special characters); this saves a lot of time. However, once we can determine where the data is output, for example the xxxx above, we already know that the output lands between href=" and ", and we can no longer "bypass" blindly; we must be targeted. This mainly concerns the following points:
A) Whether the output point is direct (server-side) output or DOM output.
Put simply:
the former can be found by right-clicking and viewing the page source;
the latter cannot be found in the page source.
B) Whether the output point is inside an HTML tag, a script, or a style.
HTML tags are divided into:
between HTML tags: <div> content here </div>
inside HTML attributes
inside HTML event handlers
script/style tags
Construct and close based on the output point to ensure the resulting syntax is correct.
C) DOM output points, which require some JavaScript foundation:
C.1) locate the JS code segment that outputs the content;
C.2) check whether that code segment has a filtering problem;
C.3) if so, develop bypass rules.
D) Which filtering rules are applied at the output point?
D.1) Building on B): which characters need to be filtered at each kind of output point? If no characters are filtered, how can the point be used?
D.2) Test characters one by one to see which are filtered at the target output point.
D.3) Test some server-side conversion logic. For example, some servers first convert &quot; to ".
D.4) Determine whether it can be bypassed; if it cannot, give up as soon as possible.
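An added example (not from the original article) showing the defender's side of points B) and D): the same untrusted value needs a different encoding in each output context, and HTML entity encoding alone is not enough inside an event handler, because the browser decodes entities before the handler is parsed as JavaScript. The encoders, the decoder that simulates that browser step, the `show()` handler name and the payload are all constructed for this demo.

```javascript
// Context-aware output encoding for the output points under B).
// Hand-written encoders for illustration only; use a maintained
// templating/encoding library in production.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const ENTITY_TO_CHAR = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'" };

// Context: between HTML tags, or inside a quoted HTML attribute value.
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Context: inside a JavaScript string literal (script body or event handler).
// Every non-alphanumeric character becomes \uXXXX, so a quote can no longer
// terminate the literal (a double quote becomes \u0022, as in the href example above).
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Browsers entity-decode an attribute value BEFORE an event handler is parsed
// as JavaScript. This decoder simulates that step (constructed for the demo).
function decodeEntities(s) {
  return s.replace(/&(?:amp|lt|gt|quot|#x27);/g, m => ENTITY_TO_CHAR[m]);
}

// Constructed untrusted input that tries to break out of a JS string literal.
const PAYLOAD = "x');alert(1);//";

// WRONG context handling: HTML entity encoding alone inside an event handler.
function handlerWithHtmlEncoding(input) {
  return `<a onclick="show('${encodeHtml(input)}')">go</a>`;
}

// RIGHT: encode for the inner (JS string) context first, then for the outer
// (HTML attribute) context, matching the order in which the browser decodes.
function handlerWithLayeredEncoding(input) {
  return `<a onclick="show('${encodeHtml(encodeJsString(input))}')">go</a>`;
}

// The handler body as the JS engine receives it, after attribute decoding.
function handlerBodyAsSeenByJs(markup) {
  return decodeEntities(markup.match(/onclick="([^"]*)"/)[1]);
}

// True only if the decoded handler is still one call with one intact string literal.
function literalIsIntact(jsBody) {
  return /^show\('[^']*'\)$/.test(jsBody);
}

console.log(literalIsIntact(handlerBodyAsSeenByJs(handlerWithHtmlEncoding(PAYLOAD))));    // false
console.log(literalIsIntact(handlerBodyAsSeenByJs(handlerWithLayeredEncoding(PAYLOAD)))); // true
```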
0x03 Summary
In short, you must first understand how to defend before you can understand how to bypass, instead of working blindly.
Among the points above, the B + D rules are basically dead ends; only occasionally can some problem in the server-side filtering logic be bypassed, especially when the server uses a blacklist. C is more flexible, and what people call a "bypass" usually refers to such cases.