Hacker writes JS in this way.

Note * XSS attacks are Cross Site Scripting. JS code is usually injected into the Url of the webpage link to achieve the attack method. Many large companies have made some moves, such as Twitter, Sina Weibo, and sample code: http://www.demo.cn // = <script> alert (document. cookie) </script> In fact, this Code cannot be executed in all browsers, but only a part of browsers (such as IE6) are available to achieve the attack effect. At present, many websites have the function of automatically filtering XSS code. This article introduces some methods to block XSS filters. In fact, we can find that, most of the XSS filters executed on the front end are insecure, which is of some reference to prevent XSS attacks.

Introduction

I like to use JavaScript in an unexpected way and write code that looks strange but actually works. These code can often execute unexpected functions. This sounds a little insignificant, but based on this discovery, it is enough to summarize some very useful programming skills. Each of the following tips can block XSS filters, which is the original intention of writing these codes. However, learning such JavaScript code can significantly enhance your understanding of the language itself, help you better process input, and improve the security of Web applications.

Let's take a look at these amazing JavaScript code!

Replace executable code with regular expressions

When a regular expression with replace is used, the second parameter supports function assignment. In Opera, you can use this parameter to execute code. For example, the following code snippet:

'XSS'.replace(/XSS/g,alert)

The result of this execution will be equivalent to: alert ('xss'); the reason for this is that the matching item of the regular expression is treated as a parameter and passed to the alert function. In general, you will use one function to call another piece of code in matching text, like this:

'somestring'.replace(/some/,function($1){    //do something with some })

However, as shown in the first example, we executed a local alert call, instead of a user-defined function, and the parameters were passed to the local call by a regular expression. This is a cool technique to block some XSS filters. For example, first write a string and then click "Mao" to call any function you want to call.

Let's take a look at how this is used in the XSS environment. Imagine: We have unfiltered attack code in the string, which may be a JavaScript event or a script tag, that is, an injection is displayed in this string. First, we inject an effective function alert (1), then we break through the limit of this quotation mark, and finally write our regular expression.

.replace(/.+/,eval)//

Note that I use the eval function here to execute any code I want to execute and the regular expression must match all items in order to pass the attack code to eval.

If I put all the Code together to display the output of this page, it will be easier to understand this process:

Page output:

<script>somevariableUnfiltered="YOUR INPUT"</script>

The above code is very common in analysis scripts. All the strings you search online are stored in such analysis scripts by some advertising companies. You may not have noticed these scripts, But if you observe the source of a Web page, you will find that this occurs frequently. In addition, forums often use these scripts. "Your input" is the string you control. If the input is not properly filtered, it is also called DOM-based XSS injection. (Note: DOM, which expresses HTML documents as a tree structure, usually an HTML structure)

 

Input:

alert(1)".replace(/.+/,eval)//

Output result:

<script>somevariableUnfiltered="alert(1)".replace(/.+/,eval)//"</script>

Note that "//" is used to clear the single line comment referenced later.

Unicode escape

Although it is unlikely to use parentheses to escape Unicode characters, we can escape the name of the function being called. For example:

\u0061\u006c\u0065\u0072\u0074(1)

This Code calls alert (1); \ utable indicates that this is an escape character, and the hexadecimal number after \ u0061 is "".

In addition, regular characters can be mixed or matched with escape characters. The following example shows this:

\u0061lert(1)

You can also include them in strings or even evaluate them with eval. Unicode conversion differs from conventional hexadecimal or octal escape, because Unicode escape can be contained in a string or referenced in a function, variable, or object.

The following example shows how to use Unicode escape that is evaluated and divided into two parts.

eval('\\u'+'0061'+'lert(1)')

By avoiding regular functions like alert, we can fool the XSS filter to inject our code. This example is used to bypass PHPIDS (an open-source IDS system) and eventually make the rules more robust. To analyze the malicious code that may run, you need to consider filtering as many encoding methods as possible when decoding JavaScript. As shown in this example, this is not an easy task.

JavaScript parser Engine

JavaScript is a very dynamic language. A large amount of code can be executed. The Code does not seem to be executed at first glance. However, once you understand the working principle of the parser, You can gradually understand the logic behind it.

JavaScript does not know the function result before executing the function, and obviously it must return the type of the variable by calling the function. This is interesting. For example, if the returned function cannot return a valid value of the code block, a syntax error occurs after the function is executed.

What exactly does it mean? Okay! The code is always more convincing than empty talk. Let's look at the example below:

+alert(1)--

After the alert function is executed, an undefined amount is returned. However, it is a bit too late and a syntax error occurs immediately, because the operand of the auto-subtraction operator should be a number.

The following are examples that do not produce errors:

+alert(1) 1/alert(1) alert(1)>>>/abc/

You may think the above examples are meaningless, but they actually reflect the JavaScript process. Once you understand these details, the big JavaScript guy will become clear. Understanding how code is executed can help you understand how the parser works. I think this type of example is used to track syntax errors and detect DOM-based XSS.

It is useful when attacking and detecting XSS filters.

 

Throw, Delete what else?

You can delete objects in unexpected ways, which produces some odd syntax. Let's see what happens when the throw, delete, not, And typeof operators are combined?

throwdelete~typeof~alert(1)

You may think that this Code cannot be run, but you can still execute it by calling the delete function:

deletealert(1)

Here are more examples:

delete~[a=alert]/deletea(1)delete[a=alert],deletea(1)

At first glance, you will think that such code has a syntax error, but after careful analysis, you think there will be some truth. The parser first finds the variable assignment in an array, and then deletes the array after performing the assignment operation. Similarly, the delete operation is called after a function (note * [a = alert]), because the delete operation must know the function execution result before deleting the returned object, even if NULL is returned.

At the same time, these codes can be used to block XSS filters because they often try to match valid syntaxes and do not want the code to be too obscure. When your application performs data verification, consider this example.

Declare Global Objects

In specific instances that shield XSS filters, attack code is often hidden in a variable similar to English text. SMART systems, such as PHPIDS, can use syntax analysis to compare and determine whether an access request is a malicious attack. This is a useful way to test these systems.

A code block similar to English can be generated only when a global object or function is used. In fact, on the sla. ckers Security Forum, we can play a small game to generate sentences similar to English in the form of JavaScript. For more information, see the following example:

stop, open, print && alert(1)

I wrote a name called Javascriptlish, because it can generate some seemingly incredible code:

javascript : /is/^{ a : ' weird ' }[' & wonderful ']/" language " the_fun: ['never '] + stop['s']

We use the regular expression/is/to keep up with the operator ^, and then create an object {a: 'weird'} (with a property and a value of weird ). Search for the '& wonderful' attribute in the object we just created. This attribute is then separated by a string of characters.

Next we will use an identifier named the_fun and an array with never, and use a global function named stop to check the attributes of s.... All these are correct syntax.

Getters/Setters Function

When custom syntax for setters is added to Firefox, some interesting XSS injection without circular arc is blocked. Opera does not yet support custom syntaxes-this is an advantage for security, but it is not a good news for JavaScript hackers. However, Opera supports the standard defineSetter syntax. This allows us to call functions by assigning values, which also blocks XSS filters.

defineSetter('x',alert);x=1;

If you do not know setters/getters, the above example creates a set-value function for the global variable x. When a variable is set, the setvalue function is called. The second alert parameter is the function call value. In this way, when x is assigned to 1, the alert function is called and 1 is used as the parameter.

Location allows url Encoding

 

The location object allows the url to be encoded in JavaScript. This allows you to further mask XSS injection through dual encoding.

location='javascript：%61%6c%65%72%74%28%31%29'

Combining them with escape characters can effectively hide strings.

location='javascript：%5c%75%30%30%36%31%5c%75%30%30%36%63%5c %75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)'

The first example is feasible because the address bar of Opera can recognize the encoded address string. By using URL encoding, you can hide JavaScript code. This is useful, especially when XSS attack code is passed, we can perform dual URL encoding to further block filtering.

The second example combines the first example using the Escape Character technique. Therefore, when you decode the string, the alert function is displayed as follows:

\u0061\u006c\u0065\u0072\u0074

Note * the ASCII code of a is 0x61.