Analysis of XSS (Cross Site Script) vulnerability principles

Recently, some people frequently show off in their blogs that they have hacked XX portal websites and discovered the vulnerabilities on XX websites. They have to charge fees for discovering the vulnerabilities, it's all about the alert message box, but it simply triggers XSS, which is hard to handle. So I wrote this article to explain my understanding of the principles of cross-site scripting.

If you do not know what XSS is, let me help you explain that XSS stands for Cross Site Scripting, meaning Cross-Site Scripting. the first word is Cross. Why is it abbreviated as X? Because CSS is the abbreviation of Cascading Style Sheet, and Cross is pronounced similar to X, it is abbreviated as XSS to avoid confusion. In fact, I think it is quite appropriate to call XSS, because AJAX is now popular. Many new cross-site scripting techniques are not compatible with XMLHTTP controls, let's only talk about the principle. Next I will analyze the XSS principle in two parts:

I. XSS trigger conditions

To understand the XSS trigger conditions, you must first start with HTML (Hypertext Markup Language). All the web pages we browse are created based on hypertext markup language, such as displaying a hyperlink:

<A href = "it168/> http://safe.it168.com"> IT168 Security Channel </A>

The XSS principle is to inject scripts into HTML. HTML specifies the script tag <script> </script>. when no characters are filtered, you only need to keep the complete and error-free script tag to trigger XSS. If we submit content in a data form, the content of a form submission is the value assigned by a tag attribute. We can construct the following values to close and tag to construct a complete script tag without errors,

"> <Script> alert (XSS); </script> <"

The result is A mark such as <a href = ""> <script> alert (XSS); </script> <"> here, the blog of eggplant Bao </A>, :) This is very similar to SQL injection!

The mark where the test close and form assignment are located. A complete and error-free script mark can trigger XSS, but no script mark. How can I trigger XSS? We have to use other tags. If we want to display an image on a webpage, we need to use a tag, for example:

The img mark does not really add an image to an Html document to combine the two into one. Instead, it assigns a value through the src attribute. The browser's task is to interpret the img mark, access the URL address in the value assigned by the src attribute, and output the image. Question! Will the browser check the value assigned by the src attribute? Answer! So we can make a big fuss here. comrades who have been familiar with javascript should know that javascript has a URL pseudo protocol that can be used to add arbitrary javascript code to the Protocol specifiers such as "javascript, when the browser loads such a URL, the code is executed. so we can get a classic XSS example:

1

Of course, not all marked attributes can be used. Be careful, you should find that the marked attributes are triggered only when the file is accessed. Here I will not go into depth, because the attribute of the exit tag and the event can help us trigger XSS. what is an event? An event is triggered only when a condition is reached. It happens that the img mark an onerror () event that can be exploited. When the img mark contains an onerror () the event is triggered when the image is not properly output, and any script code can be added to the event, and the code will be executed. now we have another classic XSS example:

2

Based on this part, we know that the XSS trigger conditions include: complete and error-free script tag, access file tag attributes, and trigger events.

Ii. Filtering Problems Caused by XSS Transcoding

Website programmers will certainly not let everyone use XSS if there are attacks. Therefore, they often filter key characters similar to javascript, so that everyone cannot construct their own XSS, here I will refer to two ignored characters, which are "&" and "". first, the "&" character is known to anyone who has played SQL injection. The injection statement can be converted into a hexadecimal system and then assigned to a variable for running, XSS transcoding is similar to this, because our IE browser uses UNICODE encoding by default and HTML encoding can be written in the & # ASCII format, this type of XSS transcoding supports both hexadecimal and hexadecimal. SQL Injection transcoding assigns a hexadecimal string to a variable, while XSS transcoding assigns the attribute value, next I will take the example:

('Xsss'); "> // 10-digit transcoding 3

# X74 ('xss'); "> // hexadecimal transcoding.

The & # separator can be added with 0 to the form of "j", and "j.

However, this "" character exposes a severe XSS 0-day vulnerability, which is highly correlated with the Cascading Style Sheet, let's take a look at this vulnerability. Let's take a javascript eval function example. The official website defines this function as follows:

Eval (codeString), required. The codestring parameter is a string value that contains valid JScript code. This string will be analyzed and executed by the JScript analyzer.

The "" character in JavaScript is an escape character, so you can use "" to connect a hexadecimal string to run the code.

<Script language = "JavaScript">
Eval ("external ")
</SCRIPT> the terrorism is that the style sheet also supports analyzing and interpreting the hexadecimal string format connected to "", which can be properly interpreted by the browser. Let's create an experiment: Write a CSS Tag that specifies an image as the webpage Background:

<Html>
<Body>
<Style>
BODY {background: url (http://up.2cto.com/Article/201103/20110330123053137.gif )}
</Style>
<Body>
<Html>

Save as HTM, And the browser is displayed normally.

Convert the background property value to a hex string connected to the "" format. It is displayed as normal when the browser is opened.

<Html>
<Body>
<Style>
BODY {background: 75366c28687474703a2f2f3132372e302e302e312f7873732e67696629}
</Style>
<Body>
<Html>

In the first part of this article, I have already said that the XSS trigger condition includes the tag attribute of the access file, so it is not difficult to construct

Such an XSS statement. With the results of the experiment, we can perform XSS transcoding on the CSS style sheet tag. the browser will help us explain the TAG content. XSS statement example:

see Figure 4

Editor's note:XSS attacks and their terrible nature and flexibility are favored by hackers. For XSS attacks, the editor provides the following security suggestions to common WEB users and WEB application developers:

Web User

1. Be extremely careful when you click a link in an email or instant messaging software: Pay attention to suspicious long links, especially those that seem to contain HTML code. If you have doubts about it, You can manually enter the domain name in the browser address bar, And Then browse the information you want through the link on the page.

2. No web browser has obvious security advantages for XSS vulnerabilities. Firefox is also insecure. For more security, you can install some browser plug-ins, such as Firefox's NoScript or Netcraft toolbar.

3. There is no "100% valid" in the world ". Avoid accessing problematic websites, such as websites that provide hack information and tools, crack software, and adult photos. These types of websites exploit browser vulnerabilities and endanger the operating system.

Web application developers

1. Developers should first focus on reliable input verification for content submitted by all users. The submitted content includes URL, query keyword, http header, and post data. Only Accept the characters you want within the length range specified by you, in the appropriate format. Blocking and filtering