What is an XSS vulnerability?
XSS stands for Cross-Site Scripting (abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets). It refers to an attacker inserting malicious HTML or script code into a web page; when a user browses that page, the embedded code runs in the user's browser and carries out whatever the attacker intended, with the user's session and privileges.
Hazards of XSS vulnerabilities
Stealing user cookies (and with them the user's session)
Modifying page content
Browser hijacking
Chaining with other vulnerabilities (for example, CSRF)
Others
How XSS vulnerabilities arise
Consider the following common code in a Velocity template (.vm file):
<span>$!productName</span>
<script>var from = '$!rundata.parameters.getString('from')';</script>
For the first piece of code, we can set the variable to
<iframe src=http://www.bkjia.com></iframe>
and the first piece of code becomes
<span><iframe src=http://www.bkjia.com></iframe></span>
For the second piece of code, we can set the parameter to
'; hackerFunction(document.cookie);'
and the second piece of code becomes
<script>var from = ''; hackerFunction(document.cookie);'';</script>
The first quote of the input closes the string literal, and everything after it runs as JavaScript. Both pieces of code can easily have malicious scripts implanted into them; that is how the XSS vulnerability arises. Note that the two outputs sit in different contexts: the first is HTML body text, the second is a JavaScript string literal, and each context needs its own escaping.
XSS vulnerabilities can be prevented with escapeHtml for HTML contexts and JavaScript string escaping for script contexts.
After escaping, the first piece of code above becomes
<span>&lt;iframe src=http://www.bkjia.com&gt;&lt;/iframe&gt;</span>
The browser now renders the user's input as literal text rather than as an iframe. Likewise, JavaScript escaping turns the quote in the second payload into \x27 (or \'), so the string literal is never closed and hackerFunction never runs. Escaping at the point of output is what prevents and fixes the vulnerability; filtering input alone is not enough.
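The two Velocity contexts above, simulated in Node.js as an added example (this is not code from the original article). The template literals stand in for the .vm file, the render functions for the template engine, and hackerFunction is a stand-in for whatever the attacker's script would do; the sample cookie value is constructed.

```javascript
// Added example, not from the original article: the two Velocity contexts
// above, simulated in Node.js. The template literals stand in for the .vm
// file and the render functions for the template engine; hackerFunction is
// a stand-in for whatever the attacker's script would do.

// HTML body/attribute context: encode the five characters that matter.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// JavaScript string-literal context: encode every character that could end the
// literal or the enclosing <script> block as a \uXXXX escape, which is valid
// inside a JS string and is never interpreted by the HTML parser.
function escapeJs(s) {
  return String(s).replace(/[\\'"<>&\r\n\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// <span>$!productName</span>
function renderSpanUnsafe(productName) { return `<span>${productName}</span>`; }
function renderSpanSafe(productName)   { return `<span>${escapeHtml(productName)}</span>`; }

// <script>var from = '$!rundata.parameters.getString('from')';</script>
function renderScriptUnsafe(from) { return `<script>var from = '${from}';</script>`; }
function renderScriptSafe(from)   { return `<script>var from = '${escapeJs(from)}';</script>`; }

// Does the rendered HTML contain a real (unencoded) tag with this name?
function containsTag(html, tagName) {
  return new RegExp('<' + tagName + '\\b', 'i').test(html);
}

// Run the inline script the way a browser would, but inside a function so we
// can observe whether the attacker's code executed and what `from` ended up as.
function runInlineScript(html) {
  const js = html.replace(/^<script>/, '').replace(/<\/script>$/, '');
  let hooked = false;
  const fakeDocument = { cookie: 'sid=constructed-sample' };   // constructed
  const from = new Function('hackerFunction', 'document', js + '\nreturn from;')(
    () => { hooked = true; }, fakeDocument);
  return { hooked, from };
}

const IFRAME_PAYLOAD = '<iframe src=http://www.bkjia.com></iframe>';
const JS_PAYLOAD = "'; hackerFunction(document.cookie);'";

console.log(renderSpanUnsafe(IFRAME_PAYLOAD));                // iframe is live
console.log(renderSpanSafe(IFRAME_PAYLOAD));                  // iframe is inert text
console.log(runInlineScript(renderScriptUnsafe(JS_PAYLOAD))); // hooked: true
console.log(runInlineScript(renderScriptSafe(JS_PAYLOAD)));   // hooked: false, from intact
```

The point of escapeJs encoding `<` and `>` as well as the quotes is that a value of `</script>` inside the string literal would otherwise end the script block in the HTML parser before the JavaScript parser ever sees it; the \u form is safe in both parsers.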
XSS vulnerability verification
The basic method for detecting XSS is to submit an attack string, for example "><script>alert(document.cookie)</script>, to every parameter of every page of the application while watching the response to each submission. If the attack string appears in the response unmodified, the application almost certainly has an XSS vulnerability. If it comes back HTML-encoded, the parameter is reflected but escaped; if it comes back missing or altered, a filter is probably in the way (see below).
Black-box manual testing
Pages with input boxes
For a non-rich-text input box, enter the special characters <"hack'> and submit.
On the resulting page, view the source and search for the keyword hack to locate the input; look at the <" before hack and the '> after it.
If <, ", > and ' are not escaped (to &lt;, &quot;, &gt; and &#39; or &apos;), the input box is suspected of being vulnerable to XSS (file a bug).
For a rich-text input box, enter the same characters and submit; if the page layout breaks or a JavaScript error appears, the input box is vulnerable to XSS (file a bug).
In some cases the basic method fails to detect an XSS vulnerability and further testing is needed. Many applications implement blacklist-based filtering to try to prevent XSS. Typically these filters look for expressions such as <script> in request parameters and take some defensive action: deleting the match, encoding it, or blocking the request entirely. The basic attack strings above are often caught by such filters. However, XSS can still be exploited without an exact <script> tag.
To get around the filtering an application has implemented, we can try various evasions, such as:
"><script >alert(document.cookie)</script> if the filter matches the complete string <script>, a space inside the tag skips it.
"><SCrIpt>alert(document.cookie)</script> tests whether the filter is case-sensitive.
"%3e%3cscript%3ealert(document.cookie)</script> URL-encodes the characters to see whether the filter runs before the parameter is decoded.
"><scr<script>ipt>alert(document.cookie)</script> if the filter deletes the string <script> only once, nesting it leaves a complete <script> tag behind after the deletion.
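The reflection checks described above (the basic verbatim check, the <"hack'> marker test, and the four filter-bypass probes), run offline as an added example that is not from the original article. The page and its blacklist filter are constructed here to behave like the filters the article describes: the filter deletes one literal "<script>" from the raw query parameter, and the application URL-decodes and reflects the result without encoding.

```javascript
// Added example, not from the original article: a simulated vulnerable page
// with a naive blacklist, the same page with output encoding, and the checks
// a tester runs against both. Everything here is constructed for the example.

// Simulated server-side blacklist: delete the literal string "<script>" once,
// case-sensitively, from the raw (still URL-encoded) query parameter.
function naiveBlacklist(rawParam) {
  return rawParam.replace('<script>', '');
}

// Simulated vulnerable page: the filtered parameter is URL-decoded and then
// reflected into an attribute value and into the body with no HTML encoding.
function vulnerablePage(rawParam) {
  const v = decodeURIComponent(naiveBlacklist(rawParam));
  return `<input type="text" name="q" value="${v}"><p>You searched for ${v}</p>`;
}

// Same page with output encoding applied (the correct fix).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
function fixedPage(rawParam) {
  const v = escapeHtml(decodeURIComponent(rawParam));
  return `<input type="text" name="q" value="${v}"><p>You searched for ${v}</p>`;
}

// Basic check from the article: is the attack string present verbatim?
function reflectedVerbatim(response, probe) {
  return response.includes(probe);
}

// Looser check that survives filters and decoding: did any executable
// markup reach the page at all?
function containsExecutableMarkup(response) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(response);
}

// The <"hack'> test: locate the marker and report which of the four special
// characters around it survived unescaped. null means it was not reflected.
function unescapedAround(response, marker = 'hack') {
  const i = response.indexOf(marker);
  if (i < 0) return null;
  const before = response.slice(Math.max(0, i - 2), i);
  const after = response.slice(i + marker.length, i + marker.length + 2);
  return { lt: before.includes('<'), quot: before.includes('"'),
           apos: after.includes("'"), gt: after.includes('>') };
}

const PROBES = {
  basic:   '"><script>alert(document.cookie)</script>',
  space:   '"><script >alert(document.cookie)</script>',
  casing:  '"><SCrIpt>alert(document.cookie)</script>',
  encoded: '"%3e%3cscript%3ealert(document.cookie)</script>',
  nested:  '"><scr<script>ipt>alert(document.cookie)</script>',
};

// Send every probe through the page; record whether executable markup got in.
function runProbes(page = vulnerablePage) {
  const out = {};
  for (const [name, probe] of Object.entries(PROBES)) {
    out[name] = containsExecutableMarkup(page(probe));
  }
  return out;
}

console.log(runProbes());                                 // only "basic" is stopped
console.log(runProbes(fixedPage));                        // nothing gets through
console.log(unescapedAround(vulnerablePage('<"hack\'>'))); // all four unescaped
```

Note that the encoded probe is exploitable but fails the verbatim check, because the page reflects the decoded form; that is why the looser containsExecutableMarkup check is worth running alongside the article's basic test.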
Testing page link parameters
Links with parameters, such as:
http://mall.taobao.com/?ad_id=&am_id=&cm_id=&pm_id=
This link carries four parameters. The test method is the same as for input boxes: treat each parameter as an input box and submit the test characters in it. For example:
http://mall.taobao.com/?ad_id=<"hack'>&am_id=&cm_id=&pm_id=
Black-box tool testing
Recommended tools
Paros (free)
Acunetix Web Vulnerability Scanner (commercial)
White-box code scanning
<span>$!productName</span>
Non-rich-text output like this must be written as:
<span>$!stringEscapeUtil.escapeHtml($!productName)</span>
For rich text, where some HTML must be allowed, force the output through the filter layer (a whitelist HTML filter) instead of escaping it.
Based on these two rules, we can statically scan the white-box code for unescaped output and so prevent and fix XSS vulnerabilities before they ship.
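A minimal static check for the rule above, as an added example that is not from the original article, run over constructed Velocity template text. It flags every $ / $! reference that is not wrapped in $!stringEscapeUtil.escapeHtml(...) and reports whether the reference sits in HTML or inside a <script> block, where HTML encoding is the wrong fix. The escapeJavaScript method name is an assumption about the tool's API, and real Velocity has more syntax than the reference forms handled here (directive lines such as #set and #if are simply skipped).

```javascript
// Added example, not from the original article: a minimal static scan for
// unescaped Velocity references. escapeJavaScript is an assumed method name;
// only the reference forms shown in the article are handled.

// Replace each $!stringEscapeUtil.escapeXxx( ... ) call, including nested
// parentheses, with a placeholder so its argument is not reported.
function stripEscapedCalls(line) {
  const call = /\$!?stringEscapeUtil\.escape(?:Html|JavaScript)\(/g;
  let out = '', last = 0, m;
  while ((m = call.exec(line)) !== null) {
    let depth = 1, i = call.lastIndex;
    while (i < line.length && depth > 0) {
      if (line[i] === '(') depth++;
      else if (line[i] === ')') depth--;
      i++;
    }
    out += line.slice(last, m.index) + '__ESCAPED__';
    last = i;
    call.lastIndex = i;
  }
  return out + line.slice(last);
}

// $name, $!name, $!{name}, $!obj.method('arg') ... (one level of call arguments).
const REFERENCE = /\$!?\{?[A-Za-z_]\w*(?:\.[A-Za-z_]\w*(?:\([^()]*\))?)*\}?/g;

// Number of <script> openings minus closings before `pos` in `line`.
function scriptDelta(line, pos) {
  const head = line.slice(0, pos);
  return (head.match(/<script\b/gi) || []).length - (head.match(/<\/script>/gi) || []).length;
}

// Returns one finding per unescaped reference: line number, the reference
// text, its context (html or script) and the wrapper that should be applied.
function scanVelocity(source) {
  const findings = [];
  let openScripts = 0;                 // <script> blocks carried across lines
  source.split('\n').forEach((raw, idx) => {
    if (/^\s*#/.test(raw)) return;     // directive line, not output
    const line = stripEscapedCalls(raw);
    for (const m of line.matchAll(REFERENCE)) {
      const inScript = openScripts + scriptDelta(line, m.index) > 0;
      findings.push({
        line: idx + 1,
        ref: m[0],
        context: inScript ? 'script' : 'html',
        fix: inScript ? '$!stringEscapeUtil.escapeJavaScript(...)'
                      : '$!stringEscapeUtil.escapeHtml(...)',
      });
    }
    openScripts = Math.max(0, openScripts + scriptDelta(line, line.length));
  });
  return findings;
}

// Constructed sample template: the article's two lines, one escaped line,
// and one directive line.
const SAMPLE_VM = [
  '<span>$!productName</span>',
  '<span>$!stringEscapeUtil.escapeHtml($!productName)</span>',
  "<script>var from = '$!rundata.parameters.getString('from')';</script>",
  '#set($total = $!count + 1)',
].join('\n');

console.log(scanVelocity(SAMPLE_VM));   // two findings: line 1 (html), line 3 (script)
```

In a real code base you would run this over every .vm file and treat rich-text references (those that legitimately carry HTML) as a separate allow-list, since those must go through the filter layer rather than escapeHtml.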
Alternative XSS
Linux file name XSS
I. File names
As we all know, Windows has rules for file names and defines a set of reserved characters. They are:
< (less than)
> (greater than)
: (colon)
" (double quote)
/ (forward slash)
\ (backslash)
| (vertical bar or pipe)
? (question mark)
* (asterisk)
On Linux, most of these characters are not restricted and a file name can contain them freely (only / and the NUL byte are forbidden). Therefore we can store an XSS payload in the file name itself (the original screenshot is not reproduced here):
In the screenshot, the XSS payload is stored successfully in the file name.
II. Attack
Much of the time the surrounding code makes an attack possible. Look at the following PHP file-upload code:
<?php
// Deliberately vulnerable example: every field of $_FILES["file"] shown here
// except "error", "size" and "tmp_name" comes straight from the client's
// multipart request, and "name" is echoed without htmlspecialchars().
if (isset($_FILES["file"]))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Error: " . $_FILES["file"]["error"] . "<br/>";
    }
    else
    {
        echo "Upload: " . $_FILES["file"]["name"] . "<br/>";
        echo "Type: " . $_FILES["file"]["type"] . "<br/>";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br/>";
        echo "Stored in: " . $_FILES["file"]["tmp_name"];
    }
}
?>
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"/>
<br/>
<input type="submit" name="submit" value="Submit"/>
</form>
</body>
</html>
When the upload succeeds, the program outputs the file information, and the file name is output without any processing. If we upload a file whose name contains the reserved characters above and the program echoes it, the attack works (the original screenshot is not reproduced here):
In the screenshot the attack succeeded. Not every upload location is exploitable; the following conditions must be met:
1. The original file name is output somewhere, either before the file is saved (as in the echo above) or afterwards.
2. The file is stored directly under its original name and that name is later displayed.
3. Check the program logic for other environment-specific behaviour.
4. The web server runs Linux. This matters only when the file is stored under its original name; the value in $_FILES["file"]["name"] comes straight from the multipart request and is echoed regardless of the server's OS.
5. The attacker uploads from Linux. In practice any HTTP client can put arbitrary characters in the filename field of the multipart request, so this is a convenience rather than a real requirement.
Sample code: http://code.google.com/p/madal-example-project/source/browse/trunk/controllers/image_uploader.php?r=2
For more examples, see http://code.google.com/query/?q===_files=%22file=22???=22name=22]
Online attack test page: http://www.woyigui.cn/fileupload.php
III. Prevention
1. Save the file under a random name when storing it, rather than the name the client supplied.
2. Treat the file name as untrusted at all times and HTML-encode it before it is output anywhere.
Reference:
http://msdn.microsoft.com/en-us/library/aa365247%28VS.85%29.aspx