Cross-site Script

Source: Internet
Author: User

Cross-site scripting (XSS) was introduced in "Analysis of the principle of XSS"; this part looks at the code behind it. The trigger condition for an attack starts from HTML (Hypertext Markup Language): every page we browse is built from HTML. A hyperlink, for example, is displayed by:

<a href="http://safe.it168.com">it168 security channel</a>


The principle of XSS is to inject script into HTML. HTML defines the script tag <script></script>, and when the input characters are not filtered, all that is needed to trigger XSS is a complete, error-free script tag. If the content we submit through a form is written into the value of a tag attribute, we can construct a complete, error-free script tag by first closing that attribute value and the tag, using a value such as:

"><script>alert('XSS');</script><"

The result is a tag like <a href=""><script>alert('XSS');</script><"">Eggplant Treasure's blog</a>. :) This is very much like SQL injection!

When testing, find the tag in which the form value is placed and what has to be closed, then form a complete, error-free script tag to trigger the XSS. But if a script tag cannot be used, can XSS still be triggered? Yes, with other tags. To display a picture in a Web page we use the IMG tag.

The IMG tag does not actually put the picture into the HTML document; it refers to the picture through its SRC attribute. The browser's job is to interpret the IMG tag, fetch the URL given as the value of SRC, and render the image. Here is the problem: does the browser check the value assigned to SRC? The answer is NO (at least in the browsers of the time). So we can make trouble here. Anyone who has used JavaScript knows that it has a URL pseudo-protocol: the specifier "javascript:" followed by arbitrary JavaScript code. When the browser loads such a URL, it executes the code in it. That gives us a classic XSS example:

Figure 1: an IMG tag whose SRC value is a javascript: URL.

Of course, not every attribute of a tag can be used. If you look carefully, you will find that the attributes that trigger XSS are the ones that load a file. I will not go deeper into that here, because besides tag attributes, events can also help us trigger XSS. What is an event? An event fires only when a certain condition is met, and the IMG tag happens to have an onerror event that can be exploited: when the IMG tag carries an onerror handler and the image fails to load, the event fires, and the handler can contain arbitrary script code, which is then executed. So we get another classic XSS example:

Figure 2: an IMG tag with a SRC that fails to load and an onerror handler containing script.

In this part we have seen that the triggering conditions for XSS include: complete, error-free script tags; tag attributes that load a file; and events.
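The following is an added example, not code from the original article. It models the form-to-attribute situation described above: a submitted value is placed into the href of a link, one payload per trigger condition is fed through a vulnerable renderer and through a hardened one, and the hardened renderer shows the two checks that close off all three conditions (an allowlist on the URL scheme, applied to the decoded value, followed by attribute encoding). The function names (renderLink, renderLinkSafe, escapeAttr, safeHttpUrl) and the payload constants are this example's own.

```javascript
// Added example, not code from the original article. Function names are this
// example's own; the payloads are constructed from the trigger conditions above.

// Vulnerable: the submitted value is concatenated straight into the href attribute.
function renderLink(url, text) {
  return '<a href="' + url + '">' + text + '</a>';
}

// Encode the characters that change meaning inside markup or an attribute value.
// "&" goes first so the entities produced by the later replacements are not
// re-encoded.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allow only absolute http(s) URLs. Browsers drop ASCII control characters and
// spaces from a URL before reading its scheme, so "java\tscript:" is first
// reduced to "javascript:" and then rejected like any other non-http scheme.
// Encoding alone would not stop a javascript: URL: it is a valid attribute value.
function safeHttpUrl(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, '');
  return /^https?:\/\//i.test(cleaned) ? cleaned : '#';
}

// Hardened: scheme check on the decoded value, then attribute encoding of both
// the URL and the link text.
function renderLinkSafe(url, text) {
  return '<a href="' + escapeAttr(safeHttpUrl(url)) + '">' + escapeAttr(text) + '</a>';
}

// Constructed payloads, one per trigger condition from the text.
const PAYLOAD_SCRIPT_TAG = '"><script>alert(\'XSS\');</script><"'; // closes the attribute and the tag
const PAYLOAD_PSEUDO_URL = 'javascript:alert(\'XSS\')';            // file-loading attribute
const PAYLOAD_EVENT = '" onmouseover="alert(\'XSS\')';             // breaks out into an event handler

for (const p of [PAYLOAD_SCRIPT_TAG, PAYLOAD_PSEUDO_URL, PAYLOAD_EVENT]) {
  console.log('vulnerable:', renderLink(p, "Eggplant Treasure's blog"));
  console.log('hardened:  ', renderLinkSafe(p, "Eggplant Treasure's blog"));
}
```

The vulnerable renderer reproduces exactly the broken-out tag shown above for the first payload. The hardened renderer rejects all three: the first and third are not http(s) URLs and so become "#", the second is a javascript: URL and is rejected by the scheme allowlist, and any "<", ">" or quote that does survive in a legitimate http URL is encoded so it cannot close the attribute.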

Part Two: filter problems caused by XSS transcoding

There is of course a defence. Website programmers will not let everyone use XSS, so they often filter JavaScript keywords so that people cannot build their own XSS. Here I pick two characters that are easily overlooked, "&" and "\". First, "&". Anyone who has played with SQL injection knows that the injected statement can be converted to hexadecimal and assigned to a variable to run. XSS transcoding is very similar: HTML allows a character to be written as a numeric character reference, &#code;, and the browser (IE included) decodes it when reading an attribute value. Both the decimal and the hexadecimal forms are supported. In SQL injection the hex string is assigned to a variable; in XSS transcoding the encoded string is assigned to an attribute. Examples:

Decimal transcoding (Figure 3): the javascript: payload in the attribute value written as &#DDD; references, ending in the plain text ('XSS');">.

Hexadecimal transcoding: the same payload written as &#xHH; references. The tail of the attribute reads &#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;&#x3b;">, which the browser decodes to t('XSS');">.

The number after &# may also be padded with leading zeros, so &#0106;, &#00106;, &#000106; and so on all decode to the same character ("j"), which gives still more forms a keyword filter has to recognise.
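The following is an added example, not code from the original article. It encodes the javascript: payload from the text as decimal, hexadecimal and zero-padded numeric character references, decodes them the way a browser decodes an attribute value, and runs the keyword filter described above both on the raw value (where it misses every encoded form) and on the decoded value (where it catches them). The function names (encodeNumericRefs, decodeNumericRefs, naiveFilter, containsScriptUrl) and the sample values are this example's own.

```javascript
// Added example, not code from the original article. Function names and sample
// values are this example's own.

// Write every character as &#DDD; (decimal) or &#xHH; (hex). HTML accepts any
// number of leading zeros, so `pad` produces the &#0106;, &#00106; forms too.
function encodeNumericRefs(s, { hex = false, pad = 0 } = {}) {
  return Array.from(s, (ch) => {
    const cp = ch.codePointAt(0);
    const digits = cp.toString(hex ? 16 : 10).padStart(pad, '0');
    return (hex ? '&#x' : '&#') + digits + ';';
  }).join('');
}

// Decode &#DDD; and &#xHH; (either case of "x" and of the hex digits). HTML
// still decodes a numeric reference whose closing ";" is missing, so the
// semicolon is optional here as well.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) => {
    const cp = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// The filter the text describes: a keyword test on the raw submitted value.
function naiveFilter(value) {
  return /javascript:/i.test(value);
}

// The same test run after decoding, and after removing the ASCII control
// characters and spaces a browser ignores when it reads a URL scheme.
function containsScriptUrl(value) {
  const decoded = decodeNumericRefs(value).replace(/[\u0000-\u0020]/g, '');
  return /^javascript:/i.test(decoded);
}

// Constructed sample: the payload from the text in three encodings.
const PAYLOAD = "javascript:alert('XSS');";
const DECIMAL = encodeNumericRefs(PAYLOAD);              // &#106;&#97;&#118;...
const HEX = encodeNumericRefs(PAYLOAD, { hex: true });   // &#x6a;&#x61;&#x76;...
const PADDED = encodeNumericRefs(PAYLOAD, { pad: 5 });   // &#00106;&#00097;...

for (const v of [PAYLOAD, DECIMAL, HEX, PADDED]) {
  console.log('naive:', naiveFilter(v), 'decoded:', containsScriptUrl(v), v);
}
```

The point of the decode-then-test order is that the filter must see the same string the browser will act on; a filter that inspects the raw text is defeated by any of the three encodings, and by the tab-splitting trick (java&#9;script:) that the decoded check also handles.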

The "\" character, meanwhile, was behind a serious XSS 0-day that is closely tied to CSS (Cascading Style Sheets). Let's look at it. First, an example of the JavaScript eval function; this is its official definition:

eval(codeString): the required codeString parameter is a string value that contains valid JScript code. This string is parsed and executed by the JScript parser.

In JavaScript the "\" character is an escape character, so code can be run by writing it as a string of "\x" hexadecimal escapes joined together:

<script language="JavaScript">
// The escaped string decodes to javascript:alert("XSS"); eval() treats "javascript:" as a label and runs the alert.
eval("\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29")
</script>

The horror is that stylesheets also parse and interpret strings written as "\"-joined hexadecimal escapes, and the browser interprets them normally. Let's do an experiment: write a style block that sets a picture as the background of the page:

<body>
<style>
BODY {background:url(http://up.2cto.com/Article/201103/20110330123053137.gif)}
</style>
</body>

Save it as an .htm file and open it in the browser: it displays normally.

Now convert the value of the background property into a "\"-escaped hexadecimal string (the escapes below decode to url(http://127.0.0.1/xss.gif)); the browser still opens and displays it normally:

<body>
<style>
BODY {background:\75\72\6c\28\68\74\74\70\3a\2f\2f\31\32\37\2e\30\2e\30\2e\31\2f\78\73\73\2e\67\69\66\29}
</style>
</body>

In the first part of the article I already said that one of the triggering conditions for XSS is a tag attribute that loads a file, so it is not hard to construct a background whose url() uses the javascript: pseudo-protocol as the XSS statement. Given the result of the experiment above, we can also encode that CSS statement with "\" hexadecimal escapes, and the browser will decode the content of the tag for us. An example of such an encoded XSS statement:

See Figure 4.
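The following is an added example, not code from the original article. It covers both escape syntaxes used in this part: a decoder for JavaScript's \xHH escapes, applied to the eval() argument above, and a decoder for CSS's backslash escapes (one to six hex digits with an optional swallowed whitespace character), applied to the escaped background value above, followed by a check for a javascript: url() that only runs after decoding. The function names (decodeJsHexEscapes, decodeCssEscapes, cssValueIsScriptUrl) and the two constructed evasion values are this example's own; EVAL_ARG and CSS_VALUE are the two escaped strings from the text.

```javascript
// Added example, not code from the original article. Function names and the
// CSS_SCRIPT_* values are this example's own; EVAL_ARG and CSS_VALUE are the
// escaped strings from the text (backslashes doubled for a JS literal).

// JavaScript string literal: \xHH is exactly two hex digits.
function decodeJsHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// CSS escape: a backslash followed by one to six hex digits, then one optional
// whitespace character that is swallowed (so "\9 c" is a tab followed by "c").
// A backslash before any other character (except a newline) yields that
// character itself, e.g. "\:" is ":".
function decodeCssEscapes(s) {
  return s.replace(/\\(?:([0-9a-fA-F]{1,6})[ \t\n\r\f]?|([^\n\r\f]))/g, (m, hex, lit) => {
    if (hex === undefined) return lit;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
  });
}

// A filter for a CSS property value: decode the escapes first, drop the control
// characters and spaces a browser ignores inside a URL scheme, then test.
function cssValueIsScriptUrl(value) {
  const decoded = decodeCssEscapes(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /url\(["']?javascript:/.test(decoded);
}

// The eval() argument from the text: decodes to javascript:alert("XSS").
const EVAL_ARG = '\\x6a\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x3a\\x61\\x6c\\x65\\x72\\x74\\x28\\x22\\x58\\x53\\x53\\x22\\x29';

// The escaped background value from the text: decodes to url(http://127.0.0.1/xss.gif).
const CSS_VALUE = '\\75\\72\\6c\\28\\68\\74\\74\\70\\3a\\2f\\2f\\31\\32\\37\\2e\\30\\2e\\30\\2e\\31\\2f\\78\\73\\73\\2e\\67\\69\\66\\29';

// Constructed: the same trick applied to a javascript: URL, once with only the
// letters escaped, once with a "\9 " (tab) splitting the scheme.
const CSS_SCRIPT_VALUE = '\\75\\72\\6c(\\6a\\61\\76\\61\\73\\63\\72\\69\\70\\74:alert(1))';
const CSS_SCRIPT_VALUE_TAB = 'url(javas\\9 cript:alert(1))';

console.log(decodeJsHexEscapes(EVAL_ARG));
console.log(decodeCssEscapes(CSS_VALUE));
for (const v of [CSS_VALUE, CSS_SCRIPT_VALUE, CSS_SCRIPT_VALUE_TAB]) {
  console.log(cssValueIsScriptUrl(v), decodeCssEscapes(v));
}
```

Two caveats for anyone reproducing the experiment today. Modern browsers no longer execute javascript: URLs in an IMG SRC or in a CSS url(), so the statements in this part are a record of the IE behaviour of the time rather than a current exploit; the decoders remain relevant because filters and WAFs that inspect raw text still miss the escaped forms. Also, a current CSS tokenizer treats an escaped "(" or ")" as part of the identifier, so a value like \75\72\6c\28...\29 is read as one identifier rather than as a url() function; the CSS_SCRIPT_VALUE sample therefore leaves the parentheses unescaped.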
