On the principle of XSS

Source: Internet
Author: User
Tags: csrf attack

Recently XSS has been all over the forum: you can see traces of it everywhere, and a while ago this forum itself showed signs of XSS. At the time this newbie had no idea what it was, so there was nothing for it but to turn to Baidu and Google, that pair.
I can say this newbie now understands a bit of it, and rather than keep it to myself I'm posting it for everyone to study and discuss.

Here is the text:

0x00: The origins of XSS
I remember reading an article that described XSS like this: "If the browser is the operating system of the Web 2.0 era, then client-side script is the equivalent of a traditional application, and an XSS attack is tantamount to the attacker executing a Trojan program on that system. But this 'Trojan' has one great disadvantage: unlike a traditional Trojan, it cannot make itself at home in the operating system and run automatically afterwards."
This may be the best explanation of XSS, but what exactly is XSS? Let this newbie give you a glimpse of its mysterious face.
XSS, also called CSS (cross site script), is a cross-site attack. It refers to a malicious attacker inserting malicious HTML code into a Web page; when a user browses that page, the HTML code embedded in the page is executed, achieving the attacker's particular purpose.
Why does XSS appear? There is not much to say: either the filtering is not strict, or the programmer thinks XSS serves no practical purpose and so ignores how XSS attacks arise. For example, if a search box does no filtering at all on its input, we submit the following:

<script>alert('Test')</script>

The result, as you all know, is that the page pops up a dialog box.
I remember that when I first started to get interested in hacking techniques, XSS was just entertainment at that point.

0x01: Types of XSS
XSS is typically divided into three types:
The first type: reflected XSS
With this type, the cross-site code usually lives in a link; when someone opens such a link, the cross-site code is executed. Such cross-site code is generally not stored on the server.
The second type: stored XSS
This type is convenient to exploit: the cross-site code is stored in the database on the server, in other words the attack can be sustained, so it is also known as persistent XSS.
The third type: DOM-based XSS
This is a security problem caused by the client-side script itself parsing data incorrectly.

0x02: The attack principle of reflected XSS
Reflected XSS is the most common and widely used kind. A URL carrying malicious script code in its parameters is sent to someone; when the URL is opened, the malicious parameter is parsed as HTML and executed. It is characterized by being non-persistent: a user must click a link carrying the specific parameter.
Since this kind of cross-site needs a user's click to trigger, it tests how well you can fool people. Take the XSS attack on the forum a while ago: that was a reflected XSS, triggered by a transfer and then viewed by the attacker.
Another example:

http://searchb.dangdang.com/?key=f',true,1);alert(1);//


Anyone who follows WooYun ("Dark Cloud") should find this familiar: it is a typical reflected XSS. You need to persuade the user to click the link, and the XSS code is not stored on the server side, so the attack does not persist.
Common test method:
For every input (strictly speaking, the entire HTTP request is input, and data read back from the database is input too: GET and POST parameters, cookies, the URL, the Referer header and so on), do the following at each point:
1. Construct a unique string of your own, for example: myxsstestxxxx
2. Replace one input item (such as a parameter) with that string
3. Check whether the HTTP response contains the string, and record where it appears
4. Depending on the HTML context of each reflection, decide which kind of string to try, construct the attack string, and resubmit the request
5. If you can find a suitable attack string, the vulnerability is present. The key is step 4, because the server side may impose restrictions such as encoding or length limits; when testing, you need to find out whether those limits can be bypassed.
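Steps 1 to 4 of the test method above, automated against a constructed response body. This is an added example, not code from the original post; the marker string, the sample response and the function names are assumptions. The context classifier records which HTML context each reflection landed in, which is what step 4 needs in order to judge whether the output encoding at that point is adequate.

```javascript
// Added example, not from the original post. Step 1: a unique marker that would
// never appear in a normal page.
const MARKER = "myxsstestxxxx";

// Classify the context at a given offset by looking at the text before it.
// Order matters: a script block or a comment may itself contain "<" and ">".
function contextAt(body, idx) {
  const before = body.slice(0, idx);
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<!--") > before.lastIndexOf("-->")) return "comment";
  // Inside an unclosed tag: the marker sits in an attribute value or tag body.
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "attribute";
  return "text";
}

// Step 3: find every reflection of the marker in the response and record its
// offset and context. The context decides what escaping the application would
// have to apply at that output point (HTML text, attribute value, script, ...).
function findReflections(body, marker = MARKER) {
  const hits = [];
  let idx = body.indexOf(marker);
  while (idx !== -1) {
    hits.push({ offset: idx, context: contextAt(body, idx) });
    idx = body.indexOf(marker, idx + marker.length);
  }
  return hits;
}

// Constructed sample response (step 2 already done: the search term was
// replaced with the marker) in which the term is echoed in four places.
const SAMPLE_RESPONSE = [
  "<html><head><title>Search</title></head><body>",
  '<input type="text" name="key" value="myxsstestxxxx">',
  "<script>var q = 'myxsstestxxxx';</script>",
  "<!-- debug: last query was myxsstestxxxx -->",
  "<p>No results for myxsstestxxxx</p></body></html>",
].join("\n");

console.log(findReflections(SAMPLE_RESPONSE));
```

On the sample response the four hits come back as attribute, script, comment and text, and a response with no hits means that input point does not reach this page's output at all.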


0x03: The attack principle of stored XSS
In stored XSS the attack script is stored in a database or file, and the server side (possibly another application or another page) reads the stored content back out. In this case the user may simply open the normal page and see the injected code.
The principle is actually simple:
The XSS code is submitted to the website; the website stores the XSS code in the database; when the page is requested again, the server sends the data containing the implanted XSS code to the client, and the client executes the XSS code.
A more common example is inserting XSS code into a message board whose message content is not properly filtered:
Add <script>alert('Test')</script> to the message content.
This pops up the dialog box. Of course, wherever content can be added you can try XSS; for example, the QQ Zone decoration feature has a custom module where you can pick a picture and then add the following code:

javascript:alert('XSS')


Of course, the precondition for it to execute is that the server-side code is written something like this (the parameter is taken straight from the request and output unfiltered):

$a = $_GET['a'];   // taken straight from the request, no filtering or escaping



There are many ways to exploit it, such as the XSS platforms that are emerging now: create a new project and you can do a lot of things.

0x04: DOM-based XSS
A DOM-based XSS vulnerability is a vulnerability based on the Document Object Model (DOM). The DOM is a platform-independent interface that lets programs or scripts dynamically access and update a document's content, structure and style, with the processed result becoming part of the displayed page. The DOM contains many objects, some of which the user can manipulate, such as the URI, location, referrer and so on. Client-side script can dynamically inspect and modify page content through the DOM without submitting any data to the server; data obtained from the DOM on the client side is executed locally, and if that data is not strictly validated, a DOM-based XSS vulnerability results.
DOM-based XSS attacks originate from DOM-related properties and methods into which script is inserted to carry out the attack. A typical example:
The HTTP request http://www.xss.com/hello.html?name=test uses the following script to print out the name of the logged-in user, test:

<script>
// Everything after "name=" in the page URL is written into the page unchanged.
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</script>


If this script is requested with http://www.xss.com/hello.html?name=<script>alert('Test')</script>,
an XSS attack occurs.
When the user clicks this link, the server returns the static HTML text containing the script above. The user's browser parses that HTML text into the DOM, in which the Document object's URL property holds the URL of the current page. When the script runs, part of the URL property's value is written into the HTML text, and that part is the JavaScript; so <script>alert('Test')</script> becomes part of the HTML text the page finally displays, and the DOM-based XSS attack occurs.

0x05: How to prevent XSS
The above has simply described the principles of the various kinds of XSS and the simplest ways to exploit them. Some advanced XSS exploitation techniques are not covered here; it is better to teach someone to fish than to give them a fish, and the rest is for you to ponder. Let's briefly talk about preventing XSS.
Why is XSS so prevalent today? I think we all know: the input is not strictly filtered, and on output there is no checking, escaping, replacement and so on.
So the defensive approach is: do not trust any user input; check and filter every user input rigorously, and on output escape or replace the special characters.
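The hello.html?name= script from section 0x04 as a vulnerable renderer beside a fixed one that applies the "escape on output" rule above. This is an added example, not code from the original post: the URL is passed in as a string instead of being read from document.URL so that it also runs under Node, and the host example.com and the function names are assumptions.

```javascript
// Added example, not from the original post.

// Escape the five characters that matter in HTML text and attribute contexts.
// This is the "escape, replace" step applied at the output point.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Mirrors the page's vulnerable script: everything after "name=" is returned
// unchanged, so markup in the URL becomes markup in the page once the result
// is handed to document.write. It also swallows any parameters after name.
function vulnerableRender(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Fixed: parse the query properly (handles %-encoding and other parameters),
// then escape the value before it is placed into HTML text. In a browser the
// result should also go into element.textContent, never into document.write.
function safeRender(url) {
  const name = new URL(url).searchParams.get("name") ?? "";
  return escapeHtml(name);
}

// Constructed URL carrying the page's test string in the name parameter.
const attackUrl = "http://example.com/hello.html?name=<script>alert('Test')</script>";
console.log(vulnerableRender(attackUrl)); // a live <script> element if written to the page
console.log(safeRender(attackUrl));       // &lt;script&gt;..., displayed as literal text
```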

0x06: A brief talk on CSRF attacks
In fact, I never knew what CSRF was until the official PhpMyWind website was fixed; only then did I notice this attack method. After that, through Baidu and Google, that fine pair, I slowly understood a bit.
CSRF is an attack that forges client requests. Its full English name is cross site request forgery, which literally means that a request is forged across sites. This attack was proposed by foreign security researchers in 2000 and received no attention until early 2006.
The definition of CSRF is to force the victim's browser to send a request to a vulnerable Web application, ultimately achieving the action the attacker requires.
CSRF vulnerabilities are generally divided into two types: in-station and out-of-station.
In-station CSRF vulnerabilities are partly due to programmers misusing $_REQUEST-type variables. Some sensitive operation is meant to be initiated by the user submitting a form, which sends a POST request to the program, but because a variable such as $_REQUEST is used, the program also accepts a GET request. This creates the conditions for a CSRF attack: the attacker simply puts the expected request parameters into a link in a post or message on the site, and when the victim browses such a page, the browser is forced to initiate the request.
Out-of-station CSRF vulnerabilities are really the traditional problem of externally submitted data. Programmers generally consider adding a watermark (CAPTCHA) to comment forms and the like to prevent spam, but for the sake of user experience some operations may have no restrictions at all. So the attacker can first predict the request parameters, then on a Web page outside the site write JavaScript that forges the request, or an auto-submitting form, to perform the GET or POST request; when a user with an active session clicks a link to that external page, the client is forced to initiate the request.
If you, dear reader, want to learn more about CSRF, Google it!
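A toy request handler that models the two CSRF conditions above: first dispatched the way a $_REQUEST-style merge of GET and POST does it, then with the checks that close both the in-station link and the out-of-station auto-submitted form. This is an added example, not code from the original post; requests are plain objects, and the action name, session layout and token field are assumptions.

```javascript
// Added example, not from the original post. A "delete post" action that is
// meant to be reached only by POST from the site's own form.

// Merges query and body exactly like PHP's $_REQUEST, so a GET link carrying
// ?action=delete&id=7 in a forum post is indistinguishable from the real form.
function handleLoose(req, session) {
  const params = { ...req.query, ...req.body };
  if (params.action === "delete" && session.loggedIn) {
    return { status: 200, deleted: Number(params.id) };
  }
  return { status: 400 };
}

// Fixed: only the POST body is consulted, and the form must carry a token that
// matches the one stored in the victim's session. A page on another site, or a
// link embedded in a forum post, cannot read that token, so it cannot forge the
// request even though the browser attaches the session cookie automatically.
// (Production code should compare the token in constant time.)
function handleStrict(req, session) {
  if (req.method !== "POST") return { status: 405 };
  const { action, id, csrfToken } = req.body || {};
  if (!session.loggedIn || !csrfToken || csrfToken !== session.csrfToken) {
    return { status: 403 };
  }
  if (action === "delete") return { status: 200, deleted: Number(id) };
  return { status: 400 };
}

// Constructed session and requests. The token value is a placeholder.
const session = { loggedIn: true, csrfToken: "tok-3f9a" };
// In-station case: a link in a post, fetched with GET.
const forgedLink = { method: "GET", query: { action: "delete", id: "7" }, body: {} };
// Out-of-station case: an auto-submitted form on another site, sent with POST.
const forgedForm = { method: "POST", query: {}, body: { action: "delete", id: "7" } };
// The site's own form, which includes the session-bound token.
const realForm = { method: "POST", query: {},
                   body: { action: "delete", id: "7", csrfToken: "tok-3f9a" } };

console.log(handleLoose(forgedLink, session));  // the GET link deletes post 7
console.log(handleStrict(forgedLink, session)); // 405: wrong method
console.log(handleStrict(forgedForm, session)); // 403: no token
console.log(handleStrict(realForm, session));   // 200: genuine form submission
```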

That is just a few simple XSS principles; consider it a starting point, and you can discuss how to bring out the full power of XSS.
