Note * XSS attack is Cross Site scripting, usually in the URL of Web page link to inject JS code to achieve the attack means, many manufacturers are in the game, such as: Twitter, Sina Weibo, sample code: http://www.demo.cn/=< Script>alert (Document.cookie) </script> In fact, this code does not execute on all browsers, but only a subset of browsers (such as IE6) are available to achieve the attack effect. At present, many Web sites have the ability to automatically filter XSS code, this article introduces some how to screen XSS filter means, in fact, we can find that most of the implementation of XSS filtering is not safe, which for us in the prevention of XSS attacks have a certain reference significance.
Introduction
I like to use JavaScript in an unexpected way, writing code that looks strange but really works, and it can often perform some unexpected functions. This may sound trivial, but based on this finding is sufficient to summarize some of the most useful programming techniques. Each of the tips below can block out XSS filters, which is why I write the code. However, learning such JavaScript code can significantly enhance your mastery of the language itself, help you better handle input, and improve the security of your Web application.
Here's a look at these amazing JavaScript code!
Regular Expressions Replace executable code
When you use a regular expression with replace, the second parameter supports the function assignment. In opera, this parameter can be used to execute code. For example, the following code fragment:
' XSS '. Replace (/xss/g,alert)
The result of this execution will be equivalent to: alert (' XSS '); The reason for this behavior is that a regular expression match is taken as a parameter and passed to the alert function. In general, you would use a function to invoke another piece of code on the matching text, like this:
' somestring '. Replace (/some/,function ($) { //do something with some})
But, as you can see in the first example, we performed a local alert call, not a user-defined function, and the parameter was passed to the local call by a regular expression. It's a cool trick to block out some XSS filters. For example, first write a string, then a "point", and then you can call any function you want to call.
To see how this is used in an XSS environment, imagine that we have an unfiltered attack code in the string, either a JavaScript event or a script tag, where an injection occurs in the string. First, we inject a valid function alert (1), then we break the limit of the quotation mark and then write our regular expression.
. replace (/.+/,eval)//
Notice that I use the Eval function here to execute any code I want to execute, and in order for the attack code to pass to eval, the regular expression must match all the items.
If I put all the code together and show the output of the page, it would be easier to understand the process:
Page output:
<script>somevariableunfiltered= "YOUR INPUT" </script>
The above code is common in parsing scripts, and all the strings you search for online are stored in this analysis script by some ad companies. You may not have noticed these scripts, but if you look at the source of a Web page, you'll find that it's always there. In addition, the forum is a place where these scripts are often used. "YOUR INPUT" is the string you control. This will also be referred to as DOM based XSS injection if the input is not filtered correctly. (Note: DOM, which expresses an HTML document as a tree structure, usually an HTML structure)
Input:
Alert (1) ". Replace (/.+/,eval)//
Output results:
<script>somevariableunfiltered= "alert (1)". Replace (/.+/,eval)//"</script>
Note that here "//" is used to clear the Single-line comment that is referenced later.
Unicode Escape
Although it is not possible to use parentheses when escape Unicode characters, we can escape the name of the function that is being invoked. For example:
u0061u006cu0065u0072u0074 (1)
This code calls alert (1); U indicates that this is an escape character, and the hexadecimal number following the u0061 is "a".
In addition, regular characters can be mixed or matched with escape characters, as shown in the following example:
U0061lert (1)
You can also include them in strings, and even evaluate them with eval. Unicode escapes are somewhat different from regular 16-or 8-bit escapes, because Unicode escapes can be contained in a string, or in a reference function, variable, or object.
The following example shows how to use a Unicode escape that is evaluated and divided into two parts.
eval (' u ' + ' 0061 ' + ' Lert (1) ')
By avoiding regular functions like named Alert, we can fool the XSS filter into our code. This example is used to circumvent phpids (an open source IDs system), which ultimately leads to more robust rules. If you need to decode JavaScript in order to analyze possible malicious code, you need to consider filtering as many encoding methods as possible. As you can see in this example, this is not an easy job.
JavaScript parser engine
JavaScript is a very dynamic language. Can execute a lot of code. The code doesn't seem to be performing at first glance, but once you understand how the parser works, you can gradually understand the logic behind it.
JavaScript does not know the result of a function until the function is executed, and it is clear that it must return the type of the variable by calling the function. This is interesting, for example: if the return function cannot return a valid value for a code block, a syntax error occurs after the function executes.
What do you mean by that? All right! The code is more persuasive than empty talk, look at the following example:
+alert (1)--
When the alert function executes, it returns an undefined amount, but it is already too late, and the syntax error appears immediately because the operand of the decrement operator should be a number.
Here are some examples that do not produce errors:
+alert (1) 1/alert (1) alert (1) >>>/abc/
You might think the above example has no meaning, but in fact they are a deep reflection of JavaScript's working process. Once you understand these details, JavaScript is a big thing that becomes clear and understanding how the code executes can help you understand how the parser works. I think this kind of example is tracking syntax errors, detecting DOM-based XSS
Useful when attacking and detecting XSS filters.
Throw,delete, what else is there?
You can do the deletion in unexpected ways, which produces some very odd syntax. Let's see what happens when you combine the throw, delete, not, and typeof operators.
Throwdelete~typeof~alert (1)
You may not think this code will work, but using the function call Delete is OK and can still be executed:
DeleteAlert (1)
Here are some more examples:
Delete~[a=alert]/deletea (1) delete[a=alert],deletea (1)
At first glance, you'll think that the code has syntax errors, but when you analyze it, you think there's a point. The parser first discovers a variable assignment within an array, and then deletes the array after performing an assignment operation. Similarly, the delete operation is after a function (note * [A=alert]) is invoked, because the delete operation needs to know the result of the function execution in order to delete the returned object, even if it returns NULL.
At the same time, the code can be used to block XSS filters because they often try to match valid syntax and do not want the code to be too obscure. When your application is validating data, you should consider such an example.
Declaring global objects
In a particular instance of masking XSS filters, the attack code is often hidden in a variable similar to the English text. Smart systems such as phpids can use syntax analysis to compare the judgment of access requests for malicious attacks, so this is a useful way to test these systems.
When you use only global objects or functions, you can produce blocks of code similar to English. In fact, on the Sla.ckers Security Forum, we can play a little game and produce English-like sentences in JavaScript form. To understand what this is all about, take a look at the following example:
Stop, open, Print && alert (1)
I made up my own name, called Javascriptlish, because it could produce some seemingly incredible code:
javascript:/is/^{A: ' Weird '}[' & Wonderful ']/' language ' the_fun: [' Never '] + stop[' s ']
We use the regular expression/is/to keep up with an operator ^, and then create an object {A: ' weird '} (with a property and assignment weird). In the object we just created, look for the ' & Wonderful ' attribute, which is then separated by a string of characters.
Next we use an identifier named The_fun and an array with never, and a global function named Stop checks s ... attributes, all of which are the correct syntax.
Getters/setters function
When Firefox adds custom syntax for setters, it masks some interesting xss injections that don't use parentheses. Opera does not support custom syntax---it's a good thing from a security standpoint, but it's bad news for JavaScript hackers. Opera, however, supports the standard definesetter syntax. This allows us to assign values to the purpose of calling the function, which is also useful for masking XSS filters.
Definesetter (' x ', alert); x=1;
If you don't know setters/getters, the example above is creating a set value function for global variable x. A set-valued function is invoked when a variable is set. The second parameter alert is a function call assignment. Thus, when X is assigned to 1 o'clock, the alert function is invoked and 1 is taken as an argument.
Location Allow URL encoding
The Location object allows the URL to be encoded in JavaScript. This allows you to further disguise XSS injection through double coding.
location= ' Javascript:%61%6c%65%72%74%28%31%29 '
Combining them with the escape character is a good way to hide strings.
Location= ' javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%
5c%75%30%30%37%32%5c%75%30%30 %37%34 (1) '
The first example is feasible, because opera's address bar can identify encoded address strings. By using URL encoding, you can hide JavaScript code. This is useful, especially when passing XSS attack code, and we can do a double URL code to further screen the filter.
The second example combines the technique of the first example with an escape character. So, when you decode a string, it causes the alert function to appear in this form:
u0061u006cu0065u0072u0074
The ASCII encoding of note * A is 0x61