XSS (Cross-Site Scripting): an attack in which the attacker tampers with a web page through "HTML injection" and inserts a malicious script, so that the user's browser is controlled when the user views the page.

1. XSS is divided into three categories by its effect:
1) Reflected XSS (non-persistent XSS): the user's input is simply "reflected" back to the browser. The attacker usually has to induce the user to click a malicious link for the attack to succeed.
2) Stored XSS (persistent XSS): the data entered by the user is stored on the server side, so this type is highly stable.
3) DOM-based XSS: XSS formed by modifying the page's DOM.

2. XSS attacks. XSS payload: the malicious script that carries out a specific function.
1) Most common: "cookie hijacking", an attack started by reading the browser's cookie object (document.cookie).
2) Manipulating the user's browser by simulating GET/POST requests.
3) XSS phishing, e.g. a fake login box that collects the username and password.
4) Identifying the user's browser (navigator.userAgent).
5) Identifying software installed by the user, e.g. in IE, whether a program is installed can be inferred by checking whether the classid of its ActiveX control exists:

    try {
        // the ProgID of a browser helper object shipped with a well-known download manager
        var obj = new ActiveXObject("XunleiBHO.ThunderIEHelper");
    } catch (e) {
        // exception: the control does not exist, so the software is not installed
    }

6) Obtaining the user's real IP address, e.g. the XSS attack framework "Attack API" has an API that obtains the local IP address.

3. XSS attack platforms: Attack API, BeEF, XSS-Proxy.
4. XSS worms: the Samy worm.
5. Debugging JavaScript: Firebug, Fiddler, HttpWatch.

6. XSS construction tips
1) Using character encoding.
2) Bypassing length limits, e.g. loading the XSS payload through an onclick event, or through location.hash (the anchor part of the URL, starting with "#"; a readable and writable string that identifies a position in the page);
using comments.
3) Using the <base> tag: <base> defines the base address for all tags on the page that use a relative path. It can be placed anywhere on the page and applies to all tags after it, e.g.:

    <base href="http://www.baidu.com/" />
    <script src="x.js"></script>

4) window.name: sets or returns a string holding the name of the window. Data can be passed through it across domains and across pages.

7. XSS defence
1) HttpOnly: the browser prevents JavaScript on the page from accessing cookies that carry the HttpOnly attribute, which prevents cookie hijacking.
2) Input check: the server side filters special and sensitive characters.
3) Output check: use encoding or escaping, e.g. HtmlEncode / JavascriptEncode; use strict URL encoding for the protocol and host parts.
4) Processing rich text: filter the rich text; events should be strictly forbidden; use a whitelist to prohibit dangerous tags and keep only the safer ones; filter attributes and events with a whitelist; minimise user-definable CSS/style.
5) Defending against DOM-based XSS: when "$var" is output into <script>, perform JavascriptEncode; when document.write outputs to the HTML page, it depends on the situation: output into a method or script needs JavascriptEncode, output into an HTML page or attribute needs HtmlEncode.
Output from JavaScript to HTML (sinks): document.write(); document.writeln(); xxx.innerHTML; xxx.outerHTML; innerHTML.replace; document.attachEvent(); window.attachEvent(); document.location.replace(); document.location.assign().
Input to JavaScript (where the data can come from): all input boxes on the page; window.location (href, hash, etc.); window.name; document.referrer (returns the URL of the document that loaded the current document); document.cookie; localStorage; data returned by XMLHttpRequest.
White Hat Talks Web Security, Chapter III: Cross-Site Scripting (XSS)