XSS and CSRF Intrusion Methods Summary: GET and POST Inside the Site, GET and POST Outside the Site

Source: Internet
Author: User
Generally, after an XSS vulnerability is discovered, the following operations are performed.

1. Use $_REQUEST or $_GET for forged requests

First, find out whether the source code of the target program can be found on the Internet. If it can, analyze the background page that changes the administrator's password or adds an administrator, and check whether that page receives its parameters through $_REQUEST. If it does, the XSS vulnerability can be used to construct a request: for example, embed an IMG element in the HTML code. When the administrator logs on to the management background and views a page containing that IMG, a request to add a background administrator is forged. Because the request is sent by the administrator's browser, a new administrator is added successfully.

For a visual text editor, try entering the following as the image address:

    http://www.123.com/xxx.jpg" onLoad="window.open('/admin/admin_add.asp?name=xxx&psd=yyy')

The following code is then constructed. In short, we need to draw a line between the two.

2. Use $_POST for forged requests

This method is used when the background receives the variables for adding an administrator or changing the management password through $_POST; in that case the first method does not work, depending on the situation. If <SCRIPT> is not filtered, Ajax can be used to forge the request, for example:

    <SC/* XSS */RIPT>
    // IE-only XMLHTTP object (the article targets IE-kernel browsers)
    var aj = new ActiveXObject("Msxml2.XMLHTTP.3.0");
    // synchronous POST to the add-administrator page; the browser attaches
    // the logged-on administrator's session cookies automatically
    aj.open("POST", "/admin/admin_add.asp", false);
    var postdata = 'name=xxx&psd=yyy';
    aj.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    aj.send(postdata);
    </SCR/* XSS */IPT>

Here /* XSS */ is a comment inserted to bypass simple filtering of script code blocks.

3. Use $_GET or $_REQUEST for cross-site forged requests

This is similar to the first method, but the first method exploits the XSS vulnerability inside the site, whereas cross-site forgery is initiated from outside the site. For example, I place such an image on the homepage of my blog, then post on dvbbs and "lure" the administrator of the Dvbbs (mobile network) forum to my blog. If that administrator has logged on to his management background and visits my blog with a browser that shares the session process (currently MyIE, Maxthon, and the IE-kernel-based Firefox are all shared-process browsers), a user is added to his background.

4. Use $_POST for cross-site forged requests (0day)

If the management background of the target uses $_POST to accept variables, we cannot submit the data cross-site with an Ajax POST from our own website, because Ajax cannot cross origins. However, we can place a form on our website with the data filled in and the form action set to the vulnerable page; when someone opens the page, JavaScript submits the form. Although Ajax cannot cross origins, a form can always be submitted to an address outside the domain.

In short, methods 3 and 4 have lower chances of success, because we need a way to make an administrator who is logged on to the background open our forged-request page with the browser that shares the session, which takes a little social-engineering skill.
