Learn about XSS Attack

Source: Internet
Author: User
Keywords: xss attack, xss attack definition, xss attack prevention
1. The origin of XSS attack
I remember reading an article that described XSS this way: "If the browser is regarded as the operating system of the post-Web 2.0 era, then the client-side script is equivalent to the traditional application program, and the XSS attack mode is actually equivalent to executing a Trojan horse program on the attacker's system. But this kind of 'Trojan horse' has a great disadvantage: it cannot settle down in the operating system like a traditional Trojan horse and be executed automatically in the future."
This may be the best interpretation of XSS, but what exactly is XSS? Let's lift its mysterious veil.
XSS, also written CSS (Cross Site Script), is the cross-site scripting attack. It refers to a malicious attacker inserting malicious HTML code into a web page; when a user browses the page, the HTML code embedded in it is executed, which achieves the attacker's particular purpose against that user.
Why does XSS arise? There is not much to say: either the filtering is not strict, or the programmer thinks XSS has no practical use and therefore ignores it. For example, if the input of a search box is not filtered at all, we submit the following statement:
<script>alert('test')</script>
What is the result? As we all know, a dialog box pops up on the page.
I remember that when I first became interested in hacking, yes, XSS was just entertainment.
2. Types of XSS
There are three types of XSS:
First: reflective XSS
In this type, the cross-site code is generally carried in a link. When a user accesses such a link, the cross-site code is executed; this kind of cross-site code is not stored on the server.
Second: stored XSS
This kind of XSS is more convenient to exploit: the cross-site code is stored in the database on the server, so it can be used for persistent attacks. It is also known as persistent XSS.
Third: DOM-based XSS
This is a security problem caused by incorrect handling in the client-side script itself.
3. Attack principle of reflective XSS
Reflective XSS is the most common and most widely used type. When the URL is opened, the malicious code carried in a specific parameter is parsed and executed as HTML. It is non-persistent by nature: it can only be triggered by the user clicking a link that carries the specific parameters.
Since this cross-site attack needs the user to click to trigger it, it tests your skill at deception. The forum XSS attack some time ago was exactly this: a reflective XSS triggered by transferring money and then having the page viewed by the attacker.
Another example is:
http://searchb.dangdang.com/?key=f',true,1);alert(1);//
This is a typical reflective XSS: users must be induced to click the link, and the XSS code is not stored on the server, so the attack does not persist.
Common test method:
Treat everything as input. In particular, the entire HTTP request is input (GET and POST parameters, cookies, the URL, HTTP headers such as the referrer, and so on), and data read from the database is input too.
1) Construct a unique string of your own, for example: myxsstestxxx
2) Replace one input (such as a parameter) with the string above
3) Check whether the string appears in the HTTP response and record where it does
4) Depending on the HTML context it appears in, decide which kind of string to try, build the test string, and re-submit the request
5) If the test string comes back intact, the vulnerability exists. The key is step 4, because the server may impose restrictions such as encoding or a length limit; during the test we need to find out whether those limitations can be bypassed.
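As an added example that is not part of the original article, the following JavaScript performs the response-side check of steps 3 and 4 above: given a captured response body and the unique marker that was submitted (followed by the probe characters `< > " '`), it reports every place the marker is reflected, the HTML context it landed in, and whether the probe characters came back raw, which means output encoding is missing for that context. The marker name, the probe set and both response bodies are constructed for the demonstration.

```javascript
// Added example, not from the original article: a response-side check for
// steps 3 and 4. All response bodies below are constructed sample data.

const MARKER = "myxsstestxxx";     // the unique string from step 1
const PROBE = "<>\"'";             // characters appended to the marker in step 4

// Classify the HTML context at offset `pos`: inside a <script> block,
// inside a tag (attribute value), or ordinary text.
function htmlContext(html, pos) {
  const before = html.slice(0, pos).toLowerCase();
  if (before.lastIndexOf("<script") > before.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "attribute";
  return "text";
}

// Return one record per reflection: {offset, context, rawSpecials}.
// rawSpecials is true when the probe characters directly follow the marker
// unchanged, i.e. the server did not encode them for the output context.
function checkReflection(html, marker) {
  const results = [];
  let idx = html.indexOf(marker);
  while (idx !== -1) {
    const end = idx + marker.length;
    results.push({
      offset: idx,
      context: htmlContext(html, idx),
      rawSpecials: html.startsWith(PROBE, end),
    });
    idx = html.indexOf(marker, end);
  }
  return results;
}

// True if any reflection carries the probe characters unencoded.
function reflectsUnencoded(html, marker) {
  return checkReflection(html, marker).some((r) => r.rawSpecials);
}

// Constructed response 1: the search term is HTML-encoded on output.
const SAFE_RESPONSE =
  '<html><body><input name="key" value="myxsstestxxx&lt;&gt;&quot;&#39;">' +
  "<p>Results for myxsstestxxx&lt;&gt;&quot;&#39;</p></body></html>";

// Constructed response 2: the search term is echoed raw, both into an
// attribute value and into a script block.
const UNSAFE_RESPONSE =
  "<html><body><input name=\"key\" value=\"myxsstestxxx<>\"'\">" +
  "<script>var key = \"myxsstestxxx<>\"'\";</script></body></html>";

console.log(checkReflection(SAFE_RESPONSE, MARKER));
console.log(reflectsUnencoded(UNSAFE_RESPONSE, MARKER)); // true
```

The context classifier is deliberately simple (it only looks at the last unclosed `<script` or `<`), which is enough to tell a developer which encoder the response should have applied: HTML entity encoding in text, attribute encoding inside a quoted attribute, and JavaScript string encoding inside a script block. A reflection whose `rawSpecials` is true is the case step 5 describes.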
4. Attack principle of storage XSS
Stored XSS means that the attack script is stored in a database or file, and the server side (possibly another application or another page) displays it after reading the stored content. In this case the user may open a perfectly normal page and still be hit by the injected script.
The principle is also very simple:
XSS code is submitted to the website -> the website stores the XSS code in the database -> when the page is requested again, the server sends the data with the embedded XSS code to the client -> the client executes the XSS code
The most common example is inserting XSS code into a message board, provided of course that the message content is not filtered well.
I add the following to the message content: <script>alert('test')</script>
This pops up a dialog box. Of course, wherever you can add content, you can try XSS. For example, QQ Space has a custom module where you can select a picture and then add the following code:
javascript:alert('XSS')"
Of course, the premise for this to be executed is that the server-side code is written like this (rendered as PHP; the page's original was pseudocode):
$a = $_GET['a'];          // request parameter used without any check
echo "<img src=$a>";      // unquoted attribute built straight from the input
There are many ways to exploit this, such as the emerging XSS platforms: create a new project there and you can do a lot of things.
5. XSS BASED DOM
A DOM-based XSS vulnerability is one based on the Document Object Model (DOM). The DOM is an interface independent of platform and programming language; it allows programs or scripts to dynamically access and update the content, structure and style of documents, and the processed result can become part of the displayed page. The DOM contains many objects, some of which can be manipulated by users, such as the URI, location, Referer and so on. Client-side script can dynamically inspect and modify the page content through the DOM. It does not rely on submitting data to the server; it takes the data from the DOM on the client and executes it locally. If the data in the DOM is not strictly validated, there is a DOM-based XSS vulnerability.
A DOM-based XSS attack originates from DOM properties and methods, into which the XSS script is inserted. A typical example follows.
For the HTTP request http://www.xss.com/hello.html?name=test, the following script is used to print the name of the logged-in user, test:
<script>
// Take everything after "name=" in the current URL...
var pos = document.URL.indexOf("name=") + 5;
// ...and write it into the page as raw HTML (this is the vulnerable step)
document.write(document.URL.substring(pos, document.URL.length));
</script>
If hello.html is requested as http://www.xss.com/hello.html?name=<script>alert('test')</script>, this leads to an XSS attack.
When the user clicks this link, the server returns the static HTML text containing the script above. The user's browser parses the HTML text into a DOM; the value of the URL property of the document object in the DOM is the URL of the current page. When the script runs, part of the URL property value is written into the HTML text, but that part is itself a JavaScript script, so <script>alert('test')</script> becomes part of the HTML text finally displayed on the page. This is a DOM-based XSS attack.
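As an added example that is not part of the original article, here is how the hello.html script above can be written so that the name parameter is treated as data rather than HTML: the value is taken from the query string with URLSearchParams instead of a raw substring, and it is written with textContent, which creates a text node and never parses markup. The host www.xss.com is the page's own placeholder; the element object and the URLs in the usage lines are constructed.

```javascript
// Added example, not from the original article: a hardened replacement for
// the vulnerable hello.html script. Runs in the browser or in Node (URL is
// a global in both).

// Extract the `name` parameter; returns "" when absent. URLSearchParams
// also percent-decodes the value, so the decoded string is plain data.
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") || "";
}

// Write the greeting into a container as text. `el` is any object with a
// textContent property: a real DOM element in the browser, a plain object
// in this stand-alone run. Assigning textContent never interprets tags.
function renderName(el, name) {
  el.textContent = "Hello, " + name;
  return el.textContent;
}

// The original logic, kept only for comparison: it returns everything after
// "name=", including any later parameters, and does not decode the value.
function vulnerableFragment(url) {
  var pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Constructed usage: the benign request and the hostile one from the text.
const container = { textContent: "" };   // stands in for a DOM element
console.log(renderName(container, nameFromUrl("http://www.xss.com/hello.html?name=test")));
console.log(renderName(container,
  nameFromUrl("http://www.xss.com/hello.html?name=%3Cscript%3Ealert('test')%3C/script%3E")));
```

In a browser, `renderName(document.getElementById("greeting"), nameFromUrl(document.URL))` shows the literal text `<script>alert('test')</script>` on the page instead of executing it; the sink, not the source, is what changed. Note also that `vulnerableFragment` returns `test&x=1` for `?name=test&x=1`, while `nameFromUrl` returns just `test`.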
6. Preventive measures for XSS
The principles of the various XSS types and the simplest ways to exploit them have been described briefly above. Some advanced XSS techniques are not covered here; it is better to teach people to fish than to give them fish, so the rest is up to you to figure out. Let's briefly talk about XSS prevention.
Why is XSS so common now? We should all know: there is no strict filtering of input, and no checking, escaping or replacement when outputting.
Therefore, the prevention method is to trust no user input, strictly check and filter every user's input, and escape or replace special characters when outputting.
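As an added example that is not part of the original article, the following JavaScript applies the prevention rule above to the two stored-XSS cases from section 4: the message board that echoes stored messages, and the <img src=$a> page that builds an attribute from a request parameter. Each case is shown once without and once with output handling. The escape function, the rendering functions, the stored messages and the image URLs are all constructed for this demonstration; no web framework is involved, the functions just build the HTML fragment a handler would send.

```javascript
// Added example, not from the original article: output encoding for the
// message-board and <img src=$a> cases. All inputs are constructed.

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: each stored message body is concatenated into the page as-is,
// so a stored <script>alert('test')</script> runs for every reader.
function renderMessagesVulnerable(messages) {
  return "<ul>" + messages.map((m) => "<li>" + m + "</li>").join("") + "</ul>";
}

// Hardened: every message is encoded for the HTML text context at output
// time. The database content is unchanged; only the rendering differs.
function renderMessagesSafe(messages) {
  return "<ul>" + messages.map((m) => "<li>" + escapeHtml(m) + "</li>").join("") + "</ul>";
}

// The <img src=$a> case. Escaping alone is not enough here, because
// javascript:alert('XSS') contains no special characters yet still runs
// as a URL. Only absolute http(s) URLs are accepted, and the value is
// attribute-encoded and quoted. Anything else renders nothing.
function renderImageSafe(src) {
  let url;
  try {
    url = new URL(src);                 // throws on relative or malformed input
  } catch (e) {
    return "";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "";
  return '<img src="' + escapeHtml(url.href) + '">';
}

// Constructed stored messages; the second one is the hostile message from
// the text.
const STORED_MESSAGES = ["hello board", "<script>alert('test')</script>"];

console.log(renderMessagesVulnerable(STORED_MESSAGES));
console.log(renderMessagesSafe(STORED_MESSAGES));
console.log(renderImageSafe("javascript:alert('XSS')"));      // ""
console.log(renderImageSafe("http://www.xss.com/a.png"));     // <img src="http://www.xss.com/a.png">
```

Two design points are worth noting. First, escaping is done at output, keyed to the HTML context, rather than by "filtering" on input: the same stored message would need a different encoder if it were later placed inside a script block or an attribute. Second, a URL-valued attribute needs a scheme allowlist in addition to encoding; if relative image paths must be allowed, resolve them against the site's own base with `new URL(src, base)` before checking the protocol.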
