Finally understand the difference between DOM XSS and reflection XSS
2022-06-29 01:08:00 【zkzq】
Author: lryfish
Original address: https://www.freebuf.com/articles/web/318982.html
Preface
The principle behind XSS vulnerabilities is actually very simple, and there are three types: reflected, stored and DOM-based.
But people who have only just started with XSS often do not understand what DOM-based XSS is and cannot tell it apart from reflected XSS; I have seldom run into it myself. This article is meant to give beginners a better understanding of XSS vulnerabilities, and writing it also consolidated my own understanding of XSS.
Comparison diagram of DOM-based and reflected XSS
Two simple pictures to help you compare the similarities and differences:


Reflected XSS analysis
First, a brief introduction to the most common type of XSS: reflected.
The pikachu range is used for a simple demonstration and analysis.
You can see that the data we entered is echoed back in the HTML page, which means we can try to close the surrounding tag and inject the code we want.

Inspect the page source. At this position the maxlength="20" attribute on the input limits the length of the data entered; just change it.

Insert the test code to check for the XSS vulnerability: a pop-up window appears.

Analyze the code
    $html = '';
    if (isset($_GET['submit'])) {
        if (empty($_GET['message'])) {
            $html .= "<p class='notice'>Input 'kobe' try -_-</p>";
        } else {
            if ($_GET['message'] == 'kobe') {
                // Only reached when message is exactly 'kobe', so this interpolation is harmless
                $html .= "<p class='notice'>May you and {$_GET['message']} equally, Forever young, Always blood boiling!</p><img src='{$PIKA_ROOT_DIR}assets/images/nbaplayer/kobe.png' />";
            } else {
                // Whatever was typed is interpolated into the HTML without any encoding: this is the reflection point
                $html .= "<p class='notice'>who is {$_GET['message']},i don't care!</p>";
            }
        }
    }
First, the message string is received by the back end through GET and appended to the $html variable.
    <div id="xssr_main">
        <p class="xssr_title">Which NBA player do you like?</p>
        <form method="get">
            <input class="xssr_in" type="text" maxlength="20" name="message" />
            <input class="xssr_submit" type="submit" name="submit" value="submit" />
        </form>
        <?php echo $html;?>
    </div>
That variable is then output into the front-end page, so the code we just entered is executed on the page: the final page source was changed by the server-side logic.
DOM-based XSS analysis
The biggest difference between DOM-based XSS and the other kinds of XSS is that it does not pass through the server at all; it is triggered purely by the page's own JavaScript during rendering.
Let's look at a typical example of DOM-based XSS. Copy the following sentence into Youdao Dictionary for translation and I believe you will quickly see what is meant:
This is a test about xss
Youdao online translation (https://fanyi.youdao.com/)

Now look at where this sentence sits in the HTML:

In this case the XSS payload is parsed purely on the front end without ever reaching the back end: it is a security vulnerability of the front end itself.
The pikachu range
We go back to the pikachu range to learn more about DOM-based XSS.
This is the front-end interface:

This is the source code; next we analyze it.
    <div id="xssd_main">
        <script>
            function domxss() {
                // Source: the value typed into the text box
                var str = document.getElementById("text").value;
                // Sink: the raw string is concatenated into markup and written with innerHTML
                document.getElementById("dom").innerHTML = "<a href='" + str + "'>what do you see?</a>";
            }
        </script>
        <input id="text" name="text" type="text" value="" />
        <input id="button" type="button" value="click me!" onclick="domxss()" />
        <div id="dom"></div>
    </div>
We assign a string to text through <input id="text" name="text" type="text" value="" />.
Then the JavaScript var str = document.getElementById("text").value; reads the value of text.
Then document.getElementById("dom").innerHTML = "<a href='" + str + "'>what do you see?</a>"; splices the text string into the href attribute of an a tag and writes that a tag into the dom element.
Finally, <div id="dom"></div> is where that markup is rendered.
When 123 is entered, the source shows this:

But when the input is #' onclick="alert('1_Ry')"> it shows this:

Keep clicking and experimenting, and at the same time capture traffic with Burp Suite: nothing is captured, because there is no interaction with the server at all. The final page source is changed purely by front-end JS rendering.
Exploit scenarios for DOM-based and reflected XSS
The two are exploited in the same way: a URL carrying our constructed payload is sent to the target user by e-mail or similar means. When the target user opens the link, the server receives the request from the target user and processes it,
then the server sends the data containing the XSS code to the target user's browser. Once the browser parses this malicious script, the XSS vulnerability is triggered, which is generally used to obtain the other party's cookie value.
XSS defense methods
Filter the input data, including illegal characters such as ', ", <, >, on*
Encode and convert the data output to the page, including HTML entity encoding, attribute encoding and encoding of URL request parameters
Set the HttpOnly attribute on the cookie
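To make both sinks concrete, here is an added JavaScript example (not code from the original article or from pikachu) that rebuilds the reflected PHP branch and the domxss() concatenation as plain string builders, puts an output-encoded version beside each, and uses a small attribute scanner to show that the article's #' onclick="alert('1_Ry')"> input becomes a second attribute in the unsafe build but stays inside href in the encoded one. The function names, the scanner and the URL-scheme check on href are assumptions added here, not part of the range.

```javascript
// Added example, not code from the original article or from pikachu: the two
// sinks rebuilt as string builders, each beside an encoded version, plus an
// attribute scanner showing which attributes a browser would end up with.

// HTML entity encoding for the characters that matter in a body or quoted
// attribute context (the output-encoding defence listed in the article).
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// href is a URL context: entity encoding alone does not neutralise a non-http
// scheme, so reject those (and protocol-relative URLs) before encoding.
function safeHref(s) {
  const scheme = /^\s*([a-z][a-z0-9+.-]*):/i.exec(s);
  if ((scheme && !/^https?$/i.test(scheme[1])) || /^\s*\/\//.test(s)) return '#';
  return encodeForHtml(s);
}

// Reflected sink, mirroring the PHP "who is {$_GET['message']}" branch.
const reflectUnsafe = (m) => "<p class='notice'>who is " + m + ",i don't care!</p>";
const reflectSafe = (m) => "<p class='notice'>who is " + encodeForHtml(m) + ",i don't care!</p>";

// DOM sink, mirroring domxss(): the input is spliced into the href attribute.
const domLinkUnsafe = (str) => "<a href='" + str + "'>what do you see?</a>";
const domLinkSafe = (str) => "<a href='" + safeHref(str) + "'>what do you see?</a>";

// Attribute names of the first tag, honouring quoted values: this is how the
// parser decides whether the input stayed inside href or escaped the quotes.
function attributeNames(markup) {
  const names = [];
  let i = markup.indexOf(' ') + 1;
  const skipWs = () => { while (/\s/.test(markup[i] || '')) i++; };
  while (i < markup.length && markup[i] !== '>') {
    skipWs();
    let name = '';
    while (i < markup.length && !/[\s=>]/.test(markup[i])) name += markup[i++];
    if (name) names.push(name.toLowerCase());
    skipWs();
    if (markup[i] !== '=') continue;
    i++;
    skipWs();
    const q = markup[i];
    const quoted = q === '"' || q === "'";
    const end = quoted ? markup.indexOf(q, i + 1) : markup.slice(i).search(/[\s>]/);
    if (end < 0) i = markup.length;
    else i = quoted ? end + 1 : i + end;
  }
  return names;
}
const hasEventHandler = (markup) => attributeNames(markup).some((n) => n.startsWith('on'));
```

Run attributeNames over domLinkUnsafe and domLinkSafe with the article's input to see the extra onclick attribute appear only in the unsafe markup.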

