XSS basic notes from practical guide to Web security attack and defense penetration test

XSS vulnerability introduction

Cross Site Scripting (XSS or Cross Site Scripting or Cross Site Scripting attack for short) is a security vulnerability attack technology for website applications and a kind of code injection. It allows malicious users to inject code into the web page, and other users will be affected when browsing the web page. After a malicious user successfully attacks with XSS code, it may have high permissions (such as performing some operations), private web page content, sessions, cookie s and other contents.
XSS attacks can be divided into three types: reflection type, storage type and DOM type.

XSS vulnerability principle

Reflective XSS

Reflective XSS, also known as non persistent XSS, is often a one-time attack.
Attack method: the attacker sends a malicious link containing XSS code to the target user through e-mail. When the target user accesses the link, the server receives and processes the request of the target user, and then the server sends the data with XSS code to the target user's browser. After the browser parses the malicious script with XSS code, it will trigger XSS vulnerability.

Storage XSS

Storage XSS is also called persistent XSS. The attack script will be permanently stored in the database or file of the target server, which has high concealment.
Attack method: this attack is more common in forums, blogs and message boards. In the process of posting, the attacker injects the malicious script and normal information into the content of the post. As posts are stored by the server, malicious scripts are permanently stored in the back-end memory of the server. When other users browse the post injected with malicious script, the malicious script will be executed in their browser.
For example, a malicious attacker adds the following code to the message board.
<script> alert (/hacker by hacker/) </script>
When other users visit the message board, they will see a pop-up window. It can be seen that the attack mode of storage XSS can permanently embed malicious code into a page, and all users accessing this page will become victims. If we can be cautious about unknown links, reflective XSS attack will not do much, while storage XSS is different. Because it is injected into some pages we trust, no matter how careful we are, it will inevitably be attacked.

DOM type XSS

The full name of DOM is Document Object Model. Using DOM can enable programs and scripts to dynamically access and update the content, structure and style of documents. DOM XSS is actually a special type of reflective XSS, which is a vulnerability based on DOM Document Object Model.
HTML tags are nodes, and these nodes constitute the overall structure of DOM, a node tree. Through HTML DOM, all nodes in the tree can be accessed through JavaScript. All HTML elements (nodes) can be modified, or nodes can be created or deleted. The HTML DOM tree structure is shown in the figure.

There are many elements in the website page. When the page reaches the browser, the browser will create a top-level Document object document object for the page, and then generate each sub Document object. Each page element corresponds to a Document object, and each Document object contains attributes, methods and events. You can edit the Document object through JS script to modify the elements of the page. In other words, the script program of the client can dynamically modify the page content through the DOM, obtain the data in the DOM from the client and execute it locally. Because DOM modifies nodes on the client side, the XSS vulnerability based on DOM does not need to interact with the server side. It only occurs in the stage of data processing on the client side.
Attack method: the user requests a specially designed URL, which is submitted by the attacker and contains XSS code. The server's response will not contain the attacker's script in any form. When the user's browser processes this response, the DOM object will process XSS code, resulting in XSS vulnerability.

Reflective XSS attack

In reflective XSS PHP code, GET the parameter xss_input_value, and then output an input tag through echo, and XSS_ input_ The value of value is placed in the value of the input tag. When accessing xss_input_value="> When, the HTML code output to the page becomes ">, this HTML code has two tags, tag and tag, and the function of the tag is to make the browser pop-up display" / xss / ". The code is as follows.

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
	<title>XSS Use the output environment to construct the code</title>
</head>
<body>
	<center>
	<h6>Output the string we entered to input Inside value Attribute inside</h6>
	<form action="" method="get">
		<h6>Please enter the string you want to display</h6>
		<input type="text" name="xss_input_value" value="input"><br />
		<input type="submit">
	</form>
	<hr>
	<?php
		if (isset($_GET['xss_input_value'])) {
			echo '<input type="text" value="'.$_GET['xss_input_value'].'">';
		}else{
			echo '<input type="text" value="output">';
		}
	?>
	</center>
</body>
</html>

page http://192.168.1.100/xss1/xss1.php The function is to input the content in the "input" form, click the "submit" button, and put the input content into the "output" form. For example, when "11" is input and the "submit" button is clicked, the "11" will be output to the "output" form, and the effect is shown in the figure.

When visiting http://192.168.1.100/xss1/xss1.php?xss_ When input value = "> < img SRC = 1 oneror = alert (/ XSS /) / >, the HTML code output to the page becomes < img SRC = 1 oneror = alert (/ XSS /) / >" >. You can see that the double quotation marks of the value attribute are closed by the input double quotation marks, and the > is closed by the < < of the input tag, resu lt ing in the input < img SRC = 1 oneror = alert (/ XSS /) / > becoming an HTML tag.
Next, when rendering the browser, execute < img SRC = 1 oneror = alert (/ xss /) / >. JS function alert() causes the browser to pop up and display "/ xss /", as shown in the following figure.

Storage XSS attack

In the PHP code of stored XSS, get the POST parameter title and parameter content, and then insert the parameters into the database table XSS. Then query the data in the table XSS through select query and display it on the page. The code is as follows.

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
	<title>Message Board</title>
</head>
<body>
	<center>
	<h6>Enter message content</h6>
	<form action="" method="post">
		title:<input type="text" name="title"><br />
		Content:<textarea name="content"></textarea><br />
		<input type="submit">
	</form>
	<hr>
	<?php

		$con=mysqli_connect("localhost","root","root","test");
		if (mysqli_connect_errno())
		{
			echo "connection failed: " . mysqli_connect_error();
		}
		if (isset($_POST['title'])) {
			$result1 = mysqli_query($con,"insert into xss(`title`, `content`) VALUES ('".$_POST['title']."','".$_POST['content']."')");
		}

		$result2 = mysqli_query($con,"select * from xss");

		echo "<table border='1'><tr><td>title</td><td>content</td></tr>";
		while($row = mysqli_fetch_array($result2))
		{
			echo "<tr><td>".$row['title'] . "</td><td>" . $row['content']."</td>";
		}
		echo "</table>";
	?>
	</center>
</body>
</html>

The function of the stored XSS page is to obtain the message information, title and content entered by the user, then insert the title and content into the database, and output the message information of the database to the page. When the user writes in the titleWhen, the data in the database is as follows.

When the title is output to the page, the page executes < img SRC = 1 oneror = alert (/ XSS /) / >, resulting in a pop-up window.

At this time, the xss here is persistent, that is, when anyone accesses the URL, a box displaying "/ xss /" will pop up.

DOM type XSS attack

The function of DOM XSS attack page is to enter information in the "input" box. When you click the "replace" button, the page will replace "the input content will be displayed here" with the input information. For example, when you enter "11", the page will replace "the input content will be displayed here" with "11".

<html>
<head>
	<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
	<title>Test</title>
	<script type="text/javascript">
		function tihuan(){
			document.getElementById("id1").innerHTML = document.getElementById("dom_input").value;
		}
	</script>
</head>
<body>
	<center>
	<h6 id="id1">The input will be displayed here</h6>
	<form action="" method="post">
		<input type="text" id="dom_input" value="input"><br />
		<input type="button" value="replace" onclick="tihuan()">
	</form>
	<hr>
	
	</center>
</body>
</html>

When you click the replace button, the tihuan () function of JavaScript will be executed. The tihuan () function is a DOM operation. Get the node with ID id1 through document getElementByld, and then modify the content of node id1 to dom_ The value in input, that is, the value entered by the user. When inputWhen you click Replace, a message box pops up on the page, but because it is implicitly output, you can't see the output XSS code when viewing the source code.

Posted by updwebmaster on Mon, 16 May 2022 13:09:23 +0300