Preface
In the previous chapters (Web Security Series I: XSS Attack Basics and Principles) and (Web Security Series II: XSS Attack Progression (Preliminary XSS Payload)), I explained in detail how XSS arises and how XSS attacks are classified, and wrote a small demo to show the harm an XSS payload can do.
XSS vulnerabilities are currently divided into three main types: reflected, stored and DOM-based. In this article I take the permeate penetration-testing practice system as an example, analyse the site's functions, walk through the attacker's line of thought, and help readers quickly identify where a website may be vulnerable.
Reflected XSS mining
Here I do manual XSS vulnerability mining. Before mining, I first browse the function points of the website. The permeate interface is shown below (screenshot):
Thought analysis
We know that reflected XSS is mostly delivered through a URL, so I need to think about where URL parameters are echoed back into the page. I believe the first thing that comes to most readers' minds is the search box: especially in the site search of large websites, the search keyword is displayed on the results page. For example, a search engine:
(screenshot: searching for "XSS Payload", the keyword is echoed on the results page)
When we click the search button on permeate, the URL changes to http://localhost:8888/home/search.php?keywords= followed by the search term, so the keywords parameter is the first candidate.
The operation process
We try it:
1. Enter the payload as the search content.
2. Click Search.
Google Chrome blocks the request and the payload is not triggered. This is the XSS Auditor, a feature of Chrome's rendering engine that detects and blocks reflected XSS (the payload appears in both the request and the response). So do not test reflected XSS with this version of Chrome; Firefox has never had such a filter, so let's continue testing with Firefox. (Note that Chrome removed the XSS Auditor in version 78, so current Chrome behaves like Firefox here; the filter was never a defence an application could rely on.)
And sure enough, in Firefox it triggers our payload.
Results analysis
The payload fires, so we have found a reflected XSS vulnerability. Of course, this one is very basic: most websites encode this output, and browser-side filters of the time blocked the simplest cases, so such textbook reflections are increasingly rare. The fix is the same in every case: HTML-encode the parameter at the point where it is written into the page, rather than relying on the browser. Next I will test for the more common stored XSS and show how to get around a filter.
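To make the reflected case concrete, here is an added Python model of the search page. It is not permeate's code or code from the original post: the search.php path and the console.log(232) payload come from the article, while the function names, the page template and the probe helper are my own constructions. It shows the unencoded echo beside the output-encoded one (the PHP equivalent of the fix is htmlspecialchars($kw, ENT_QUOTES, 'UTF-8')), and the check a tester does by hand when reading the response: did the payload come back raw, entity-encoded, or not at all?

```python
"""Added example: a reflected-XSS search page modelled in Python (not permeate's
code). Vulnerable echo beside the output-encoded echo, plus the manual
reflection check, wrapped in a small offline probe loop."""
import html
from typing import Callable, Dict, List
from urllib.parse import parse_qs, quote, urlsplit

# Payload taken from the request captured later in the article.
PAYLOAD = "<script>console.log(232)</script>"
SEARCH_URL = "http://localhost:8888/home/search.php"  # path from the article


def _keyword(url: str) -> str:
    """Extract the ?keywords= value the way PHP's $_GET['keywords'] would."""
    return parse_qs(urlsplit(url).query).get("keywords", [""])[0]


def render_search_vulnerable(url: str) -> str:
    """Echo the search term into the HTML body unchanged: the bug found above."""
    return f"<p>Search results for: {_keyword(url)}</p>"


def render_search_hardened(url: str) -> str:
    """Same page, but the term is entity-encoded on output
    (PHP: htmlspecialchars($kw, ENT_QUOTES, 'UTF-8'))."""
    return f"<p>Search results for: {html.escape(_keyword(url), quote=True)}</p>"


def reflection_state(body: str, payload: str) -> str:
    """How did the payload come back? 'raw' means the browser would execute it,
    'escaped' means it was entity-encoded, 'absent' means it was not echoed."""
    if payload in body:
        return "raw"
    if (html.escape(payload, quote=True) in body
            or html.escape(payload, quote=False) in body):
        return "escaped"
    return "absent"


def probe_reflection(fetch: Callable[[str], str], base_url: str,
                     param: str, payloads: List[str]) -> Dict[str, str]:
    """Send each payload through `param` and classify the echo.
    `fetch` is any url -> body function: offline we pass a renderer above;
    against a live target it would be e.g. lambda u: requests.get(u).text."""
    results: Dict[str, str] = {}
    for p in payloads:
        url = f"{base_url}?{param}={quote(p, safe='')}"
        results[p] = reflection_state(fetch(url), p)
    return results


if __name__ == "__main__":
    probes = [PAYLOAD, '"><img src=x onerror=console.log(1)>']
    print("vulnerable:", probe_reflection(render_search_vulnerable, SEARCH_URL, "keywords", probes))
    print("hardened:  ", probe_reflection(render_search_hardened, SEARCH_URL, "keywords", probes))
```

Two practical caveats: reflection_state only tells you how the string came back, not whether it is exploitable in its context (a value landing inside a JavaScript string or an unquoted attribute needs different encoding than the HTML body), and a "raw" result from a payload with no special characters means nothing, so always probe with characters the encoder must touch.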
Stored XSS mining
Thought analysis
The attack code of stored XSS is persisted on the server side, so we need to find the functions that write data to the back end of the website. Having looked around, we find that permeate has posting and replying, which is the channel between the Web front end and the back end: all post content is stored on the server. With that, we can enter a board and post:
Enter the posting interface (screenshot):
Detecting the vulnerability
Payload: 123<script>console.log(232)</script>, entered as both the title and the body of the post.
We publish it:
(screenshot: the post list, with the payload shown in the titles)
If we open the post, we find the following:
The payload in the body of the article is clearly not executed.
Packet capture
The payload works in the title but not in the body. Let's open the browser console and go to the Network tab.
We can see that the corresponding content was escaped before it was sent. There are two kinds of escaping, front-end escaping and back-end escaping. If it is back-end escaping, there is usually little more to test, because we cannot see the server's code and can only fuzz the encoder from outside. Here, though, the escaping is visible in the request body, which means it was done in the browser.
So how do we proceed?
Copy the request as a curl command (in the Network tab, right-click the request, Copy, Copy as cURL):
curl 'http://localhost:8888/home/_fatie.php?bk=5&zt=0' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Origin: http://localhost:8888' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' \
  -H 'Referer: http://localhost:8888/home/fatie.php?bk=5' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Accept-Language: zh-CN,zh;q=0.9,en;q=0.8' \
  -H 'Cookie: PHPSESSID=7690435026da386df8a80e63f3da2089' \
  --data 'csrf_token=9191&bk=5&title=123%3Cscript%3Econsole.log%28232%29%3C%2Fscript%3E&content=%3Cp%3E123%26lt%3Bscript%26gt%3Bconsole.log%28232%29%26lt%3B%2Fscript%26gt%3B%3C%2Fp%3E' \
  --compressed
Find the title and content parameters in --data. The title is sent raw (%3Cscript%3E is a URL-encoded <script>), while the editor has entity-encoded the body (%26lt%3B is a URL-encoded &lt;). Replace the value of content with the value of title:
curl 'http://localhost:8888/home/_fatie.php?bk=5&zt=0' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Origin: http://localhost:8888' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' \
  -H 'Referer: http://localhost:8888/home/fatie.php?bk=5' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Accept-Language: zh-CN,zh;q=0.9,en;q=0.8' \
  -H 'Cookie: PHPSESSID=7690435026da386df8a80e63f3da2089' \
  --data 'csrf_token=9191&bk=5&title=123%3Cscript%3Econsole.log%28232%29%3C%2Fscript%3E&content=123%3Cscript%3Econsole.log%28232%29%3C%2Fscript%3E' \
  --compressed
After the replacement, paste the command into a terminal and run it (the PHPSESSID cookie and csrf_token must be the ones from your own live session, otherwise the server will reject the post):
Check the board page:
The payload now executes twice, once from the title and once from the body: the body content has been injected.
Results analysis
This shows that the escaping was done only on the front end: by replaying the request directly we bypassed the editor and wrote our content to the server unchanged. Anything the browser does before sending a request can be skipped by the attacker, so escaping must be done on the back end, at the point where user data is written into the page.
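The following added Python model replays this whole flow offline; it is not permeate's code or code from the original post. The field names, csrf_token=9191 and bk=5 are taken from the captured request above; ForumServer, editor_escape and the two submit helpers are constructed for the example. It shows the browser path (editor encodes the body) and the replayed curl path (nothing encoded) landing on a server that stores and renders verbatim, and then the same replay against a server that encodes on output.

```python
"""Added example (not permeate's code): the posting flow modelled in Python.
The editor escapes the body in the browser, the server stores what arrives
and renders it verbatim, so a replayed request that skips the editor lands
raw. Only server-side output encoding closes the hole."""
import html
from typing import Dict, List
from urllib.parse import parse_qs, urlencode

PAYLOAD = "123<script>console.log(232)</script>"  # title/body used above


def editor_escape(text: str) -> str:
    """Client-side step: the rich-text editor wraps the body in <p> and
    entity-encodes it. This is what produced %26lt%3Bscript%26gt%3B in the capture."""
    return f"<p>{html.escape(text, quote=False)}</p>"


def browser_submit(title: str, content: str) -> str:
    """Form body the browser sends: title untouched, content via the editor."""
    return urlencode({"csrf_token": "9191", "bk": "5",
                      "title": title, "content": editor_escape(content)})


def direct_submit(title: str, content: str) -> str:
    """Form body of a replayed curl request: both fields exactly as typed."""
    return urlencode({"csrf_token": "9191", "bk": "5",
                      "title": title, "content": content})


class ForumServer:
    """Stores posts exactly as received; encodes on output only if told to."""

    def __init__(self, escape_on_output: bool) -> None:
        self.escape_on_output = escape_on_output
        self.posts: List[Dict[str, str]] = []

    def handle_post(self, body: str) -> int:
        """Parse the form body and store the post; returns its index."""
        fields = parse_qs(body, keep_blank_values=True)
        self.posts.append({"title": fields["title"][0],
                           "content": fields["content"][0]})
        return len(self.posts) - 1

    def render_post(self, index: int) -> str:
        """Build the post page; the hardened variant encodes at this point."""
        post = self.posts[index]
        if self.escape_on_output:
            enc = lambda s: html.escape(s, quote=True)  # noqa: E731
        else:
            enc = lambda s: s  # noqa: E731  (permeate's behaviour above)
        return f"<h1>{enc(post['title'])}</h1><div>{enc(post['content'])}</div>"


def live_script_tags(page: str) -> int:
    """Number of raw <script> tags a browser would execute in the rendered page."""
    return page.lower().count("<script>")


if __name__ == "__main__":
    vulnerable = ForumServer(escape_on_output=False)
    via_browser = vulnerable.handle_post(browser_submit(PAYLOAD, PAYLOAD))
    via_curl = vulnerable.handle_post(direct_submit(PAYLOAD, PAYLOAD))
    print("browser form  -> executes", live_script_tags(vulnerable.render_post(via_browser)), "time(s)")
    print("replayed curl -> executes", live_script_tags(vulnerable.render_post(via_curl)), "time(s)")

    hardened = ForumServer(escape_on_output=True)
    idx = hardened.handle_post(direct_submit(PAYLOAD, PAYLOAD))
    print("hardened server -> executes", live_script_tags(hardened.render_post(idx)), "time(s)")
```

Design note: the hardened server stores the raw text and encodes when rendering. If it also kept the editor's client-side encoding, a browser-submitted body would render as a literal &lt;script&gt; (double encoding), which is the visible symptom that the front-end step was never a security control. The replay here is the attacker posting under their own session, not CSRF: the csrf_token still has to be valid, it just does not protect against the poster sending whatever they like.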
Conclusion
Mining vulnerabilities is a complex process. Manual mining is reliable but inefficient, and sometimes it comes down to luck. There are now many automated XSS detection tools and platforms that greatly improve the efficiency of finding vulnerabilities; in later chapters I will introduce some of these tools and how to defend against XSS.
Finally, forgive me for promoting the component library I wrote based on the Taro framework: MP-Colorui.
I will be very happy if you can give it a star. Thank you.