Preface

The principle behind XSS vulnerabilities is actually very simple, and they come in three types: reflected, stored and DOM-based. However, when I first came into contact with XSS I did not understand what DOM-based XSS was at all, could not tell reflected XSS from DOM-based XSS, and rarely ran into either. This article is meant to help newcomers understand XSS vulnerabilities better, and writing it also consolidates my own understanding of XSS. If anything here is incorrect, please correct me.

Comparison of DOM-based and reflected XSS

Two simple diagrams to help you compare the differences

Reflected XSS analysis

First, a brief introduction to the most common type of XSS: reflected XSS.

Here is a simple demonstration and analysis using the Pikachu range.

You can see that the data we entered is echoed back in the HTML page, which means we can try to close the surrounding tag and inject the code we want.

Looking at the page source, the input lands in this position (the maxlength of 20 limits the length of the input data; just change it).

Insert this code to test for the XSS vulnerability: a pop-up appears.

Analyze the code

```php
$html = '';
if (isset($_GET['submit'])) {
    if (empty($_GET['message'])) {
        $html .= "<p class='notice'>try input 'kobe' -_-</p>";
    } else {
        if ($_GET['message'] == 'kobe') {
            $html .= "<p class='notice'>wishing you and {$_GET['message']}, forever young, forever have a boiling passion!</p><img src='{$PIKA_ROOT_DIR}assets/images/nbaplayer/kobe.png' />";
        } else {
            $html .= "<p class='notice'>who is {$_GET['message']},i don't care!</p>";
        }
    }
}
```

The message parameter is first received by the back end via GET and then appended to the $html variable.

```html
<div id="xssr_main">
    <p class="xssr_title">Which NBA player do you like?</p>
    <form method="get">
        <input class="xssr_in" type="text" maxlength="20" name="message" />
        <input class="xssr_submit" type="submit" name="submit" value="submit" />
    </form>
    <?php echo $html; ?>
</div>
```

This variable is then output to the front-end page, and the code we just entered is executed in the page: the final page code is changed by server-side logic.


DOM-based XSS analysis

The biggest difference between DOM-based XSS and the other XSS types is that the payload does not pass through the server at all; it is triggered purely by the JavaScript rendering of the web page itself.

Let's look at a typical DOM XSS example: paste the following sentence into Youdao Dictionary for translation, and I believe you will quickly understand.

This is a test about xss

Look at where this sentence ends up in the HTML.

In this example the XSS payload is simply parsed by the front end without ever reaching the back end, which makes it a security vulnerability of the front end itself.

Pikachu range

Next, we use the Pikachu range to understand DOM XSS in depth.

This is the front end

This is the source code; let's analyze it.

```html
<div id="xssd_main">
    <script>
        function domxss(){
            var str = document.getElementById("text").value;
            document.getElementById("dom").innerHTML = "<a href='"+str+"'>what do you see?</a>";
        }
    </script>
    <input id="text" name="text" type="text" value="" />
    <input id="button" type="button" value="click me!" onclick="domxss()" />
    <div id="dom"></div>
</div>
```
  1. We assign a string to text through the input box (the input element with id="text").
  2. var str = document.getElementById("text").value; reads the value of that input.
  3. Then document.getElementById("dom").innerHTML = "<a href='"+str+"'>what do you see?</a>"; splices the string into the href of an <a> tag and writes that tag into the element with id="dom".
  4. Finally, <div id="dom"></div> is where the injected <a> tag is rendered.

This is what the rendered source looks like when you type 123.

But when you type: #'onclick="alert('1_Ry')"

You cannot catch anything with BurpSuite, because there is no interaction with the server: only front-end JS rendering changes the final page code.

Exploitation scenarios of DOM-based and reflected XSS vulnerabilities

The two attack methods are delivered in the same way: a URL containing the content we constructed is sent to the target user, for example by email. When the target user visits the link, for reflected XSS the server receives the user's request, processes it, and returns data containing the XSS code to the user's browser; for DOM XSS the page's own script inserts the content instead. In both cases the browser parses the malicious script, the XSS vulnerability is triggered, and it is typically used to steal cookies.

XSS defense methods

  1. Filter the input data, including dangerous characters such as ', ", <, > and event-handler attributes (on*).
  2. Encode the data output to the page according to its context: HTML entity encoding, attribute encoding and URL request parameter encoding.
  3. Set the HttpOnly attribute on the cookie.
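To tie the domxss() analysis above to defense items 1 and 2, here is an added example (my own JavaScript, not code from the Pikachu project): the page's vulnerable string concatenation next to a hardened version that attribute-encodes the value and only accepts http(s) URLs, plus a small start-tag tokenizer that shows which attributes a browser would actually see on the resulting <a> tag. The base URL example.invalid is a placeholder, and the tokenizer is a simplification of real HTML parsing, sufficient for this check.

```javascript
// Vulnerable: untrusted input concatenated into an attribute context,
// exactly what domxss() on the page does.
function buildAnchorVulnerable(str) {
  return "<a href='" + str + "'>what do you see?</a>";
}

// Defense item 2: encode for the HTML attribute context, so a quote in the
// input can never terminate the href attribute.
function encodeHtmlAttribute(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Defense item 1 for a URL sink: accept only http(s) URLs (relative ones
// resolve against a placeholder base) so no other scheme reaches href.
function isSafeHref(str) {
  try {
    var u = new URL(str, 'https://example.invalid/'); // placeholder base (assumption)
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

function buildAnchorSafe(str) {
  var href = isSafeHref(str) ? str : '#';
  return "<a href='" + encodeHtmlAttribute(href) + "'>what do you see?</a>";
}

// Minimal start-tag tokenizer: returns the attribute names a browser would
// see before the first unquoted '>', applying the usual quoting rules.
function attributeNames(markup) {
  var names = [];
  var re = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/y;
  var i = markup.indexOf(' ') + 1; // skip "<a "
  while (i < markup.length && markup[i] !== '>') {
    if (/[\s"'=\/]/.test(markup[i])) { i++; continue; } // stray quote or junk
    re.lastIndex = i;
    var m = re.exec(markup);
    if (!m) break;
    names.push(m[1].toLowerCase());
    i = re.lastIndex;
  }
  return names;
}

// The page's own payload: a quote closes href and an onclick handler follows.
var PAYLOAD = "#'onclick=\"alert('1_Ry')\"";
```

With the vulnerable builder the tokenizer reports both href and onclick; with the hardened builder the whole payload stays inside the quoted href and only href remains.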