x_jin 2013/10/21

Contents

0x00: Basic introduction
0x01: HTML entity encoding
0x02: New entity encodings, variants, and some of the browser's working principles
0x03: JavaScript encoding
0x04: Base64 encoding
0x05: Idle chatter

0x00 Basic Introduction


When it comes to XSS, the first thing that comes to mind is character encoding and how the browser parses the inserted code.

This is where all the XSS encoding plug-ins and tools come in! Before I understood how browsers parse our code, using them was mostly a waste of time!

No matter which encoding plug-in I used, the payload usually did not decode back to working code, and when it did it was mostly luck! Later, after the second brother and Short at PKAV gave me some training, I finally got the encoding and parsing basics straight!

Now I can use them freely!

Now let's look at the encodings most commonly used in XSS.

HTML entity encoding (decimal and hexadecimal):

For example, encoding the angle bracket [<]  ----->  HTML decimal: &#60;   HTML hexadecimal: &#x3c;

Octal and hexadecimal in JavaScript:

For example, encoding the angle bracket [<]  ----->  JS octal: \74   JS hexadecimal: \x3c

JS Unicode encoding:

For example, encoding the angle bracket [<]  ----->  JS Unicode: \u003c

URL encoding and Base64 encoding:

For example, encoding the angle bracket [<]  ----->  URL: %3C   Base64: PA==

0x01 HTML entity encoding


The purpose of HTML entity encoding is to avoid conflicts with HTML markup.

In XSS it has become a great tool for us, but it cannot be used blindly!

In the normal case HTML only recognizes two forms: HTML decimal and HTML hexadecimal entities!

Now, how can we use the various encodings flexibly during an XSS test?

For example, suppose your output point is here:

<img src="[code]">

Here the filter blocks script, <, >, /, \, http: and all sorts of dangerous characters, so anything that would create a new HTML node is gone!

Some sites only let you reference an image from an img folder, but the image is chosen by you and can be changed by intercepting the request (packet capture)!

What if we want to load external JS or an XSS platform hook?

onerror=[HTML entity encoded payload]

Let's say I want to pop up a window:

<img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">

The original code:

<img src="x" onerror="alert(1)">

I used HTML decimal entities here; HTML hexadecimal entities work just as well!

But why didn't I use JS Unicode, JS octal or JS hexadecimal?

Browsers do not decode JavaScript escape sequences inside HTML tags! The value after onerror= is decoded by the HTML parser first, so whatever JS-style escapes you put there are not decoded at that stage; only HTML entities are!

Most sites don't filter & and #, but what if they do?

So let's take another example: the Gleason.

The source code is as follows (see the screenshot):

The "Go" button on the page puts the value of an input into the href attribute of an "a" tag; that href uses the javascript: pseudo-protocol, so JS code is executed when the link is followed!

So: XSS!

The value we submit is as follows:

wooyun%26%23x27,alert(1)%2b%26%23x27

Because the page filters the single quote, & and #! But HTML entities are recognized inside HTML, and an entity is made of & and #!

At this point &# is already filtered, so we can only encode those two symbols with URL encoding! Let the browser decode that into &#, then append x27, and it becomes the HTML hexadecimal entity for a single quote!

After decoding, our submitted value becomes:

',alert(1)'

The href is:

<a href="javascript:location='./3.3.php?offset='+document.getElementById('pagenum').value+'&searchtype_yjbg=yjjg&searchvalue_yjbg='">GO</a>

Ps: As mentioned earlier, HTML tags recognize HTML entity codes and decode them when the page loads, so by then &#x27 is already a single quote. But that single quote does not close anything at the HTML level: the attribute is delimited by double quotes, and our value is just a string sitting inside the href. What makes this work is that the href is a javascript: pseudo-protocol link. When we click Go, the browser hands the already decoded attribute value to the JavaScript engine, which parses it a second time. No filtering rule runs at this stage, and the JS engine has no idea that our single quote was "supposed to be" data; it only sees what the HTML parser gave it. So our single quote closes the string in the JS expression, and our code executes when Go is clicked!
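To make the two-stage decoding concrete, here is an added Python example (not code from the original post). It replays the chain the post describes, URL decoding followed by HTML entity decoding, on the constructed sample value from the write-up, and shows that a literal check for the three blacklisted characters fires only on the decoded form. The blacklist tuple and the function names are assumptions made for the example.

```python
import html
from typing import Tuple
from urllib.parse import unquote

# Constructed sample: the value from this write-up, still URL-encoded, as it
# arrives on the query string.
SUBMITTED = "wooyun%26%23x27,alert(1)%2b%26%23x27"

# The characters the page's filter rejects when it sees them verbatim
# (assumed blacklist, taken from the write-up's description).
BLACKLIST = ("'", "&", "#")


def blacklist_hit(value: str) -> bool:
    """The page's check as described: any blacklisted character present literally."""
    return any(ch in value for ch in BLACKLIST)


def canonicalize(value: str) -> str:
    """Replay the two decoding steps the browser side applies: URL decoding
    first, then HTML entity decoding of the attribute value. html.unescape
    accepts a numeric entity without its semicolon (&#x27), just as the HTML
    parser does, so the trailing 'x27' turns into a single quote."""
    return html.unescape(unquote(value))


def check_before_and_after(value: str) -> Tuple[bool, bool]:
    """(filter fires on the raw input, filter fires on the decoded input)."""
    return blacklist_hit(value), blacklist_hit(canonicalize(value))


if __name__ == "__main__":
    raw_hit, decoded_hit = check_before_and_after(SUBMITTED)
    print("raw          :", SUBMITTED, "-> filter fires:", raw_hit)
    print("canonicalized:", canonicalize(SUBMITTED), "-> filter fires:", decoded_hit)
```

The filter and the parser compare against different strings: the check inspects the raw submission while the JS engine receives the fully decoded value. A check that wants to see what the browser sees has to canonicalize first, and the more robust fix is to entity-encode the value for the attribute context at output time rather than blacklist characters on input.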

The examples above covered HTML encoding and a special case of it. Now let's talk about what to do when your input point is inside a script tag: there we should use the JS encodings!

Now that I understand how parsing works, I have some new ideas!

0x02 New entity encodings, variants, and some of the browser's working principles


Usually, when programs defend against XSS, they have some HTML encoding issues in mind and will block or escape things like ", \ and so on, so my double quotes and angle brackets get blocked!

However, the basic blacklisting approach has problems:

1. They do not know the new HTML5 named entities, such as:

&colon; => [colon]   &NewLine; => [line break]   Case: <a href="javasc&NewLine;ript&colon;alert(1)">click</a>

2. They are not familiar with the parsing rules of HTML encoding; for example, the semicolon of a decimal or hexadecimal entity can be dropped.

Also, putting "0"s in front of the numeric code is a good way to bypass a WAF's patterns.

Below (I have removed the semicolons and added a zero in front of each number):

Any number of 0s can be put in front of the number; bored friends can try it!

<a href="javasc&NewLine;ript&colon;alert(1)">click</a>

Does this code work?

If you don't know how browsers work, you may well doubt at first whether this code will run!

At least I doubted it at first! Even after the entities are decoded, there is a line break in the middle; can it still execute?

At that time I went to ask my good friend XX God [someone whose mind, in our eyes, works differently from normal people's]

Then he gave me a very, very long explanation of how browsers work!

I'll paste the most important part here:

Parser-lexer combination

Parsing can be divided into two sub-processes: syntax analysis and lexical analysis.

Lexical analysis is the decomposition of input into symbols, which are the vocabulary of a language — the set of basic valid units. For human language, it's the equivalent of all the words that appear in our dictionaries.

Syntax analysis is the application of the grammar rules of a language.

Parsers typically divide the job between two components: a lexical analyzer (sometimes called a tokenizer) that breaks the input into valid symbols, and a parser that builds a parse tree by analyzing the structure of a document according to the syntax rules of the language. The lexical analyzer knows how to skip irrelevant characters like whitespace and newlines.

Then my understanding goes like this:

<a href="javasc&NewLine;ript&colon;alert(1)">click</a>

First the HTML entities are decoded, giving a line break and a colon:

<a href="javasc
ript:alert(1)">click</a>

The reason it can still execute after a line break is that the browser's parser works by skipping irrelevant characters such as whitespace and line breaks.

It then builds the complete statement:

<a href="javascript:alert(1)">click</a>

And the code executes!

After reading that I instantly felt that these fundamentals really matter! You can write XSS payloads much more flexibly!
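As an added Python example (not code from the original post), here is the decoding sequence the section just described, written as a check a defender can run over an href value: HTML entity decoding as the HTML parser does it (named entities such as &colon; and &NewLine;, numeric entities with the semicolon dropped, numeric entities padded with leading zeros), followed by the browser's URL-parser behaviour of trimming surrounding whitespace and removing embedded tab, LF and CR before the scheme is examined. The sample values are constructed from the post's payload and the variants it describes; the function names are assumptions.

```python
import html
import re
from typing import List

# ASCII tab, LF and CR are removed from inside a URL by the browser's URL
# parser before it looks at the scheme. By that time the HTML parser has
# already turned &NewLine; into a real LF.
_URL_STRIPPED = re.compile(r"[\t\n\r]")


def decode_attribute(value: str) -> str:
    """HTML-parser view of an attribute value. html.unescape knows the HTML5
    named entities (&colon;, &NewLine;, &Tab;), accepts decimal/hex entities
    with or without the trailing semicolon, and ignores leading zeros."""
    return html.unescape(value)


def resolve_href(value: str) -> str:
    """What the URL parser ends up with for href: entities decoded, leading
    and trailing whitespace trimmed, embedded tab/LF/CR dropped."""
    return _URL_STRIPPED.sub("", decode_attribute(value).strip())


def is_javascript_url(value: str) -> bool:
    """True if the href, after browser-style decoding, runs script."""
    return resolve_href(value).lower().startswith("javascript:")


# Constructed samples: the write-up's payload plus the variants it describes
# (semicolons dropped, leading zeros added). None of the first three contains
# the literal text "javascript:".
SAMPLES = [
    "javasc&NewLine;ript&colon;alert(1)",
    "&#0106&#0097vasc&#0000114ipt&#x003a;alert(1)",
    "  j&#x61;va&Tab;script:alert(1)",
    "https://example.com/",
]


def naive_filter_misses(values: List[str]) -> List[str]:
    """Values a substring check for 'javascript:' on the raw attribute would
    accept, even though the browser would treat them as script URLs."""
    return [v for v in values if "javascript:" not in v.lower() and is_javascript_url(v)]


if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "->", repr(resolve_href(v)), "script:", is_javascript_url(v))
```

The point of the check is the order of operations: the scheme test has to run on the resolved value, after entity decoding and whitespace removal, because that is the string the browser actually classifies.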

0x03 JavaScript encoding


JavaScript recognizes only a few encodings: JS Unicode, JS octal and JS hexadecimal.

Take the following example!

In the first case, the value you input is stored in some variable and then ends up in some function that executes the string as JS code!

Such as:

eval()  setTimeout()  setInterval()

These are all functions that execute strings as JS code! Or:

var search = "[control point]"; document.getElementById("result").innerHTML = search;  // "result" is a placeholder id; the page does not give the real one

Many of the above are the keywords echoed back after you search, displaying your query.

Suppose the filter strips < > ' " & % and so on, then outputs to the page!

That was supposed to be safe! But let's change the input value to JS Unicode encoding.

For example, JS-octal-encode the value you send; the filter does not detect it, and it gets inserted into innerHTML.

Now let's see what the output looks like!

I'll use the Chrome console to demonstrate (screenshot):

You can see that JS decoded our code and injected it into the page! That is when the code executes! Successful pop-up!

In JS you can use JS Unicode, JS hexadecimal and JS octal!

Why didn't I use hexadecimal or Unicode here? Because octal is relatively the shortest!

The character length of an XSS payload is also an important issue! The shorter the better!

When inserting stored XSS into an ASP site, the field length in your database may be insufficient,

so the value cannot be saved and an error is reported! It happens all the time! It's best to get what you want with the fewest characters!

Since I mentioned JS hexadecimal and JS Unicode encoding, here are pictures of those two as well!

Hexadecimal is written in JS as \x[two hex digits]; for example: < becomes \x3c

As you can see, it's the same as octal, just with an extra "x"; I like this one too, but I prefer the shorter octal form!

JS Unicode encoding:

It is written as \uXXXX; for example: < becomes \u003c

As shown in the picture above.
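The following is an added Python example (not code from the original post) for the three JS string escapes this section covers. It decodes a JS string literal the way the engine does (octal, \x and \u escapes), encodes a value in each of the three forms so the length difference the post mentions can be measured, and shows that a "<" check applied to the stored literal does not fire while the same check on the decoded value that innerHTML receives does. The sample payload is the post's own; the function names are assumptions.

```python
import re
from typing import Tuple

# One JavaScript string escape: \uXXXX, \xXX, an octal escape (three digits at
# most, two if the first digit is 4-7 so the value stays below 256), or a
# single escaped character such as \" or \\ or \n.
_JS_ESCAPE = re.compile(
    r"\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-3][0-7]{0,2}|[4-7][0-7]?|.)", re.S
)
_SINGLE = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "v": "\v"}


def _expand(match) -> str:
    esc = match.group(1)
    if esc[0] in "ux":
        return chr(int(esc[1:], 16))
    if esc[0] in "01234567":
        return chr(int(esc, 8))
    return _SINGLE.get(esc, esc)  # \" -> ", \\ -> \, unknown escapes keep the char


def decode_js_string(literal: str) -> str:
    """The value the JS engine assigns from the contents of a string literal."""
    return _JS_ESCAPE.sub(_expand, literal)


def encode_js(text: str, form: str) -> str:
    """Escape every character as JS octal (\\NNN), hex (\\xNN) or Unicode (\\uNNNN).
    Octal and hex only reach code point 255; \\u covers the BMP."""
    out = []
    for ch in text:
        cp = ord(ch)
        if form == "octal" and cp <= 0o377:
            out.append("\\" + format(cp, "o"))
        elif form == "hex" and cp <= 0xFF:
            out.append("\\x" + format(cp, "02x"))
        elif form == "unicode" and cp <= 0xFFFF:
            out.append("\\u" + format(cp, "04x"))
        else:
            raise ValueError(f"{ch!r} cannot be written as JS {form}")
    return "".join(out)


def filter_sees_markup(literal: str) -> Tuple[bool, bool]:
    """Does a '<' check fire on the literal as stored, and on the decoded
    value that innerHTML actually receives?"""
    return "<" in literal, "<" in decode_js_string(literal)


# Constructed sample: the write-up's innerHTML payload, octal-escaped.
OCTAL_PAYLOAD = r"\74img src=x onerror=alert(1)\76"

if __name__ == "__main__":
    print(decode_js_string(OCTAL_PAYLOAD), filter_sees_markup(OCTAL_PAYLOAD))
    for form in ("octal", "hex", "unicode"):
        print(form, len(encode_js("<", form)), encode_js("<", form))
```

Because the escapes are resolved by the JS engine, not by the HTML parser, a server-side check that reads the literal text never sees the angle brackets; the value has to be checked (or, better, written with textContent rather than innerHTML) at the point where it is decoded.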

0x04 Base64 encoding


So far, the base64 encoding I've encountered has mostly been in this situation:

<a href="[control]">   <iframe src="[control]">

In this case, if < > ' " and javascript are filtered, the XSS can be written like this, with the payload base64-encoded:

<a href="data:text/html;base64,PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==">test</a>

When the "test" link is clicked, the data: URL is parsed as text/html, and the base64 body is decoded back into our original code:

<img src=x onerror=alert(1)>

And it pops up successfully!

See the picture below:

The Gleason has a similar function in an iframe; test it yourself!
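Here is an added Python example (not code from the original post) that does what the browser does with the data: URL above: split off the media type and the base64 flag, decode the body, and report whether the result is HTML containing markup. The href is the post's own; the function names and the "active HTML" heuristic are assumptions made for the example.

```python
import base64
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed sample from the write-up: the href of the "test" link.
SAMPLE_HREF = "data:text/html;base64,PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg=="

# data:[<mediatype>][;base64],<data>
_DATA_URL = re.compile(r"^data:(?P<meta>[^,]*),(?P<body>.*)$", re.S)


def inspect_data_url(href: str) -> Optional[Tuple[str, bool, str]]:
    """Return (media type, is_base64, decoded payload text) for a data: URL,
    or None for anything else. Whitespace inside a base64 body is ignored and
    missing '=' padding is tolerated, matching the browser's lenient parser."""
    m = _DATA_URL.match(href.strip())
    if not m:
        return None
    params = [p.strip() for p in m.group("meta").split(";")]
    mediatype = params[0] or "text/plain"  # the default when omitted
    is_b64 = any(p.lower() == "base64" for p in params[1:])
    body = m.group("body")
    if is_b64:
        compact = re.sub(r"\s+", "", body)
        compact += "=" * (-len(compact) % 4)
        text = base64.b64decode(compact).decode("utf-8", errors="replace")
    else:
        text = unquote(body)
    return mediatype, is_b64, text


def renders_active_html(href: str) -> bool:
    """True when the data: URL would be rendered as HTML and carries markup."""
    info = inspect_data_url(href)
    return info is not None and info[0].lower() == "text/html" and "<" in info[2]


if __name__ == "__main__":
    print(inspect_data_url(SAMPLE_HREF), renders_active_html(SAMPLE_HREF))
```

Base64 only hides the payload from a substring check on the attribute; the decoded document is what the navigation renders, so any review of link targets has to decode data: bodies before deciding what they contain.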

0x05 Idle chatter


The world of the web front end is really hard to fathom!

Actually, a lot of what blocked me before was these fundamentals! Once you understand them, things go well!

Watching my brother dig for reflected XSS feels a lot like a JS code audit!

In the second brother's words: first of all, if your JS skills are higher than those of the people who wrote the JS, then it's easier for you to find XSS! So I feel JS is more important than XSS itself! The second brother has been writing JS for six or seven years to reach today's skill level! So I really believe this sentence!

When I test for XSS, I first test some reflection points! Submit a few illegal characters and see what the filter turns them into! Then open the Chrome console and track a few keywords through the current page and the files it references! Say the input field has id=XXXX; then I keep tracking it! If an array or variable passes the value on, I keep following it all the way back to the source! If the code can be bypassed, a little debugging in Chrome digs it out!

Of course, this method was also taught by the second brother! The second brother and Short have always been the people I look up to! I only talk about the browser's parsing; the second brother has endless tricks about DOM rendering, JS parsing and so on!

Suddenly it's so easy to dig up XSS!

Attachment: XSS Encode plug-in

END