DVWA - XSS (Reflected)

XSS stands for Cross-Site Scripting. It is a kind of injection attack: the attacker injects malicious script code into a page, and when a victim visits that page the malicious code executes in the victim's browser. It should be emphasised that XSS is not limited to JavaScript; other scripting languages, such as Flash, can be involved as well.

Depending on whether the malicious code is stored on the server, XSS is divided into stored XSS and reflected XSS. Because of its particularities, DOM-based XSS is often treated as a third type: XSS based on the DOM tree. For example, functions such as document.body.innerHTML are often used to generate the HTML page dynamically; if the variables written through them are not filtered or checked, DOM XSS results. DOM XSS can itself be either stored or reflected.

Reflected XSS

Low

Source

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Feedback for end user
    echo '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}

?> 

As can be seen, the code echoes the name parameter directly, without any filtering or checking: an obvious XSS vulnerability.

Exploit


Medium

Source

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = str_replace( '<script>', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

?> 

Here the input is filtered on a blacklist basis: str_replace() deletes the string <script> from the input. This protection can be bypassed easily.

Exploit

① Double-write bypass

<sc<script>ript>alert(/xss/)</script>


② Mixed-case bypass

<ScRipt>alert(/xss/)</script>


High

Source

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Get input
    $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

?> 

As can be seen, the High level also filters input with a blacklist, but now preg_replace() performs a regular-expression search and replace, so the double-write and mixed-case bypasses no longer work.

Exploit

Although there is no way to inject XSS code through the <script> tag, malicious code can still be injected through the event attributes of other tags such as img, body and iframe.

<img src=1 onerror=alert(/xss/)>


Impossible

Source

<?php

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $name = htmlspecialchars( $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello ${name}</pre>";
}

// Generate Anti-CSRF token
generateSessionToken();

?>

As can be seen, the Impossible level uses the predefined function htmlspecialchars() to convert the characters &, ", ', < and > into HTML entities, which prevents the browser from interpreting them as HTML elements.
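As an added example (not part of the original post and not DVWA's own code), the Python below mirrors the three defences of the Medium, High and Impossible levels and runs the probe strings shown on this page through each, reporting whether raw markup still reaches the <pre> output. html.escape(quote=True) stands in for htmlspecialchars() with ENT_QUOTES; the inputs are constructed for the demonstration.

```python
import html
import re

# Constructed inputs: the probe strings shown on this page plus one benign name.
PROBES = [
    "<sc<script>ript>alert(/xss/)</script>",   # Medium: double-write probe
    "<ScRipt>alert(/xss/)</script>",           # Medium: mixed-case probe
    "<img src=1 onerror=alert(/xss/)>",        # High: non-script tag with event handler
    "O'Brien & Sons",                          # benign input containing ' and &
]

def filter_medium(name: str) -> str:
    """Blacklist of the Medium level: str_replace('<script>', '', $name)."""
    return name.replace("<script>", "")

def filter_high(name: str) -> str:
    """Blacklist of the High level: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name)."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)

def encode_impossible(name: str) -> str:
    """Output encoding of the Impossible level. quote=True matches htmlspecialchars()
    with ENT_QUOTES; before PHP 8.1 the default flags leave the single quote alone,
    so pass ENT_QUOTES explicitly when the value lands inside a single-quoted attribute."""
    return html.escape(name, quote=True)

def render(name: str) -> str:
    """The page's sink: echo "<pre>Hello ${name}</pre>";"""
    return f"<pre>Hello {name}</pre>"

def injects_markup(name: str) -> bool:
    """True if the user-controlled part still carries an unencoded '<',
    i.e. the browser may parse a new element out of it inside <pre>."""
    return "<" in name

def evaluate(name: str) -> dict:
    """Run one input through all three defences; True means markup survives."""
    return {
        "medium": injects_markup(filter_medium(name)),
        "high": injects_markup(filter_high(name)),
        "impossible": injects_markup(encode_impossible(name)),
    }

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r}: {evaluate(probe)}")
        print("   rendered (impossible):", render(encode_impossible(probe)))
```

Note that the High-level regex is greedy and case-insensitive, so it also mangles benign input such as "<b>Sarah</b> scripts", which is a second reason to prefer encoding at the output over blacklisting the input.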


Origin www.cnblogs.com/c1047509362/p/12607488.html