I’m taking part in Juejin (Nuggets) Creators Camp #4; see the event page to learn more and learn together.

Reflected XSS

DVWA Reflected XSS (Low)

  • The page echoes back whatever you put in, and the server does not filter the input at all
  • <script>alert(1)</script> pops up an alert box
  • <script>alert(document.cookie)</script> pops up an alert box showing the cookie
  • Beyond the popup, the cookie can be sent to a server we control
  • Write a PHP script that receives and logs the cookie
  • Construct a payload that sends document.cookie to that script
  • Combine with CSRF (the victim is made to open the crafted link)

The source code

    <?php

    header ("X-XSS-Protection: 0");

    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input: no filtering or encoding at all
        $name = $_GET[ 'name' ];

        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }

    ?>

demo

1. Type in 666 and see what happens.

2. The page displays the 666 we entered.

3. Put in an XSS payload and try to make it pop up an alert with 1:

    <script>alert(1)</script>

4. The alert box pops up, so there is a reflected XSS vulnerability.

5. Why reflected? Look at the URL:

    http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E#

The payload travels in the name parameter. Reflected XSS means the payload is taken from the request and reflected into the response without ever being stored on the server. Here the value of name, the script we constructed, lives only in the link, so this is reflected XSS.

The classic example of reflected XSS is a link that carries the script in a parameter.

The classic example of stored XSS is a script inserted into a message board, where the server saves it and serves it to every later visitor.

6. Checking with the developer tools, we can see that the text we constructed is not displayed on the page as text; the browser has parsed it as a script element and executed it.

DVWA Reflected XSS (Medium)

  • str_replace removes the literal string <script> (replaces it with an empty string) in a single, case-sensitive pass
  • Bypass by nesting, i.e. <scr<script>ipt>: the inner <script> is removed and the surrounding characters reassemble into <script>, which is not scanned again
  • Bypass by mixed case, i.e. <ScriPt>: the case-sensitive comparison never matches, and HTML tag names are case-insensitive

The source code

    <?php

    header ("X-XSS-Protection: 0");

    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input
        $name = str_replace( '<script>', '', $_GET[ 'name' ] );

        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }

    ?>

demo

1. Use <script>alert(1)</script> directly and see what happens.

2. We find that alert(1) is displayed on the page as text, which means the tag was stripped and nothing executed. Open the developer tools and inspect the element.

3. We can see that the <script> tag has been filtered out. Since the filter removes the literal string <script> in one pass and does not rescan its output, we can split a <script> tag around another one: removing the inner tag leaves a valid outer tag behind. Construct the payload:

    <scr<script>ipt>alert(1)</script>

4. The alert pops up, so the filter can be bypassed by nesting.

5. The filter is also not strict about case, so can we bypass it with case obfuscation? Construct the payload:

    <scrIpT>alert(1)</sCriPt>

6. The alert pops up again, so case obfuscation also bypasses the filter.

DVWA Reflected XSS (High)

  • The preg_replace() function uses a regular expression to strip the script tag case-insensitively, and the .* between the letters also defeats the nesting trick
  • Bypass by using a different HTML tag with an event handler
  • onload event: fires when the element has finished loading
  • <img> tag onerror event: fires when the image fails to load

The source code

    <?php

    header ("X-XSS-Protection: 0");

    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Get input
        $name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }

    ?>

demo

1. First try the script tag.

2. No popup. Inspecting the element, we find that everything has been stripped except a trailing angle bracket. Try case obfuscation and nesting again to see whether either still bypasses the filter.

3. Same result: the regex matches the letters s, c, r, i, p, t in that order, case-insensitively, with anything in between, so both tricks are caught. Since the filter only targets the script tag, switch to a different tag that can run JavaScript through an event handler. Construct the payload:

    <img src=1 onerror="alert(1)" />

This survives because nothing after the "r" of src supplies the "i" the regex needs, so the pattern never matches. The image URL 1 cannot load, the onerror handler fires, and the script runs.

4. The alert pops up, so the payload works.

DVWA Reflected XSS (Impossible)

  • The htmlspecialchars() function converts the predefined characters &, ", ', < and > into HTML entities (&amp; &quot; &#039; &lt; &gt;), so the browser displays them as text instead of treating them as HTML markup. Note that ' is only converted when the ENT_QUOTES flag is set, which is the default from PHP 8.1 onward.

The source code

    <?php

    // Is there any input?
    if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
        // Check Anti-CSRF token
        checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

        // Get input
        $name = htmlspecialchars( $_GET[ 'name' ] );

        // Feedback for end user
        echo "<pre>Hello ${name}</pre>";
    }

    // Generate Anti-CSRF token
    generateSessionToken();

    ?>

Repair plan

  • Adopt the Impossible level's approach: pass the input through htmlspecialchars() at the point of output so the predefined characters &, ", ', < and > become HTML entities and the browser cannot treat the value as HTML markup. Use ENT_QUOTES so single quotes are encoded too.
  • Encode for the context the value is echoed into: htmlspecialchars is correct for HTML body content like this <pre> block, but a value placed inside a script block or an unquoted attribute needs context-specific encoding. The Impossible level additionally checks an anti-CSRF token before processing the request.