Introduction to the basic concepts and principles of XSS
basic concept
cross-site scripting attack XSS (Cross Site Scripting), in order not to be confused with the Cascading Style Sheets ( Cascading Style Sheets, CSS ) abbreviation, so the cross-site scripting attacks abbreviated to XSS.
malicious attacker Insert malicious JavaScript code into a Web page, and when the user browses the page, the embedded JS code will be parsed and executed, thus achieving the purpose of maliciously attacking the user.
One very common function on a Web page is to output user input to the page.
If the content entered here is a constructed piece of JS code, when the page is revisited after submission, the user will get the result of the execution of the JS code on the browser side.
By constructing other corresponding code, an attacker can perform more harmful operations.
There are two conditions that need to be met in order to perform an XSS attack:
- Ability to inject malicious code into Web pages;
- This malicious code can be successfully executed by the browser.
XSS Classification
XSS attack methods are divided into 3 main categories, namelyReflective XSS, **Stored XSS **and **BasedDOM XSS.
reflexive
specificities: Malicious scripts are delivered via URL and executed immediately on the page.
Type of attack: The attacker induces the user to click on a link containing malicious code, which is executed by the browser.
typical example: When a user clicks on a link containing a malicious script, the server reflects the malicious script back to the user's browser and executes it immediately.
non-persistent
Commonly, a malicious link is constructed in the URL and sent to the target user. When the user accesses the link, a GET request is made to the server to submit the link with malicious code. The main causes of reflective XSS areGET Type.
Reflective XSS Complete attack flow:
A and B represent the normal communication between the user and the website, and from C onwards the whole process of the XSS attack.
First:
- C: The hacker sends the user a URL with a malicious script.
- D: After the user clicks and logs into the Website.
- E: The server returned a response with a malicious script.
- F: The malicious script sends sensitive information to the hacker's already deployed server after the browser executes it.
- G: The hacker traveled to the hacked server to obtain sensitive information about the user.
- H: The hacker has gained access to the user's sensitive information.
- I: Hackers use already acquired sensitive information to launch requests to the Website, masquerading as users to carry out illegal operations.
that's all...Reflective XSS of the overall attack link.
memory-based
specificities: Malicious scripts are stored in the database of the target server and executed when the user visits the relevant page.
Type of attack: An attacker enters malicious code into an input form on a website, the code is stored on the server, and the malicious code is executed when other users visit the page.
typical example: An attacker posts a thread containing a malicious script in a forum or comment section, and the malicious script is executed when other users view the thread.
persistent
Commonly found inBlog message boards, feedback complaints, forum commentsThe malicious code can be stored in the server's database along with the body of the text. Each visit triggers the malicious code. For example:<srcipt>alert(/xss/)</srcipt>
Stored XSS Attack Principles
The hacker stores a malicious script in the Website's Server beforehand, then the user clicks on it to access the data, and the browser executes the malicious script when parsing the file, sending sensitive data to the hacker.
Stored XSS Complete attack flow:
C is for normal access to the Website.
First:
- A : A hacker discovers that a browser has an XSS storage type vulnerability and launches malicious code into the browser.
- B: The server stores this piece of malicious code in the server.
- C: The user finds a place on the website that appeals to him, but the hacker has planted malicious code there in advance.
- D: The user reads the section of the server that has malicious code.
- E: Browser executed a malicious script to obtain sensitive information about the user.
- F: Malicious code transmitted to the hacker's server
- G: Hackers can then obtain sensitive user information from the server and simulate a user logging into this website.
Difference between Reflective XSS and Stored XSS:
I. Differences in the target of the attackReflective XSS is generally the object of the attacker to find, for example: an attacker wants to steal A's QQ number, then the attacker can be a URL containing reflective XSS link to A, at this time we can see that the need for a specific URL, pay attention to a specific URL to A, when A clicked to enter the link, it will be subjected to XSS attacks, so the scope of this attack is not particularly wide! So the scope of this attack is not particularly wide.
The stored XSS is the way to spread the net widely or the specified way, that is, the attacker puts the stored XSS on some websites with XSS vulnerability, as long as there is a user who visits this link will be hit, and the attacker can look for the target to be attacked, for example, the above example, so we can see that the stored XSS is much more harmful and wider in scope, and it can be used without the need to look for the target to be attacked, and the attacker will not need to look for the target to be attacked. As long as the stored XSS is on the server, the attack can be executed.
The target of DOM-based XSS is actually similar to the target of reflection-based XSS, in that it is the URL that is served to the target of the attack.
Second, the resolution position is different(Personally, I feel this is the essence of the difference between reflective and storage)
Reflective XSS scripts are parsed in the browser, while stored XSS scripts are parsed in the server, and DOM XSS is also the browser, so DOM type is also called DOM Reflective XSS. but Reflective XSS requires an internet connection, while DOM type does not!
III. Different storage times
Reflective XSS is both ready to use, there is no persistence, and storage XSS is stored on the server, as long as the server does not hang up or be killed, there will always be, DOM-type XSS and reflective is almost the same, but the use of people on the bullshit, that reflective as long as not change the source code is not always there? No, reflective XSS must be specific URL to make the target of the attack, if it is a single official web page, there is no, storage type is different, as long as the server has a storage type XSS, regardless of whether it is not the official website, the target of the attack will be attacked.IV. Differences in permitted input points(This is the difference between the DOM type and the other two)
Typically, reflective XSS is in the search box, or page jumps, and those kinds of places, while stored XSS is typically where the message, or the user, is stored, and the DOM? It's on the DOM location, it doesn't depend on the input environment.
DOM Type
specificities: Malicious scripts are executed by modifying the structure of the browser's DOM (Document Object Model).
Type of attack: An attacker manipulates the JavaScript in a page to make it execute malicious code, usually without interacting with the server.
typical example: Using a malicious URL parameter or input value, an attacker modifies the JavaScript code of a page so that it performs a malicious action in the user's browser.
Before explaining DOM-XSS, let's start with a diagram to illustrate what exactly DOM is:
Document Object Model Document Object Model (DOM) is a platform and programming language-independent interface that allows a program or script to dynamically access and update document content, structure and style, and the result of the processing becomes part of the presentation page.
DOM-type XSS In fact, it is a special type of reflective XSS, also known as local cross-site, which is a vulnerability based on the DOM document object model.The difference between DOM XSS and reflective XSS, storage XSS is that the DOM XSS code does not require the involvement of the server, the departure of the XSS relies on the browser's DOM parsing, it is entirely a client-side matter.
There are many objects in the DOM, some of which can be manipulated by the user, such as url, location, etc. Client-side scripting programs can dynamically inspect and modify page content through the DOM. Client-side scripting programs can dynamically inspect and modify page content through the DOM. It does not rely on submitting data to the server, but rather obtains the data in the DOM from the client and executes it locally, so there is no way to defend against DOM-based XSS vulnerabilities from the server side alone, and if the data in the DOM is not rigorously validated, DOM-based XSS vulnerabilities will occur.
DOM-based XSS is a special case of reflection, where the JavaScript is hidden in the URL and is fetched by the JavaScript on the page when it is rendered, rather than being embedded in the page when it is served.
Summary:The attack scenario for DOM-based XSS is the same as for reflective XSS.The only difference is that with DOM-based XSS, instead of happening on the server side, it happens directly in the browser. This can make it more stealthy than other attacks, and malicious content is not detected by WAFs or other protections that monitor the body of the page.
- Reflective XSS: Passed via URL and executed immediately.
- Stored XSS: Stored in a server-side database and executed when accessed by the user.
- DOM XSS: Executed by modifying the client's DOM without interacting with the server.