XSS Network Security Learning and Practice

Posted by JCBarry on Tue, 01 Feb 2022 17:13:52 +0100

XSS

Cross-site scripting (XSS) is a security vulnerability in web applications and a form of code injection. It allows an attacker to inject code into a web page that is then executed in the browsers of other users who view that page. Such attacks usually involve HTML and a client-side scripting language, almost always JavaScript.

Attack mode

The attacker attacks the website by injecting HTML nodes into the page or by executing JavaScript code in other users' browsers. https://blog.poetries.top/FE-Interview-Questions/docs/advance.html#_1-xss

XSS classification

According to where the malicious code comes from, XSS attacks are divided into stored, reflected and DOM-based XSS.

| Type | Storage area | Insertion point |
| - | - | - |
| Stored XSS | back-end database | HTML |
| Reflected XSS | URL | HTML |
| DOM XSS | back-end database / front-end storage / URL | front-end JavaScript |

  • Storage area: where the malicious code is stored.
  • Insertion point: which component takes the malicious code and inserts it into the web page.

Stored XSS

Attack steps of stored XSS:

  1. The attacker submits malicious code to the target website, which saves it in its database.
  2. When a user opens the target website, the server reads the malicious code out of the database, splices it into the HTML and returns it to the browser.
  3. The user's browser receives the response, parses and executes it, and the malicious code mixed into it is executed as well.
  4. The malicious code steals the user's data and sends it to the attacker's site, or impersonates the user and calls the target website's interfaces to perform whatever operation the attacker specified.

This attack is common in website features that save user-supplied data, such as forum posts, product comments and private messages.

Reflected XSS

Attack steps of reflected XSS:

  1. The attacker constructs a special URL containing malicious code.
  2. When a user opens the URL, the server takes the malicious code out of the URL, splices it into the HTML and returns it to the browser.
  3. The user's browser receives the response, parses and executes it, and the malicious code mixed into it is executed as well.
  4. The malicious code steals the user's data and sends it to the attacker's site, or impersonates the user and calls the target website's interfaces to perform whatever operation the attacker specified.

The difference between reflected and stored XSS is that the malicious code of stored XSS is persisted in the database, while the malicious code of reflected XSS exists only in the URL.

Reflected XSS vulnerabilities are common in features that pass parameters through the URL, such as site search and redirects.

Because the user must actively open the malicious URL for the attack to work, attackers usually combine several techniques to induce the user to click.

Content sent in a POST body can also trigger reflected XSS, but the conditions are harder to meet (the attacker must build a form-submission page and induce the user to submit it), so it is rare.

DOM XSS

Attack steps of DOM XSS:

  1. The attacker constructs a special URL containing malicious code.
  2. The user opens the URL.
  3. The user's browser receives the response and parses and executes it; the page's own front-end JavaScript takes the malicious code out of the URL and executes it.
  4. The malicious code steals the user's data and sends it to the attacker's site, or impersonates the user and calls the target website's interfaces to perform whatever operation the attacker specified.

The difference between DOM XSS and the first two types: in a DOM XSS attack the malicious code is extracted and executed entirely by the browser, so it is a vulnerability in the front-end JavaScript itself, whereas the other two types are vulnerabilities in the server-side code.
https://tech.meituan.com/2018/09/27/fe-security.html
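The front-end half of that flow, as an added example that is not part of the original post: the parameter is taken out of the URL fragment (the part after `#`, which the browser never sends to the server, so no server-side filter can see it) and handed to one of two sinks. The element stand-in, the attacker fragment and the function names are constructed for this example; `alert(1)` stands in for a real payload, and the difference between the two sinks only becomes visible in a real browser, where `innerHTML` parses the string and `textContent` does not.

```javascript
// Added example, not code from the original post: the DOM XSS data flow.

// Source: the URL fragment. Everything after '#' stays in the browser and is
// not part of the HTTP request, so only the page's own JavaScript handles it.
function getFragmentParam(hash, key) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash
  // URLSearchParams percent-decodes, so %3Cimg... comes back as <img...
  return new URLSearchParams(raw).get(key) || ''
}

// Vulnerable sink: innerHTML parses the string as HTML, so tags in the
// parameter become live elements and handlers such as onerror fire.
function renderResultsUnsafe(container, term) {
  container.innerHTML = 'Results for: ' + term
}

// Fix: textContent stores the string as character data. A real element then
// displays "<img ...>" literally and its innerHTML reads "&lt;img ...&gt;".
function renderResultsSafe(container, term) {
  container.textContent = 'Results for: ' + term
}

// Stand-in for a DOM element so the flow runs outside a browser (constructed
// for this example; it only records what each sink was given).
function makeElementStandIn() {
  return { innerHTML: '', textContent: '' }
}

// Constructed attacker fragment; alert(1) stands in for a real payload. It
// would be delivered as a link such as http://localhost:3000/search.html#q=...
const ATTACKER_HASH = '#q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'

// Run one parameter through both sinks and report what each received.
function demo(hash) {
  const term = getFragmentParam(hash, 'q')
  const unsafe = makeElementStandIn()
  const safe = makeElementStandIn()
  renderResultsUnsafe(unsafe, term)
  renderResultsSafe(safe, term)
  return { term, unsafeHtml: unsafe.innerHTML, safeText: safe.textContent }
}

// In a browser the same functions would be wired up as:
//   window.addEventListener('hashchange', () =>
//     renderResultsSafe(document.getElementById('results'),
//                       getFragmentParam(location.hash, 'q')))
```

Running `demo(ATTACKER_HASH)` shows that the decoded term already contains `<img src=x onerror=alert(1)>` before any sink is involved; the vulnerability is entirely in which property the front-end code assigns it to.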

Implement XSS

Implementing XSS requires the back end to cooperate. The logic is as follows:
When I visit a website, the browser sends a request to the server. The server receives the request, parses it and returns a response to the client. That is the normal flow. For example:

When I visit the page, the URL in the address bar is localhost:3000/?keyword=123. The server parses keyword, gets 123, and inserts it into an input element in the HTML as the value attribute. The returned HTML is then as follows

<input id="val" type="text" value="123">

However, if the URL I enter is localhost:3000/?keyword="><script>alert('XSS');</script>
then keyword is parsed as "><script>alert('XSS');</script> and spliced into the value of the input box. The first two characters, ">, close the value attribute and the input tag early, and the returned HTML becomes the following

<input id="val" type="text" value=""><script>alert('XSS');</script>">

You can see that value has become an empty string, but a script element has appeared out of nowhere, and it runs automatically. Although a stray "> is shown on the page afterwards, the goal has been achieved.

Back-end code

Written in Node.js; refer to the link.

let http = require('http')
let url = require('url')

let app = http.createServer(function (request, response) {
    let reqUrl = request.url
    // url.parse with parseQueryString=true decodes the query string into an object,
    // so a %3C in the URL arrives here as a literal '<'.
    // (url.parse is legacy API; it is kept here because the original demo uses it.)
    let urlObj = url.parse(reqUrl, true)
    let queryObj = urlObj.query
    console.log(urlObj)

    // Returns the raw query parameter, or '' if it is absent. No escaping.
    function getParameter(key) {
        return queryObj[key] || ''
    }

    // Server-side rendering: the HTML template. Each <%= ... %> placeholder is
    // replaced below with the raw value of the expression inside it.
    var str = `
        <!DOCTYPE html>
        <html lang="en">
            <head>
                <meta charset="UTF-8">
                <meta name="viewport" content="width=device-width, initial-scale=1.0">
                <title>XSS</title>
            </head>
            <body>
                <input id="val" type="text" value="<%= getParameter("keyword") %>">
                <button>search</button>
                <div>
                    <a href="<%= getParameter("redirect") %>">Click the link</a>
                </div>
            </body>
        </html>
        `

    // Deliberately vulnerable: for each placeholder, eval runs the captured
    // expression (for example getParameter("keyword")) as JavaScript, and the
    // string it returns is spliced straight into the HTML without escaping.
    // A keyword of "><script>alert('XSS');</script> therefore turns
    //     value="<%= getParameter("keyword") %>"
    // into
    //     value=""><script>alert('XSS');</script>">
    // The leading "> closes the value attribute and the input tag early, and
    // the script that follows runs as soon as the browser parses it. The stray
    // "> left on the page does not matter to the attacker.
    let htmlstr = str.replace(/<%=(.+)%>/g, (_, $1) => {  // $1 is the expression captured by the regex
        let a = eval($1)
        return a
    })

    console.log('htmlstr', htmlstr)
    response.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' })
    response.write(htmlstr)
    response.end()
})

app.listen(3000, function () {
    console.log('3000 running')
})

/*
After the XSS attack, the HTML that is returned ends up in the following form

<!DOCTYPE html>
<html lang="en">
   <head>
       <meta charset="UTF-8">
       <meta name="viewport" content="width=device-width, initial-scale=1.0">
       <title>XSS</title>
   </head>
   <body>
       <input id="val" type="text" value=""><script>alert('XSS');</script>">
       <button>search</button>
       <div>
           <a href="javascript:alert('XSS');">Click the link</a>
       </div>
   </body>
</html>


You can see that the value of the input has become value="" and one more line of automatically running JavaScript has appeared
<input id="val" type="text" value=""><script>alert('XSS');</script>">

The href of the a tag has also become a JavaScript URL. It is not executed through a script tag: the browser runs a javascript: URL in href when the link is clicked. What else href can execute, and how url, src and href differ as sinks, still needs to be worked through separately
<a href="javascript:alert('XSS');">Click the link</a>
*/

The eval in the code evaluates the template expressions, which is how the keyword and redirect parameters parsed out of the URL end up in the page.
In this way, visiting http://localhost:3000/?keyword="><script>alert('XSS')</script>&redirect=javascript:alert('XSS'); adds a script after the input tag and turns the link in the a tag into a JavaScript URL. The first pops up an alert automatically; the second pops up an alert when the link is clicked.

Topics: Javascript node.js Interview