BurpSuite Section XX: Automated SQL Injection Penetration Testing with Burp, Sqlmap

XSS (Cross-Site Scripting) is one of the most common vulnerabilities in web applications. It refers to an attacker inserting malicious HTML or script code into a web page so that, when a user browses that page, the embedded code is executed in the user's browser and serves the attacker's purpose, such as obtaining the user's cookies, redirecting to malicious websites or delivering Trojans. Depending on how it is triggered, XSS is usually divided into reflected XSS, stored XSS and DOM-based XSS. The "injection theory" of vulnerabilities holds that all input parameters are untrusted. Most of the time, when we speak of untrusted data we mean URL parameters, forms, headers and cookies from HTTP client requests, but data coming from databases, web services and other application interfaces, as opposed to HTTP client requests, is untrusted as well. Based on request parameters and response messages, the most widely used technique in XSS detection is dynamic detection: the response is analysed programmatically, simulating page clicks, mouse scrolling, DOM processing, CSS selectors and other operations, to verify the presence of an XSS vulnerability.

This section contains the following.

The basics of XSS vulnerabilities

Principles of using PhantomJS in XSS detection

XSS vulnerability detection with the XSS Validator plugin

The basics of XSS vulnerabilities

In general, we can tell which of the three types (reflected, stored or DOM-based) a vulnerability belongs to by how the XSS vulnerability manifests itself.

1. Reflected XSS: the attacker sends someone a URL whose parameters carry malicious script code; when the URL is opened, the parameter containing the malicious code is parsed and executed as HTML. It is non-persistent in nature and requires the user to click a link with specific parameters. The link usually takes the following form.

The value of its name parameter enters the program code without any processing and is therefore executed. Similar source code is shown below.

2. Stored XSS: the malicious script code is stored in the database; when other users browse the page normally, the site reads the illegal data stored by the malicious user from the database, and the malicious script code is executed. The usual code structure is as follows.

The root cause of this XSS is that the server side does no filtering of JavaScript in the content written to the database.

3. DOM-based XSS: a fragment containing malicious code is parsed and executed as HTML when the front-end page performs a DOM operation, resulting in an XSS vulnerability.

Principles of using PhantomJS in XSS detection

The official website of PhantomJS is http://phantomjs.org and the latest version currently available is 2.1. It is a WebKit-based, server-side JavaScript API that supports web browser features such as DOM processing, JavaScript, CSS selectors, JSON, Canvas and SVG (scalable vector graphics) without needing a browser. Given these features, it is commonly used in the following scenarios.

Browser-less web testing: supports many testing frameworks such as YUI Test, Jasmine, WebDriver, Capybara, QUnit and Mocha.

Page automation: access and manipulate web pages using the standard DOM APIs or JavaScript frameworks such as jQuery.

Screen capture: programmatically grab page content such as CSS, SVG and Canvas to build web crawlers, or build server-side web graphics applications such as screenshot services and vector/raster graphics applications.

Network monitoring: automate network performance monitoring, track page loads and send the related monitoring information.

What we mainly use here is the JavaScript API provided by PhantomJS, calling its monitoring and triggering interfaces to manipulate the DOM nodes of an HTML page and simulate user actions.

There is a plugin for XSS detection in Burp Extender's BApp Store, XSS Validator, which takes advantage of these features of PhantomJS and SlimerJS to accomplish vulnerability validation. Let's take a look at how it works.

In the xss-detector subdirectory of the plugin installation directory there is an xss.js file, which is the actual implementation of the PhantomJS detection. In the code we see that, by default, a listening service is started on port 8093 of the local host and functions as a man-in-the-middle proxy.

When the PhantomJS service starts, requests are intercepted, and the page is requested and initialised through the API. During initialisation, settings are applied to enable web security checking, XSS auditing, JavaScript execution and so on.

Custom alert, confirm and prompt handlers are also defined to record XSS detection information.

JavaScript event detection is handled mainly through the event distribution function.

After understanding these processes, the principle of XSS detection by XSS Validator using PhantomJS is basically mastered. A similar analysis of this principle is clearly stated in an article by Sina Weibo user @eater-fr1day at: http://www.tuicool.com/articles/3emU7n

A diagram is used to describe the interaction process, as follows.

Several key points in the plugin's processing are of particular concern to us.

Intruder uses XSS Validator's payload generator, linking the plugin and Intruder together.

The plugin intercepts the messages sent by Intruder and forwards them to the listening port of the PhantomJS service for processing.

xss.js requests the real web server, processes the response and adds the Grep Phrase flag.

Intruder distinguishes the presence of vulnerabilities based on the Grep Phrase flag.

Only by understanding how PhantomJS detects XSS can we adapt to the actual situation and, for example, modify the xss.js file to meet our own business needs, rather than being limited to the plugin's built-in functionality.

XSS vulnerability detection with the XSS Validator plugin

In the previous section we became familiar with the basics of detecting XSS with PhantomJS; now let's look at how to use the XSS Validator plugin.

The XSS Validator plugin can be installed in two ways, through the BApp Store or manually; manual installation requires downloading and compiling the source code, and the project's GitHub address is https://github.com/nVisium/xssValidator. The installation itself is left to the reader; if you are unsure how to install it, please read the section on using Burp plugins. Once installed, the plugin's interface is shown below.

The left side of the image above shows the parameters that need to be configured when the plugin runs, and the right side shows the payloads used to verify XSS vulnerabilities. Before using the plugin, there are some specific configuration points about PhantomJS that need our attention. These are also in the instructions shown on the installation screen when installing the plugin through the BApp Store.

Before running Intruder, you must start the XSS detection service from the command line with phantomjs xss.js; this is the PhantomJS service listening port mentioned earlier. This means PhantomJS must be installed and added to the PATH environment variable before the command can be run, otherwise it won't work. PhantomJS is very easy to install; if you really don't know how, I suggest reading this article: http://www.mincoder.com/article/4795.shtml

After installation, run phantomjs xss.js; the console shows the following, with no other prompt messages.

For simplicity, we keep the default configuration for all other parameters and modify only two, Grep Phrase and JavaScript functions: Grep Phrase is changed to xss_result, which serves as the detection flag and column header. In JavaScript functions we keep only alert and remove everything else for now, which makes it easy to observe results from the console. Our final configuration is shown in the screenshot.

After configuring the plugin, we need to configure Intruder. First, specify the value of Grep Phrase.

Next, Intruder's payload generator needs to be set to the xssValidator generator.

If it is set up as shown in the image above, you are ready to start Intruder for detection. During detection we will see many log messages in the console; according to our configuration, an alert message in the output indicates that the payload detected an XSS vulnerability. As shown in figure 2 below.

At the same time, in the Intruder results interface, we can view each payload's detection result via the xss_result column; response messages carrying the vulnerability flag are marked, making it easy to distinguish and handle them.
