
Learning Notes on XSS Principles

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

What is XSS?

XSS (Cross-Site Scripting), also abbreviated CSS (Cross Site Script), is an attack in which a malicious person inserts malicious HTML code into a Web page. When a user browses the page, the HTML code embedded in it is executed in the user's browser, achieving the attacker's purpose. XSS is a passive attack: because it is passive and relatively difficult to exploit, many people overlook how harmful it is.

What are the types of XSS?

Reflected: put simply, the data entered by the user is reflected back to the browser. It may be HTML or JS code, which the browser then executes.

Stored: the data entered by the user (such as malicious JS code) is stored on the server side. It is highly stable, and its harm is long-lasting.

DOM-based XSS: this type is not classified by where the data is stored, and it can be considered a form of reflected XSS. For historical reasons it is treated as a category of its own. XSS that arises from modifying the structure of the DOM is called DOM-based.

In fact, I think XSS can be divided into persistent XSS and non-persistent XSS.

Persistent XSS plants a script aimed at the client on the server, so that every user who visits the page normally is exposed to the script.

Non-persistent XSS works through a parameter in a page's URL: a carefully constructed malicious script is wrapped in a URL parameter, and the URL is then spread on the Internet to trick users into visiting it.

The harm of XSS

1. Hijack cookies

2. Construct GET and POST requests that act on the user's behalf, using JavaScript to send requests as the browser would

3. XSS phishing

4. Obtain user system and browser information

5. Identify the software installed by the user

6. Hijack the browser session to perform any operation

7. Force ad pages to pop up and drive traffic

8. Get the user's real IP

And so on.

Trigger conditions of XSS

To understand the trigger conditions of XSS, we have to start with HTML (Hypertext Markup Language). All the web pages we browse are built with it.

The principle of XSS is to inject a script into HTML, and HTML defines the script tag. When no characters are filtered, keeping the script tag intact is all it takes to trigger XSS. If content submitted through a form ends up as the value of a tag attribute, values such as the following close the attribute's quote and the tag and then construct a well-formed script tag:

"><script>alert('XSS');</script>
onclick=alert('XSS')
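
The attribute-value case described above, as an added example that is not part of the original article: the same template rendered with plain concatenation and with context-appropriate encoding, plus a simplified scan that reports any tag or attribute the template did not write. The function names, the `q` field and the sample values are assumptions made for illustration.

```javascript
// Added example; function names and the "q" field are hypothetical.
// Vulnerable: user input is concatenated straight into a quoted attribute value.
function renderUnsafe(value) {
  return '<input type="text" name="q" value="' + value + '">';
}

// Encode the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, value encoded for the HTML attribute context.
function renderSafe(value) {
  return '<input type="text" name="q" value="' + escapeHtml(value) + '">';
}

// Simplified, quote-aware scan (not a full HTML parser): report every tag or
// attribute in the rendered markup that the template itself did not write.
function findInjected(html) {
  const found = [];
  const tagRe = /<(\/?[a-zA-Z][^\s>]*)((?:"[^"]*"|'[^']*'|[^>"']|["'])*)>/g;
  const attrRe = /([^\s"'=]+)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"']*)/g;
  const expectedAttrs = ['type', 'name', 'value'];
  for (const [, tag, attrPart] of html.matchAll(tagRe)) {
    if (tag.toLowerCase() !== 'input') found.push('tag:' + tag.toLowerCase());
    for (const [, attr] of attrPart.matchAll(attrRe)) {
      if (!expectedAttrs.includes(attr.toLowerCase())) found.push('attr:' + attr.toLowerCase());
    }
  }
  return found;
}

// Constructed sample values, modelled on the ones quoted in the article.
const SAMPLE_VALUES = ["\"><script>alert('XSS');</script>", "\" onclick=alert('XSS')"];

// For each sample, list what escapes the attribute in each rendering.
function runDemo() {
  return SAMPLE_VALUES.map((value) => ({
    value,
    unsafe: findInjected(renderUnsafe(value)),
    safe: findInjected(renderSafe(value)),
  }));
}

console.log(JSON.stringify(runDemo(), null, 2));
```

With encoding applied, both sample values stay inside the quoted `value` attribute, so the scan reports nothing for the hardened rendering.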
