2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the forms that XSS attacks take. Many people are unsure which forms of XSS attack exist, so the editor consulted various materials and put together a simple, easy-to-follow summary that should help answer that question. Let's go through it.
1. Non-persistent type
What is the non-persistent type? Put simply, the payload has to be injected manually every time an attack is carried out.
Example:
# This file is form.html, which contains a form that is submitted to form.php
# This file is form.php
# Mapping: client (browser) -> server -> client (browser)
If we fill in a normal string in the param field, param=Zhang San,
the result will be the output "Hello, Zhang San".
But suppose we submit an abnormal string: param=<script>window.location.href="https://www.baidu.com"</script>
Because PHP outputs the param parameter submitted by the user directly, the result is not the normal output we expected, and the browser does not stay on the page.
The content of the script tag is parsed by the browser, so the JavaScript redirects the page to the Baidu home page.
This is the simplest example of a non-persistent (reflected) XSS attack.
2. Persistent type
As mentioned above, the non-persistent type is not permanent; the persistent type is just the opposite. Instead of injecting manually for each attack, the attacker uses an injection point in the system, so that the attack content is stored in the database, memory, or cache. The most classic example is injection through a message board.
# This is guestbook.html
Name:
Age:
Content:
# This is guestbook.php
3. DOM type
The DOM type does not require server-side participation; it can be carried out through the DOM tree alone.
# Get the anchor part of the URL (the part starting with #), for example: https://www.baidu.com#abc
eval(decodeURI(location.hash.substr(1)));
# JavaScript's eval function carries great security risks.
# If I type https://www.baidu.com#https://www.abc.com/xss.js in the address bar,
# then JavaScript will read https://www.abc.com/xss.js directly. Once xss.js contains malicious code, our website will be affected.
# Mapping: client (only through the client side, without server-side processing)
This concludes the study of "what are the forms of XSS attacks". I hope it has resolved your doubts. Combining theory with practice helps you learn better, so go and try it!
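The defensive counterpart to the form.php and location.hash cases above, as an added example that is not code from the original article: the parameter is HTML-encoded at output time, and the URL fragment is treated as data checked against an allowlist instead of being passed to eval. All function names and the allowlist values are hypothetical; the sample inputs are constructed from the values the article uses.

```javascript
// HTML-escape untrusted text before placing it in element content
// or inside a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The behaviour the article describes for form.php: the parameter is echoed as-is.
function renderGreetingUnsafe(param) {
  return `<p>Hello, ${param}</p>`;
}

// Hardened version: the same page with the parameter encoded at output time.
// The same encoding applies when rendering stored guestbook entries.
function renderGreetingSafe(param) {
  return `<p>Hello, ${escapeHtml(param)}</p>`;
}

// DOM case: the fragment is data, never code. Decode it and accept only
// values from a fixed allowlist (hypothetical section names).
const ALLOWED_SECTIONS = new Set(['abc', 'news', 'about']);

function sectionFromHash(hash) {
  let value;
  try {
    value = decodeURIComponent(String(hash).replace(/^#/, ''));
  } catch (err) {
    return null; // malformed percent-encoding is rejected
  }
  return ALLOWED_SECTIONS.has(value) ? value : null;
}

// Constructed sample inputs based on the article's own values.
const benign = 'Zhang San';
const hostile = '<script>window.location.href="https://www.baidu.com"</script>';

console.log(renderGreetingUnsafe(hostile)); // script tag survives intact
console.log(renderGreetingSafe(benign));
console.log(renderGreetingSafe(hostile));   // rendered as inert text
console.log(sectionFromHash('#abc'), sectionFromHash('#https://www.abc.com/xss.js'));
```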