Add to Favorites | Login | Register
Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

About us Contact us

XSS vulnerability analysis

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)06/01 Report--

What is XSS?

Cross-site script (Cross Site Scripting) is abbreviated as XSS because it is not confused with the abbreviation of cascading style sheet (Cascading Style Sheets,CSS). Malicious users insert html code into the web page. When browsing the page, the html code embedded in the web will be executed, thus achieving the special purpose of the user.

What can XSS do?

Steal administrator Cookie or user Cookie

XSS Worm

Hang a horse (puddle *)

Limited keyloggin

XSS classification

Radioactive XSS

Storage XSS

DOM XSS

Flash XSS

MXSS

Reflective (non-persistent) XSS

When the request is made, the XSS code appears in the URL, and finally the input is submitted to the server. After the server parses the response, the XSS code appears in the response content, and finally the browser parses and executes.

This process is like a reflection, so it is named reflective XSS

Xss.php# submission / xss.php?x=alert (1)

When the server resolves the expression, echo outputs alert (1) to the response body, and then the browser parses and executes the trigger pop-up window.

Stored (persistent) XSS

The only difference between a stored XSS and a reflective XSS is that the submitted XSS code is stored on the server (whether it's database / memory / file system, etc.), and the next time you request the target page, you don't have to submit the XSS code.

The most typical example is the message board XSS, where the user submits a message containing the XSS code for storage in the database, and the target user checks the message board. The message content will be checked from the database and displayed. When the browser finds that there is a XSS code, it is executed as normal HTML and JS parsing, so XSS*** is triggered.

The storage XSS is the most hidden.

# eg: http://www.nfpeople.com/user.php?id=21839

How to use XSS

Payload (valid * * code)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Tag Search: Code user reflection service browse input content list data database server browser defense message board target acronym script procedure page valid vpn macOS Linux MariaDB MySQL Docker Shulou Information Shulou Technology Shulou Tech Info OPPO Reno Redmi Xiaomi NVidia Microsoft Huawei Apple MariaDB Shulou Information Shulou Tech Info Microsoft Linux Xiaomi Huawei OPPO Reno macOS Apple Shulou Technology vpn MySQL NVidia Docker Redmi MariaDB Shulou Information Shulou Tech Info Microsoft Linux Xiaomi Huawei OPPO Reno macOS Apple Shulou Technology vpn MySQL NVidia Docker Redmi

Share To

Related

Network Security

More Network Security >

Latest Network Security More Network Security >

Latest Internet Technology More Internet Technology >

Latest Development More Development >

Latest Database More Database >

Latest Servers More Servers >

Latest Mobile Phone More Mobile Phone >

Latest Android Software More Android Software >

Latest Apple Software More Apple Software >

Latest Computer Software News More Computer Software News >

Latest IT Information More IT Information >

Wechat

About us Contact us Product review car news thenatureplanet

© 2024 shulou.com SLNews company. All rights reserved.

12
Report