0x01 Constructing GET and POST requests

Every operation on a website can be carried out as long as you can issue GET or POST requests, which follows from the HTTP protocol itself. For the attacking side, the browser allows requests to be sent using JavaScript:
    var img = document.createElement("img");
    img.src = "http://xxxxxxxx";
    document.body.appendChild(img);
Anyone who has learned JavaScript knows that this is a GET request initiated through an image. If the action is deleting a status post ("talk") or a personal signature on an SNS site, that is, a URL followed by parameters (such as delete&id=xxx), then executing this JS code (the XSS payload) performs the add or delete operation. Now a POST version:
    // Build a hidden container, inject a form into it, then submit the form.
    var dd = document.createElement("div");
    document.body.appendChild(dd);
    dd.innerHTML = '<form action="" method="post" id="xss***" name="mbform">' +
        '<input type="hidden" value="***" name="***"/>' +
        '<input type="text" value="test" name="mb_text"/>' +
        '</form>';
    document.getElementById("xss***").submit();
Er... this is a POST request submitted through a form that I made up off the top of my head. The result of executing it would be roughly to submit and add an article, or to publish a message such as a signature. So XSS is not only about hijacking cookies and sessions: even when you cannot log in to the back end that way (for example, because HttpOnly is set), the payload can operate directly on the front end to achieve its purpose. Adding or deleting messages is only one example; others include reading user data and obtaining the real IP address of the target machine. That is all for now; I will put together the next part of the article as soon as possible.
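
A defender's view of the two requests above, as an added example that is not part of the original article: a server-side screen over the browser's Fetch Metadata headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-User). The endpoint paths, function names and sample requests are assumptions constructed for illustration.

```javascript
// Added example. Paths are hypothetical stand-ins for the SNS actions
// (talk / signature add and delete) mentioned in the article.
const ACTION_PATHS = [/^\/talk\/(add|delete)$/, /^\/signature\/(add|delete)$/];

function screenRequest(req) {
  const path = req.url.split("?")[0];
  if (!ACTION_PATHS.some((re) => re.test(path))) {
    return { verdict: "allow", reason: "not an action endpoint" };
  }
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(req.headers || {})) h[k.toLowerCase()] = v;
  const dest = h["sec-fetch-dest"];

  // An injected <img> arrives as a subresource load (Sec-Fetch-Dest: image).
  if (dest !== undefined && dest !== "document" && dest !== "empty") {
    return { verdict: "block", reason: "subresource load (" + dest + ") on action endpoint" };
  }
  // State changes must not be reachable by GET at all.
  if (req.method !== "POST") {
    return { verdict: "block", reason: "state change requires POST" };
  }
  // Heuristic: a form navigation started by script (form.submit()) without a
  // user gesture carries no "Sec-Fetch-User: ?1". Flag it rather than block,
  // because legitimate auto-submitting forms look the same.
  if (h["sec-fetch-mode"] === "navigate" && h["sec-fetch-user"] !== "?1") {
    return { verdict: "review", reason: "scripted form navigation" };
  }
  return { verdict: "allow", reason: "ok" };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  imgGet: { method: "GET", url: "/talk/delete?id=1",
            headers: { "Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors" } },
  plainGet: { method: "GET", url: "/talk/delete?id=1", headers: {} },
  scriptedForm: { method: "POST", url: "/signature/add",
                  headers: { "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate" } },
  userForm: { method: "POST", url: "/signature/add",
              headers: { "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
                         "Sec-Fetch-User": "?1" } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  const r = screenRequest(req);
  console.log(name + ": " + r.verdict + " (" + r.reason + ")");
}
```

Fetch Metadata screening narrows what injected script can trigger but does not remove the injection; output encoding and a Content Security Policy address the XSS itself.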
Next article: http://www.bkjia.com/Article/201305/215715.html