XSS, also known as CSS (Cross Site Script), is a Cross-Site scripting attack. A malicious attacker inserts malicious html code into a Web page. When a user browses this page, the html code embedded in the Web page is executed, this achieves the Special Purpose of malicious attacks to users. XSS is a passive attack, because it is passive and difficult to use, so many people often ignore its dangers.
A malicious attacker inserts malicious html code into a Web page. When a user browses this page, the html code embedded in the Web is executed to achieve the special purpose of a malicious user.
Introduction: Many web developers think security is insignificant. Security is often the last place in the software development lifecycle, and sometimes even later. Sometimes software security is completely ignored, resulting in common holes in the application. Under the current conditions, such bugs can only be displayed when they are under attack. Therefore, if you do not have any knowledge about the development process, it is difficult to check the issue before it occurs. Using jQuery Mobile, PHP, and MySQL to build web applications, this tutorial shows how many types of vulnerabilities are associated with common development methods. The most important thing is that they provide their respective countermeasures.
XSS vulnerabilities are classified into persistent and non-persistent types:
1. The non-persistent XSS vulnerability is generally found in URL parameters. You need to access a specific URL constructed by a hacker to trigger the vulnerability.
2. The persistent XSS vulnerability usually exists in rich text and other interactive functions, such as posting and leaving messages. The XSS content used by hackers enters the database through normal functions for persistent storage.
3. dom xss vulnerabilities can also be classified into persistent and non-persistent types. They are mostly caused by obtaining the address bar, referer, or encoding the specified HTML Tag content through the javascript DOM interface.
4. Special XSS vulnerabilities caused by FLASH, PDF, and other third-party files are also divided into persistent and non-persistent types based on application functions.
Reflected XSS: When the request data is not encoded or filtered in the response, the reflected XSS occurs. With the help of social engineering, attackers can trick users into accessing the page that creates such a request, that is, attackers can execute JavaScript in the target user context. What this change can do depends on the nature of the vulnerability, but XSS is generally used to hijack sessions, steal creden。, or perform unauthorized operations.
Persistent type: a persistent type of threat is generally greater than a reflected type. XSS is considered a persistent type when the server submits a request data service for the user. Because malicious data is persistent in applications, it can be exploited based on different vulnerabilities, which makes the social engineering aspects of attacks easier and even completely eliminated.