Front-end security (2): Cross-Site Scripting (XSS)

1. What are the types of XSS?

According to where the attack originates, XSS attacks can be divided into three types: stored, reflected, and DOM-based. They differ in two respects:

  • Storage area: the location where the malicious code is stored.
  • Insertion point: which component retrieves the malicious code and inserts it into the web page.

1. Stored XSS

Steps of a stored XSS attack:

  1. The attacker submits the malicious code to the target website's database.
  2. When a user opens the target website, the website server takes the malicious code out of the database, splices it into the HTML and returns it to the browser.
  3. After the user's browser receives the response, it parses and executes it, and the malicious code mixed into it is executed as well.
  4. The malicious code steals user data and sends it to the attacker's website, or impersonates the user and calls the target website's interfaces to perform operations the attacker specifies.

This type of attack is common in website functions that save user-provided data, such as forum posts, product reviews, and private messages.

2. Reflected XSS

Steps of a reflected XSS attack:

  1. The attacker constructs a special URL that contains malicious code.
  2. When a user opens the URL containing the malicious code, the website server extracts the malicious code from the URL, splices it into the HTML and returns it to the browser.
  3. After the user's browser receives the response, it parses and executes it, and the malicious code mixed into it is executed as well.
  4. The malicious code steals user data and sends it to the attacker's website, or impersonates the user and calls the target website's interfaces to perform operations the attacker specifies.

The difference between reflected XSS and stored XSS is that in stored XSS the malicious code lives in the database, while in reflected XSS the malicious code is in the URL.

Reflected XSS vulnerabilities are often found in functions that pass parameters through the URL, such as site search and redirects.

Because the user has to actively open the malicious URL for the attack to work, attackers often combine a variety of techniques to induce users to click.

Content sent via POST can also trigger reflected XSS, but its trigger conditions are stricter (a form-submission page has to be constructed and the user guided to submit it), so it is very rare.

3. DOM-based XSS

Steps of a DOM-based XSS attack:

  1. The attacker constructs a special URL that contains malicious code.
  2. The user opens the URL containing the malicious code.
  3. After the user's browser receives the response, it parses and executes it; the front-end JavaScript then takes the malicious code out of the URL and executes it.
  4. The malicious code steals user data and sends it to the attacker's website, or impersonates the user and calls the target website's interfaces to perform operations the attacker specifies.

The difference between DOM-based XSS and the previous two types: in a DOM-based XSS attack, retrieving and executing the malicious code is done entirely by the browser, so it is a security flaw in the front-end JavaScript itself, whereas the other two types of XSS are security flaws on the server side.
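As an added illustration that is not part of the original post, the following JavaScript shows the same untrusted string reaching the page through the three insertion points described above (server-spliced URL parameter, stored comment, front-end reading of the URL fragment), each beside the output-encoded variant that neutralises it. All function names are made up for the example, and a plain object stands in for a DOM element so the file runs in Node.

```javascript
// Added example, not code from the original post. Function names are made up.
// The same untrusted string reaches the page through the three insertion
// points described above; the fixed variant of each applies output encoding.

// Escape for text placed inside an element body. Attribute values, URLs and
// script contexts need their own, context-specific encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected: the server splices a URL parameter into the HTML it returns.
function renderSearchPage(url, escape) {
  const q = new URL(url).searchParams.get('q') || '';
  const shown = escape ? escapeHtml(q) : q; // the only difference between bug and fix
  return `<p>Results for: ${shown}</p>`;
}

// Stored: comments saved earlier are rendered for every later visitor.
function renderComments(savedComments, escape) {
  return savedComments.map((c) => `<li>${escape ? escapeHtml(c) : c}</li>`).join('');
}

// DOM-based: the server never sees the payload; front-end JS reads the URL
// fragment and writes it into the page. A plain object stands in for a DOM
// element so this runs in Node; assigning textContent in a real browser
// yields the escaped serialisation shown in the safe branch.
function greetFromHash(hash, useTextContent) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  const el = { innerHTML: '' };
  if (useTextContent) {
    el.innerHTML = 'Hello, ' + escapeHtml(name); // i.e. el.textContent = 'Hello, ' + name
  } else {
    el.innerHTML = 'Hello, ' + name; // sink: markup from the URL becomes live DOM
  }
  return el.innerHTML;
}

// Constructed input: harmless markup is enough to show whether it is interpreted.
const constructedInput = '<b>injected</b>';
const url = 'https://example.test/search?q=' + encodeURIComponent(constructedInput);
console.log(renderSearchPage(url, false)); // markup survives into the page
console.log(renderSearchPage(url, true));  // markup rendered as literal text
console.log(greetFromHash('#' + encodeURIComponent(constructedInput), false));
console.log(greetFromHash('#' + constructedInput, true));
```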


Source: blog.csdn.net/imagine_tion/article/details/110951271