Common security handling in front-end development

A: XSS (cross-site scripting) attack

  (1) An attacker inserts malicious code (HTML tags, JavaScript) into a web page. When a user browses that page, the malicious HTML/script is executed in the user's browser, which lets the attacker steal the user's cookies, hijack the session, and carry out other actions.

  (2) Category

    1. DOM XSS: the Document Object Model (DOM) lets programs and scripts dynamically access and update a document's content, structure and style. The server does not need to take part in the response at all; the XSS is triggered when the browser parses the DOM, so this kind can be considered entirely a browser-side matter.

    2. Reflected XSS: also called non-persistent XSS, currently the most common kind of XSS vulnerability. The XSS code appears in the URL of a request and is submitted to the server; the server echoes it back in the content of the response, and the browser then parses and executes it.

    3. Stored XSS: also called persistent XSS, the most dangerous kind of cross-site scripting attack. Compared with reflected and DOM XSS it is better hidden and therefore more harmful, and it does not require the user to trigger it manually: once the attacker submits a piece of XSS code that the server accepts and stores, every browser that visits the page is hit. The most typical example is a message board.

  (3) Harm

    1. Using a fake input form to steal user information.

    2. Using a script to steal the user's cookie value.


  (4) Defense

    1. Set the HttpOnly attribute on the cookie so that JavaScript cannot read it (set on the server side).

    2. Avoid using eval to execute strings.

    3. Validate input with regular expressions, filter tags, and escape special characters.
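As an added example (not code from the original post), the two defenses above that front-end and server code can implement directly: escaping untrusted text at output time, shown against the message-board case from the stored-XSS description, and issuing the session cookie with HttpOnly. The helper names and the sample message are constructed for this example; it runs under Node.js with no dependencies.

```javascript
// Added example, not from the original post. Runs under Node.js.

// Map every character that has meaning in HTML to its entity. Escaping at
// output time, not only filtering at input time, is what stops a stored
// payload from executing when the page is rendered.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Single-pass replacement, so already-escaped text is never double-escaped
// within one call and the five characters are handled together.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one message-board entry into HTML.
// safe=false reproduces the vulnerable pattern of pasting user text straight
// into markup; safe=true (the default) escapes it first.
function renderMessage(author, body, safe = true) {
  const enc = safe ? escapeHtml : (s) => String(s);
  return `<li><b>${enc(author)}</b>: ${enc(body)}</li>`;
}

// Build the Set-Cookie header value for a session id. HttpOnly keeps
// document.cookie from reading it; Secure and SameSite are added here as
// the usual companions (an assumption of this example, not from the post).
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input: a message-board post carrying a script tag.
const sampleBody = '<script>alert(1)</script>';

console.log(renderMessage('guest', sampleBody, false)); // tag reaches the page intact
console.log(renderMessage('guest', sampleBody));        // only entities reach the page
console.log(sessionCookie('sid', 'abc123'));
```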


Origin www.cnblogs.com/MJ-MY/p/11303196.html