What is XSS

Full name: Cross Site Scripting (XSS)

To distinguish it from Cascading Style Sheets (CSS), Cross Site Scripting is abbreviated as XSS.

Hazards: stealing user information, phishing, building worms, and more.

Concept: a form of HTML injection in which an attacker tampers with a web page and inserts a malicious script, so that when a user browses the page the script runs and the attacker controls the behaviour of the user's browser.

An attacker can use XSS to steal the user's cookie; with that cookie, the attacker can access the site as if they were the user.

XSS is client-side code injection, normally of JavaScript. This differs from SQL injection, which is server-side code injection. By how the payload is delivered and executed, XSS is divided into stored XSS, reflected XSS and DOM-based XSS.

Stored XSS

The attack code is stored on the server side (in the database) and is output in the HTTP response.

A common scenario: an attacker writes a blog post containing malicious JavaScript. After the post is published, every user who views the blog executes that JavaScript in their own browser.

Reflected XSS

The attack code is in the URL and is output in the HTTP response. The attacker usually has to convince the user to click a malicious link for the attack to succeed.

1. The user logs in to the site.

2. The attacker sends the user a URL they have prepared.

3. The user requests the attacker's URL.

4. The server's response to the user contains the attacker's JavaScript.

5. The attacker's JavaScript executes in the user's browser.

6. The user's browser sends the session token to the attacker.

7. The attacker hijacks the user's session.

DOM-based XSS

In effect, this is also a reflected XSS.

The attack code is in the URL, and the output is written into a DOM node by client-side script rather than by the server.
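As an added example that is not part of the original post, the snippet below shows the stored and reflected cases as the one server-side output bug they are (untrusted text concatenated into HTML) beside the escaping fix and a simple regression check; the comment text, function names and template are illustrative assumptions.

```javascript
// Added example (not code from the original post). The stored and reflected
// cases above are the same server-side bug: untrusted text is concatenated
// into HTML. The fix is to escape it for the HTML context before output.
// The sample comment below is constructed for illustration.

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape a value for use as text inside an element body or a quoted
// attribute value. Other contexts (JavaScript, URL, CSS) need their own
// encoders; HTML escaping alone is not enough there.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the comment (from the database for stored XSS, from the URL
// for reflected XSS) is inserted as raw markup, so the browser parses and
// runs whatever tags it contains.
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: same template, but the comment is escaped first, so the browser
// renders it as literal text.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Regression check a defender can run against a response body: if the
// markup-bearing input comes back byte-for-byte, the output is unescaped.
function reflectsUnescaped(input, responseBody) {
  return /<[a-z]/i.test(input) && responseBody.includes(input);
}

// For DOM-based XSS the same rule applies in the browser: assign untrusted
// text with element.textContent, never element.innerHTML.

const sample = 'Nice post <script>alert(1)</script>';
console.log(renderCommentVulnerable(sample)); // tag survives intact
console.log(renderCommentSafe(sample));       // tag becomes &lt;script&gt;...
console.log(reflectsUnescaped(sample, renderCommentVulnerable(sample))); // true
console.log(reflectsUnescaped(sample, renderCommentSafe(sample)));       // false
```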


Reproduce these by hand to learn them better; reference material: https://blog.csdn.net/extremebingo/article/details/81176394


Origin www.cnblogs.com/H-hy/p/11329462.html