On XSS


 An XSS (cross-site scripting) attack usually refers to exploiting vulnerabilities left during web development to inject malicious instruction code into a page in a crafted way, so that users load and execute a web program fabricated by the attacker. These malicious web programs are usually JavaScript, but can in fact also include Java, VBScript, ActiveX, Flash or even plain HTML. After a successful attack, the attacker may obtain, among other things, higher privileges (such as the ability to perform certain operations), private web page content, sessions and cookies.

Principle:

  HTML is a hypertext markup language that distinguishes text from markup by treating certain characters specially. For example, the less-than sign (<) is seen as the beginning of an HTML tag, the characters between <title> and </title> are the title of the page, and so on. When content inserted into a dynamic page contains these special characters (such as <), the user's browser mistakes it for inserted HTML tags, and when those tags introduce a piece of JavaScript, the script is executed in the user's browser. So when a dynamic page does not check these special characters, or checks them incorrectly, an XSS vulnerability arises.
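
The principle above, as an added example that is not part of the original article: a page template that inserts dynamic content as-is, next to the same template with the special characters encoded, plus a small check that tells the two apart. All function names and sample inputs are constructed for illustration.

```javascript
// Characters HTML treats specially, mapped to their entity references.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the dynamic value is placed into the page unchanged, so a
// "<" in it is parsed by the browser as the start of a tag.
function renderGreetingUnsafe(name) {
  return `<title>Welcome</title><p>Welcome back, ${name}</p>`;
}

// Hardened: same template, dynamic value encoded before insertion.
function renderGreetingSafe(name) {
  return `<title>Welcome</title><p>Welcome back, ${escapeHtml(name)}</p>`;
}

// Count opening tags in the rendered markup (a rough stand-in for what
// the browser's parser would treat as elements).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// True if rendering `input` yields more or fewer tags than rendering a
// plain placeholder, i.e. the input changed the page structure.
function introducesMarkup(render, input) {
  return countTags(render(input)) !== countTags(render('x'));
}

// Constructed sample inputs: one carrying a tag, one ordinary text.
for (const input of ['<script>alert(1)</script>', 'Tom & Jerry <3']) {
  console.log(JSON.stringify(input),
    'unsafe changes structure:', introducesMarkup(renderGreetingUnsafe, input),
    '| safe changes structure:', introducesMarkup(renderGreetingSafe, input));
}
```

A check like `introducesMarkup` can serve as a regression test over every template that accepts user input.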

Features:

  Compared with phishing attacks, XSS attacks cause greater harm and usually have the following characteristics:

① Because an XSS attack runs inside the application the user is currently using, the user sees their own personalized information, such as account information or a "welcome back" message; a cloned web site does not display personalized information.

② The cloned web sites commonly used in phishing are shut down immediately once discovered.

③ Many browsers and security software products have built-in phishing filters that can prevent users from accessing malicious cloned sites.

④ If a customer visits a cloned online banking web site, the bank generally takes no responsibility. However, if an attacker attacks the bank's customers through an XSS vulnerability in the bank's own application, the bank cannot simply pass the buck.

 

Types:

  By how the attack code works, XSS can be divided into three types:

(1) Persistent (stored) cross-site: the most directly harmful type; the cross-site code is stored on the server (in the database).

(2) Non-persistent cross-site: reflected cross-site scripting, the most common type. The user visits the server through a cross-site link, and the server returns the cross-site code.

(3) DOM cross-site (DOM XSS): a security issue in the DOM (Document Object Model) caused by client-side script processing logic.

A DOM-based XSS vulnerability arises when client-side script on the victim's side does not handle data properly while modifying the local page's DOM environment, so that the attack script is executed. Throughout the attack the server's response for the page does not change; the difference in the client script's execution result is caused by malicious tampering with the local DOM environment.

 

Attack:

  Common XSS attack techniques and purposes are:

1. Stealing cookies to obtain sensitive information.

2. Embedding Flash and using crossdomain permission settings to gain higher privileges, or using Java and similar technologies to achieve a similar effect.

3. Using iframe, frame, XMLHttpRequest or the Flash approach above to perform management actions as the (attacked) user, or to perform ordinary operations such as posting microblogs, adding friends and sending private messages.

4. Exploiting the fact that the attackable domain is trusted by other domains, in order to request, as a trusted source, operations that are not normally allowed, such as improper voting.

5. XSS on some very heavily visited pages can be used to attack smaller sites, achieving the effect of a DDoS attack.

 

Source material: Baidu Encyclopedia



Origin www.cnblogs.com/Aurstin/p/11568760.html