https://en.wikipedia.org/wiki/Cross-site_scripting

Definition

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.

XSS enables attackers to inject client-side scripts into web pages viewed by other users.

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1]

Bug bounty company HackerOne in 2017 reported that XSS is still a major threat vector.[2]

XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

Types

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent.

Some sources further divide these two groups into traditional (caused by server-side code flaws) and DOM-based (in client-side code).

Non-persistent (reflected)

Persistent (or stored)

Server-side versus DOM-based vulnerabilities

Self-XSS

Mutated XSS (mXSS)

Example

https://www.owasp.org/images/2/22/20110412-aspnet_viewstate_security-alexandre.pdf

Cross-site scripting(XSS)的更多相关文章

  1. WebGoat学习——跨站脚本攻击(Cross‐Site Scripting (XSS))

    跨站脚本攻击(Cross‐Site Scripting (XSS)) XSS(Cross Site Script)跨站脚本攻击.是指攻击者向被攻击Web 页面里插入恶意html代码,当用户浏览该页之时 ...

  2. 跨站脚本攻击(Cross‐Site Scripting (XSS))

    跨站脚本攻击(Cross‐Site Scripting (XSS)) 跨站脚本攻击(Cross‐Site Scripting (XSS)) XSS(Cross Site Script)跨站脚本攻击.是 ...

  3. 跨站脚本攻击(Cross‐Site Scripting (XSS))实践

    作者发现博客园在首页显示摘要时未做html标签的过滤,致使摘要中的html代码可以被执行,从而可以注入任何想要被执行的js代码,作者利用这一缺陷在本文摘要中插入了一段js代码执行alert弹窗,同时增 ...

  4. XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)

    本文是 XSS防御检查单的翻译版本 https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sh ...

  5. Web安全之XSS(Cross Site Scripting)深入理解

    XSS的含义 XSS(Cross Site Scripting)即跨站脚本.跨站的主要内容是在脚本上. 跨站脚本 跨站脚本的跨,体现了浏览器的特性,可以跨域.所以也就给远程代码或者第三方域上的代码提供 ...

  6. XSS 跨站脚本攻击(Cross Site Scripting)

    xss表示Cross Site Scripting(跨站脚本攻击),它与SQL注入攻击类似,SQL注入攻击中以SQL语句作为用户输入,从而达到查询/修改/删除数据的目的,而在xss攻击中,通过插入恶意 ...

  7. Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting

    Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scriptin ...

  8. 跨站脚本攻击XXS(Cross Site Scripting)修复方案

    今天突然发现,网站被主页莫名奇妙的出现了陌生的广告. 通过排查发现是跨站脚本攻击XXS(Cross Site Scripting).以下为解决方案. 漏洞类型: Cross Site Scriptin ...

  9. WordPress Duplicator 0.4.4 Cross Site Scripting

    测试方法: 提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! Advisory ID: HTB23162 Product:DuplicatorWordPressPlugin Vend ...

  10. DVWA 黑客攻防演练(十)反射型 XSS 攻击 Reflected Cross Site Scripting

    XSS (Cross-site scripting) 攻击,为和 CSS 有所区分,所以叫 XSS.又是一种防不胜防的攻击,应该算是一种 "HTML注入攻击",原本开发者想的是显示 ...

随机推荐

  1. 关于Spring Cloud Feign的一些记录!

    学习Spring Cloud Feign过程中,相关资料都会反复强调:微服务调用的话(@FeignClient)  客户端方法的返回值和服务端方法的返回值还有方法名之类的都是要求一致的! 关于方法名是 ...

  2. Python爬虫笔记【一】模拟用户访问之设置请求头 (1)

    学习的课本为<python网络数据采集>,大部分代码来此此书. 网络爬虫爬取数据首先就是要有爬取的权限,没有爬取的权限再好的代码也不能运行.所以首先要伪装自己的爬虫,让爬虫不像爬虫而是像人 ...

  3. 【CF932E】Team Work

    题目 luogu的Romtejudge挂了我就当我过了吧 求 \[\sum_{i=1}^n\binom{n}{i}i^k\] 其实是个思博套路题,但是我现在这个水平还是刷刷板子吧 处理\(x^k\)是 ...

  4. 轻量级IoC框架Ninject.NET搭建

    说在之前的话 IOC的概念相信大家比较熟悉了,习惯性称之为依赖注入或控制反转,园子里对基于MVC平台IOC设计模式已经相当多了,但大家都只知道应该怎么应用一个IOC模式,比如Ninject, Unit ...

  5. 23-css补充

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  6. springboot2 +thymeleaf

    springboot 1.5. 9+ thymeleaf <!--sidebar--> <nav class="col-md-2 d-none d-md-block bg- ...

  7. jiba中文分词原理

    中文分词就是将一个汉字序列分成一个一个单独的词. 现有的分词算法有三大类: 基于字符串匹配的分词:机械分词方法,它是按照一定的策略将待分析的字符串与一个充分大的机器词典中的词条进行匹配,若在词典中找到 ...

  8. Linux CentOS6.5安装Nginx1.8.0

    一. 安装nginx 1. 准备1.8.0安装包 nginx-1.8.0.tar.gz 2. 安装第三方依赖 yum install gcc-c++ yum install -y pcre pcre- ...

  9. git add命令后出现Another git process seems to be running in this repositor...错误提示

    问题原因 在控制台使用git命令操作时,使用了 git commit 进入了commit信息书写页面,大多数人因为不太熟悉vim的操作导致不知怎么结束编写,就进行了直接关闭控制台的操作,但是此时git ...

  10. DB-SQLServer:SQLServer

    ylbtech--DB-SQLServer:SQLServer SQL是英文Structured Query Language的缩写,意思为结构化查询语言.SQL语言的主要功能就是同各种数据库建立联系 ...