https://en.wikipedia.org/wiki/Cross-site_scripting

Definition

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.

XSS enables attackers to inject client-side scripts into web pages viewed by other users.

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1]

Bug bounty company HackerOne in 2017 reported that XSS is still a major threat vector.[2]

XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

Types

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent.

Some sources further divide these two groups into traditional (caused by server-side code flaws) and DOM-based (in client-side code).

Non-persistent (reflected)

Persistent (or stored)

Server-side versus DOM-based vulnerabilities

Self-XSS

Mutated XSS (mXSS)

Example

https://www.owasp.org/images/2/22/20110412-aspnet_viewstate_security-alexandre.pdf

Cross-site scripting(XSS)的更多相关文章

  1. WebGoat学习——跨站脚本攻击(Cross‐Site Scripting (XSS))

    跨站脚本攻击(Cross‐Site Scripting (XSS)) XSS(Cross Site Script)跨站脚本攻击.是指攻击者向被攻击Web 页面里插入恶意html代码,当用户浏览该页之时 ...

  2. 跨站脚本攻击(Cross‐Site Scripting (XSS))

    跨站脚本攻击(Cross‐Site Scripting (XSS)) 跨站脚本攻击(Cross‐Site Scripting (XSS)) XSS(Cross Site Script)跨站脚本攻击.是 ...

  3. 跨站脚本攻击(Cross‐Site Scripting (XSS))实践

    作者发现博客园在首页显示摘要时未做html标签的过滤,致使摘要中的html代码可以被执行,从而可以注入任何想要被执行的js代码,作者利用这一缺陷在本文摘要中插入了一段js代码执行alert弹窗,同时增 ...

  4. XSS (Cross Site Scripting) Prevention Cheat Sheet(XSS防护检查单)

    本文是 XSS防御检查单的翻译版本 https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sh ...

  5. Web安全之XSS(Cross Site Scripting)深入理解

    XSS的含义 XSS(Cross Site Scripting)即跨站脚本.跨站的主要内容是在脚本上. 跨站脚本 跨站脚本的跨,体现了浏览器的特性,可以跨域.所以也就给远程代码或者第三方域上的代码提供 ...

  6. XSS 跨站脚本攻击(Cross Site Scripting)

    xss表示Cross Site Scripting(跨站脚本攻击),它与SQL注入攻击类似,SQL注入攻击中以SQL语句作为用户输入,从而达到查询/修改/删除数据的目的,而在xss攻击中,通过插入恶意 ...

  7. Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting

    Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scriptin ...

  8. 跨站脚本攻击XXS(Cross Site Scripting)修复方案

    今天突然发现,网站被主页莫名奇妙的出现了陌生的广告. 通过排查发现是跨站脚本攻击XXS(Cross Site Scripting).以下为解决方案. 漏洞类型: Cross Site Scriptin ...

  9. WordPress Duplicator 0.4.4 Cross Site Scripting

    测试方法: 提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负! Advisory ID: HTB23162 Product:DuplicatorWordPressPlugin Vend ...

  10. DVWA 黑客攻防演练(十)反射型 XSS 攻击 Reflected Cross Site Scripting

    XSS (Cross-site scripting) 攻击,为和 CSS 有所区分,所以叫 XSS.又是一种防不胜防的攻击,应该算是一种 "HTML注入攻击",原本开发者想的是显示 ...

随机推荐

  1. 03jQuery对象初识(二)筛选器2

    1.下面的筛选都是非常常用的 <ul> <li id="l0">l0</li> <li>l1</li> <li&g ...

  2. DevOps理论+实践之路

    DevOps理论+实践之路  整个课程都看完了,这个课程的分享可以往下看,下面有链接,之前做java开发也做了一些年头,也分享下自己看这个视频的感受,单论单个知识点课程本身没问题,大家看的时候可以关注 ...

  3. AppScan的基础使用

    AppScan是用于Web项目的安全测试工具,扫描网站所有url,自动测试是否存在各种类型的漏洞.AppScan安装在Windows环境上,版本越高,规则库越安全,扫描越全面.   1. 打开AppS ...

  4. MySQL模拟Oracle序列使用

    https://www.runoob.com/mysql/mysql-using-sequences.html   一篇笔记开始看 注意:创建序列表时一定要有 主键id自增,否则为只读状态不能修改递增 ...

  5. Leetcode95. Unique Binary Search Trees II不同的二叉搜索树2

    给定一个整数 n,生成所有由 1 ... n 为节点所组成的二叉搜索树. 示例: 输入: 3 输出: [   [1,null,3,2],   [3,2,null,1],   [3,1,null,nul ...

  6. centos的yum配置

    什么是yum ?yum,是Yellow dog Updater Modified的简称,起初是由yellow dog这一发行版的开发者Terra Soft研发,用python写成,那时还叫做yup(y ...

  7. lc6 ZigZag Conversion

    lc6 ZigZag Conversion 分成两步, 第一步垂直向下, 1 1 1 1 第二步倾斜向上 1 1 1 1 1 1 1 用nRows个StringBuilder 然后将他们合并即可 cl ...

  8. [转载] OpenCV2.4.3 CheatSheet学习(二)

    二.矩阵操作(拷贝.洗牌.局部访问): src.copyTo(dst) 把src矩阵中的数据拷贝到dst. src.convertTo(dst, type,scale, shift) 缩放并转换到另外 ...

  9. oracle pl/sql远程连接过程

    之前没用过oracle,现在公司用到就记录下安装过程吧.安装PL/SQL工具,安装oracle11G工具.打开PL/SQL 进行配置.

  10. 嘴巴题1 LA2531 足球联赛

    LA2531 足球联赛 题目: 有n只队伍打比赛,给出每只队目前获胜和失败的场数,再给出两两队伍接下来的比赛场次,问你哪些队伍可能的冠军 (题面摘自http://blog.csdn.net/s_h_r ...