4.2.1. Classification

4.2.1.1. Introduction

The full name of XSS is Cross Site Scripting; it is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. The vulnerability manifests on the client side and refers to JavaScript being executed during page rendering that the site did not intend. XSS is commonly used to steal cookies, perform actions as the victim user, and so on.

4.2.1.2. Reflected XSS

Reflected XSS is a common and widespread category. For example, if a website's code contains a statement similar to <?php echo "<p>hello, $_GET['user']</p>";?>, then requesting the site with /?user=</p><script>alert("hack")</script><p> causes the injected JavaScript to execute.

Reflected XSS usually appears in functions such as search. It has to be triggered by getting the user to click a crafted link, and it is heavily affected by defenses such as XSS Auditor and NoScript.

4.2.1.3. Stored XSS

Stored XSS is more harmful than reflected XSS. In this vulnerability, the attacker can store the attack payload in the server’s database, resulting in persistent attacks.

4.2.1.4. DOM XSS

DOM-based XSS differs from the other types in that it is generally not tied directly to how the server's response is parsed; instead it arises while JavaScript on the page executes dynamically.

Example:

<html>
<head>
<title>DOM Based XSS Demo</title>
<script>
function xsstest()
{
    // source: untrusted value read from the text box
    var str = document.getElementById("input").value;
    // sink: the value is concatenated into markup and written with innerHTML,
    // so quotes in it can break out of the src attribute
    document.getElementById("output").innerHTML = "<img src='"+str+"'>";
}
</script>
</head>
<body>
<div id="output"></div>
<input type="text" id="input" size=50 value="" />
<input type="button" value="submit" onclick="xsstest()" />
</body>
</html>

Entering x' onerror='javascript:alert(/xss/) triggers it.
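The two sinks this section shows (the PHP echo in the reflected example and the innerHTML concatenation in the DOM demo) rebuilt as plain string functions, each beside a hardened form that escapes the untrusted value, with a small inventory of the tags and attributes the browser would actually see. This is an added example, not code from the original page; the escapeHtml and inventory helpers are assumptions written for this illustration, and the DOM demo itself is not reproduced since the code runs in Node without a browser.

```javascript
// Added example (not from the original page): vulnerable vs hardened forms of
// the two sinks in this section, run on the section's own payloads.

// Assumed helper, equivalent to PHP htmlspecialchars($s, ENT_QUOTES): it
// neutralises the five characters that can close a text node or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Reflected case: mirrors echo "<p>hello, $_GET['user']</p>".
function helloUnsafe(user) { return "<p>hello, " + user + "</p>"; }
function helloSafe(user)   { return "<p>hello, " + escapeHtml(user) + "</p>"; }

// DOM case: mirrors xsstest()'s innerHTML = "<img src='" + str + "'>".
function imgUnsafe(str) { return "<img src='" + str + "'>"; }
function imgSafe(str)   { return "<img src='" + escapeHtml(str) + "'>"; }

// Assumed helper: lists every opening tag and attribute name in a fragment.
// The templates intend exactly one tag, and for the img only a src attribute.
function inventory(html) {
  const tagRe = /<([a-z][a-z0-9]*)((?:\s+[a-z-]+\s*=\s*(?:'[^']*'|"[^"]*"))*)\s*\/?>/gi;
  const attrRe = /\s([a-z-]+)\s*=\s*(?:'[^']*'|"[^"]*")/gi;
  const tags = [], attrs = [];
  for (const m of html.matchAll(tagRe)) {
    tags.push(m[1].toLowerCase());
    for (const a of m[2].matchAll(attrRe)) attrs.push(a[1].toLowerCase());
  }
  return { tags, attrs };
}

// Payloads taken from the section's two examples.
const reflectedPayload = '</p><script>alert("hack")</script><p>';
const domPayload = "x' onerror='javascript:alert(/xss/)";

if (typeof require !== "undefined" && require.main === module) {
  for (const html of [helloUnsafe(reflectedPayload), helloSafe(reflectedPayload),
                      imgUnsafe(domPayload), imgSafe(domPayload)]) {
    console.log(html, JSON.stringify(inventory(html)));
  }
}
```

The unsafe variants report an extra script tag and an extra onerror attribute respectively; the escaped variants report exactly the one tag and one attribute the template intended, even though the payload text is still visible inside the attribute value.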

4.2.1.5. Blind XSS

Blind XSS is a type of stored XSS: the payload is saved in some data store, executed when a "victim" visits the page that displays it, and rendered into the Document Object Model (DOM). It is called blind because it usually fires in functionality that is not normally visible to the person who submitted the input, such as an administrative back end, so the submitter cannot observe it executing.