XSS stands for cross-site scripting (a cross-site script attack). Its natural abbreviation would be CSS, so it is written XSS to distinguish it from CSS (Cascading Style Sheets). It is a common vulnerability in web applications.
Principle:
The attacker enters malicious HTML code into a website that has an XSS vulnerability. When other users browse the website, that HTML code is executed automatically, which achieves the purpose of the attack: stealing the user's cookies, destroying the page structure, redirecting to other websites, and so on.
For example, if the comment function of a forum does not filter for XSS, a comment like the following can be posted:
<script> while(true) { alert('你关不掉我'); } </script>
The published comment contains JavaScript. If the server does not filter or escape such scripts and publishes them as content on the page, other users will run the script when they visit the page.
This is just a simple example. A malicious person can modify the above code into malicious code and steal your cookies or other information.
XSS types:
XSS can generally be divided into persistent XSS and non-persistent XSS.
1. Persistent XSS: the script that attacks the client is planted on the server, so every user who accesses the page normally is attacked by it (as with the comment function described above).
2. Non-persistent XSS: the attacker tampers with a parameter in a page's URL, wraps a carefully constructed malicious script in that parameter, and then publishes the URL online to deceive users into visiting it, thereby carrying out the attack. The security threat of non-persistent XSS is relatively small, because as soon as the server adjusts its business code to filter the input, the URL carefully constructed by the attacker becomes invalid immediately. In contrast, persistent XSS attacks have great impact: sometimes the server side needs to delete several tables and query many databases to remove the data containing the malicious code.
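The filtering or escaping that the text says the server must perform, as an added example (not code from the original article): the stored comment and a URL parameter are HTML-escaped at the moment they are written into the page. The function names and the forum.example URL are assumptions made for illustration.

```javascript
// Added example: output escaping for the persistent and non-persistent cases.
// All function names and the sample URL are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that can change HTML structure with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored comment is concatenated into the page as markup.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened: the stored comment is escaped on output, so it renders as text.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Hardened handling of a URL parameter echoed into the page (non-persistent case).
function renderSearchSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return '<p>Results for: ' + escapeHtml(q) + '</p>';
}

// Constructed sample inputs: the comment from the text, and a made-up URL.
const storedComment = "<script> while(true) { alert('你关不掉我'); } </script>";
const reflectedUrl = 'https://forum.example/search?q=' + encodeURIComponent(storedComment);

console.log(renderCommentUnsafe(storedComment)); // still contains a live <script> element
console.log(renderCommentSafe(storedComment));   // the script appears as inert text
console.log(renderSearchSafe(reflectedUrl));     // the parameter appears as inert text
```

Escaping belongs at output time and must match the context: this function is for HTML element content and quoted attribute values, not for data placed inside a script block or a URL.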