What is an XSS attack, what are the types, and how to defend against it?

Updated on technology 2024-03-24
8 answers
  1. Anonymous users 2024-02-07

    1. Phishing, including stealing all kinds of users;

    2. Steal user cookie information, so as to obtain user privacy information, or use the user's identity to further perform operations on **;

    3. Hijacking user (browser) sessions to perform arbitrary operations, such as making illegal transfers, forcibly publishing logs, sending emails, etc.;

    4. Forced pop-up of advertising pages, swiping traffic, etc.;

    5. Malicious operations such as arbitrarily tampering with page information, deleting articles, etc.;

    6. Carry out a large number of client-side attacks, such as DDoS attacks;

    7. Obtain client information, such as the user's browsing history, real IP, open port, etc.;

    8. Control the victim's machine to launch attacks on other **;

    9. Combined with other vulnerabilities, such as CSRF vulnerabilities, to carry out further evil;

    10. Enhance user permissions, including further infiltration**;

    11. Spread cross-site scripting worms, etc.

  2. Anonymous users 2024-02-06

    With the ability to inject ** into the resulting web pages, you can have as serious a threat as you can think of. Attackers can use XSS exploits to steal cookies, hijack accounts, execute ActiveX, execute Flash content, force you into software, or take action on hard drives and data.

    This is possible as long as you click on some URLs. How many times a day do you click on a URL of a trusted email message from a message board or newsgroup when reading it?

    Phishing attacks often exploit XSS vulnerabilities to dress up as legitimate sites. You can see a lot of this, such as your bank sending you an email informing you that some changes have been made to your account and tricking you into clicking on certain hyperlinks. If you look closely at these URLs, they may actually exploit a vulnerability present in the bank**, in a form similar to the "redirect" parameter that is exploited here to execute the attack.

    Once an administrator opens the URL, they can perform many malicious actions, such as stealing his (or her) credentials.

  3. Anonymous users 2024-02-05

    Filter for ** containing js, there are such files on the Internet.

  4. Anonymous users 2024-02-04

    Let's construct a backup cross-site statement as follows:

    Or construct a cross-site statement and use an iframe to open a 0 size.

    When the administrator opens it, it will automatically back up a shell. From the above example, we can know that how to spoof management opening is a very important step, for spoofing opening, in addition to social engineering, we can combine other techniques, such as SQL injection. When we infiltrate a **, the master MSSQL injection vulnerability, the authority is public, at this time we use update to construct a cross-site statement, such as using an iframe to open a backup above to get the shell cross-site statement, etc., similarly, we can use other cross-site vulnerabilities of QQ and so on in social engineering.

    Always for deception is also an art, how to use it, everyone use their imagination!

    A good deception is also an art, both in life and in the network. It is inevitable that there are some things in life that cannot be told the truth, and at this time, it is up to the art of deception to adopt appropriate methods to make our falsehoods be told as the truth.

  5. Anonymous users 2024-02-03

    XSS attacks, also known as cross-site scripting, focus not on cross-site scripting, but on script execution. XSS is a computer security vulnerability that often appears in web applications and is caused by the web application's insufficient filtering of the user's input, which allows malicious web users to implant ** into pages made available to other users.

  6. Anonymous users 2024-02-02

    Here's a detailed introduction to learn about it.

  7. Anonymous users 2024-02-01

    XSS is also known as CSS (Cross Site Script), cross-site scripting attacks. It refers to the malicious attacker inserting malicious HTML** into the web page, and when the user browses the page, the HTML** embedded in the web will be executed, so as to achieve the special purpose of the malicious user. XSS is a passive attack, because it is passive and difficult to use, so many people often call it harmful.

  8. Anonymous users 2024-01-31

    XSS attacks usually refer to an attack in which hackers use "HTML injection" to tamper with a web page and insert a malicious script to take control of the user's browser while they browse the web.
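
The insufficient filtering of user input that answers 5 and 8 describe, and the cookie theft that answers 1 and 2 mention, shown as a vulnerable renderer beside a hardened one. This is an added example, not part of any answer; the function names and sample inputs are constructed for illustration.

```javascript
// Added example: all names and sample values here are illustrative.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated into markup unchanged, so it can
// open a new tag (body context) or a new attribute (attribute context).
function renderCommentUnsafe(author, text) {
  return `<div class="comment" title="${author}">${text}</div>`;
}

// Hardened: every untrusted value is encoded at the point of output.
function renderCommentSafe(author, text) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(text)}</div>`;
}

// Escaping alone does not stop javascript: URLs placed in href/src,
// so link targets are additionally restricted to absolute http(s) URLs.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    return ['http:', 'https:'].includes(parsed.protocol) ? escapeHtml(parsed.href) : '#';
  } catch {
    return '#'; // relative or unparsable input is rejected
  }
}

// HttpOnly keeps the session cookie out of reach of document.cookie,
// which limits what an injected script can read.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample inputs: one for the body context, one for the attribute context.
const samples = { text: '<script>alert(1)</script>', author: '" onmouseover="alert(1)' };

console.log(renderCommentUnsafe(samples.author, samples.text));
console.log(renderCommentSafe(samples.author, samples.text));
console.log(safeHref('javascript:alert(1)'));
console.log(sessionCookieHeader('abc123'));
```

Encoding at output time, rather than filtering at input time, is what keeps the stored text intact while making it inert in the page.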
