Cross-site scripting topic (XSS)

xiaoxiao2021-03-06  109

Cross-site scripting description

What is cross-site scripting (CSS / XSS)?

What we call cross-site scripting refers to data with a malicious purpose inserted into the HTML code of a remote web page. The page itself is trusted, but when the browser downloads the page, the script embedded in it is interpreted.

Cross-site scripting is sometimes called "XSS" because "CSS" usually means Cascading Style Sheets, and the two are easily confused. If you hear someone mention a CSS or XSS security vulnerability, they usually mean cross-site scripting.

What is the difference between XSS and script injection?

The author of the original text discussed this with his friend (B0ILER) and came to understand that not every vulnerability that can be used to carry out an attack is called XSS. There is another attack mode, "script injection". The differences are as follows:

1. A script injection attack saves the script we insert in the modified remote web page, for example SQL injection and XPath injection.

2. Cross-site scripting is temporary and then disappears.

What type of script can be inserted into the remote page?

Mainstream scripts include the following:

HTML

JavaScript (discussed in this article)

VBScript

ActiveX

Flash

What causes an XSS security vulnerability?

When many CGI / PHP scripts run and find that the requested page does not exist, or hit some other type of error, they print the error message into an HTML file and send that error page to the visitor.

For example: 404 - YourFile.html Not Found!

We generally pay little attention to such messages, but to study the cause of CSS (XSS) vulnerabilities, let us take a closer look.

Example: www.somesite.tld/cgi-bin/program.cgi?Page=Downloads.html

The link pointing to this URL is valid, but if we replace the trailing Downloads.html with BrainRawt_owns_me.html, a page containing the message "404 - BrainRawt_owns_me.html Not Found!" is returned to the visitor's browser.

Consider: how does that name get written into the HTML file?
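The error-page behaviour described above, as an added example that is not code from the original article: a Python stand-in for program.cgi that echoes the Page parameter into its 404 page, next to a version that HTML-encodes it, plus a reflection check a defender can run against either. The function names, the KNOWN_PAGES set and the probe string are assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

# Constructed stand-in for the files program.cgi can serve (assumption).
KNOWN_PAGES = {"Downloads.html"}
BASE = "http://www.somesite.tld/cgi-bin/program.cgi?Page="

def page_param(url):
    """Return the decoded Page parameter, as the CGI script would receive it."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("Page", [""])[0]

def render_404_vulnerable(page):
    # The requested name is concatenated straight into the markup, so any
    # HTML metacharacters in it become part of the page structure.
    return "<html><body><h1>404 - " + page + " Not Found!</h1></body></html>"

def render_404_escaped(page):
    # html.escape turns & < > " ' into entities; the name is shown as text only.
    safe = html.escape(page, quote=True)
    return "<html><body><h1>404 - " + safe + " Not Found!</h1></body></html>"

def handle(url, render):
    """Serve a known page, or build the error page with the given renderer."""
    page = page_param(url)
    if page in KNOWN_PAGES:
        return 200, "<html><body>contents of " + html.escape(page) + "</body></html>"
    return 404, render(page)

# Harmless constructed marker containing every HTML metacharacter.
PROBE = "probe<\"'&>.html"

def reflects_raw(render):
    """True if the error page echoes the probe without encoding it."""
    status, body = handle(BASE + quote(PROBE, safe=""), render)
    return status == 404 and PROBE in body

if __name__ == "__main__":
    print(handle(BASE + "BrainRawt_owns_me.html", render_404_vulnerable))
    print("vulnerable handler reflects raw input:", reflects_raw(render_404_vulnerable))
    print("escaped handler reflects raw input:", reflects_raw(render_404_escaped))
```
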

OK, now let us check for the XSS vulnerability!

Note: The following is just an example of a page with an XSS vulnerability, where we can insert JavaScript code we have written into the page. Of course, there are many methods.

www.somesite.tld/cgi-bin/program.cgi?Page=