What is Cross-site scripting

Author: KirstenS. Contributor(s): Jim Manico, Jeff Williams, Dave Wichers, Adar Weidman, Roman, Alan Jex, Andrew Smith, Jeff Knutson, Imifos, Erez Yalon, kingthorin, Vikas Khanna, Grant Ongers


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.


An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting.

Related Security Activities

How to Avoid Cross-site scripting Vulnerabilities

How to Review Code for Cross-site scripting Vulnerabilities

See the Code Review Guide.

How to Test for Cross-site scripting Vulnerabilities

See the latest Testing Guide article on how to test for the various kinds of XSS vulnerabilities.


Cross-Site Scripting (XSS) attacks occur when:

Data enters a web application through an untrusted source, most frequently a web request.

The data is included in dynamic content that is sent to a web user without being validated for malicious content.

The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

Reflected and Stored XSS Attacks

XSS attacks can generally be categorized into two categories: reflected and stored. There is a third, much less well-known type of XSS attack called DOM Based XSS that is discussed separately here.

Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-I XSS (the attack is carried out through a single request / response cycle).

Stored XSS Attacks

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.
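Both reflected and stored XSS come down to the same defect: untrusted data is concatenated into HTML output without being encoded for the context it lands in. The following is an added example (not code from the original page or from OWASP) that renders a search-results page in a vulnerable and a hardened form. The query string stands in for a reflected value and the comment rows for stored ones; the encoder, the renderer names and the sample data are all assumptions made for this illustration.

```javascript
// Added example (not from the original page): a body-context HTML encoder and
// a search-results renderer in vulnerable and hardened form. The same encoding
// step protects a reflected value (query) and a stored one (forum comments).
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that have meaning in an HTML body context.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// Vulnerable: request input and database rows are concatenated straight into
// markup, so any '<' or '>' in them is parsed by the browser as a tag.
function renderResultsUnsafe(query, rows) {
  return '<h1>Results for ' + query + '</h1><ul>' +
    rows.map(r => '<li>' + r.comment + '</li>').join('') + '</ul>';
}

// Hardened: every untrusted value is encoded at the point it enters the output.
function renderResultsSafe(query, rows) {
  return '<h1>Results for ' + encodeForHtml(query) + '</h1><ul>' +
    rows.map(r => '<li>' + encodeForHtml(r.comment) + '</li>').join('') + '</ul>';
}

// Constructed sample input: a reflected search term and two stored comments.
// The markup inside them is meant to be shown as text, not interpreted.
const SAMPLE_QUERY = '<b>shoes</b>';
const SAMPLE_ROWS = [
  { comment: 'great product' },
  { comment: '<i>not</i> "italic"' },
];

// Count tags in the output that did not come from the template itself; a
// non-zero result means untrusted data reached the browser's parser as markup.
function countForeignTags(html) {
  const templateTags = new Set(['h1', '/h1', 'ul', '/ul', 'li', '/li']);
  const tags = html.match(/<\/?[a-z][a-z0-9]*/gi) || [];
  return tags.filter(t => !templateTags.has(t.slice(1).toLowerCase())).length;
}
```

Running renderResultsUnsafe over the sample data yields four tags that the template never wrote; renderResultsSafe yields none, because the same input is now delivered to the browser as text. Encoding at output time, rather than filtering at input time, is what makes the fix hold for both the reflected and the stored path.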


Blind Cross-site Scripting

Blind Cross-site Scripting is a form of persistent XSS. It generally occurs when the attacker’s payload is saved on the server and reflected back to the victim from the backend application. For example, in feedback forms, an attacker can submit the malicious payload using the form, and once the backend user/admin of the application opens the attacker’s submitted form via the backend application, the attacker’s payload will get executed. Blind Cross-site Scripting is hard to confirm in a real-world scenario, but one of the best tools for this is XSS Hunter.

Other Types of XSS Vulnerabilities

In addition to Stored and Reflected XSS, another type of XSS, DOM Based XSS, was identified by Amit Klein in 2005. hoidapthutuchaiquan.vn recommends the XSS categorization as described in the article Types of Cross-Site Scripting, which covers all these XSS terms, organizing them into a matrix of Stored vs. Reflected XSS and Server vs. Client XSS, where DOM Based XSS is a subset of Client XSS.

XSS Attack Consequences

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. Do not be fooled into thinking that a “read-only” or “brochureware” site is not vulnerable to serious reflected XSS attacks. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information resulting in an overdose. For more information on these types of attacks see Content Spoofing.

How to Determine If You Are Vulnerable

XSS flaws can be difficult to identify and remove from a web application. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note that a variety of different HTML tags can be used to transmit a malicious JavaScript. Nessus, Nikto, and some other available tools can help scan a website for these flaws, but can only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.
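A code review of the kind described above starts by listing every line where request-derived data meets an HTML-producing sink. The helper below is an added example (not from the original page or any tool it names) that does that first pass mechanically over source lines: it pairs a set of source patterns (request parameters, URL fragments) with a set of sink patterns (response writes, innerHTML, document.write) and notes whether an encoding call appears on the same line. The pattern lists, the function name and the sample source are assumptions; it is a heuristic for triage, not a data-flow analysis, and a value copied into a variable on one line and written out on another will not be matched.

```javascript
// Added example (not from the original page): a line-level triage helper for
// the code-review step. It flags lines where request data and an HTML sink
// appear together, so a reviewer knows where to start reading.
const SOURCE_PATTERNS = [
  /req\.(query|params|body|cookies)\b/,      // Express-style request fields
  /request\.(GET|POST|args|form)\b/,         // Django / Flask-style request fields
  /location\.(search|hash|href)\b/,          // browser-side URL data
  /document\.URL\b/,
];
const SINK_PATTERNS = [
  /res\.(send|write|end)\s*\(/,              // server response writes
  /\.innerHTML\s*=/,                         // DOM HTML sinks
  /document\.write\s*\(/,
  /\binsertAdjacentHTML\s*\(/,
  /\$\(.*\)\.html\s*\(/,                     // jQuery .html()
];
// Presence of one of these on the line is a hint, not proof, that the value
// was encoded; the reviewer still has to confirm the context matches.
const ENCODER_PATTERN = /escapeHtml|encodeForHTML|htmlspecialchars|html\.escape|sanitize/i;

// Return one record per line that mentions both a source and a sink.
function findHtmlSinks(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const hasSource = SOURCE_PATTERNS.some(re => re.test(line));
    const hasSink = SINK_PATTERNS.some(re => re.test(line));
    if (hasSource && hasSink) {
      hits.push({ line: index + 1, text: line.trim(), encoded: ENCODER_PATTERN.test(line) });
    }
  });
  return hits;
}

// Constructed sample source: a small Express handler plus one DOM line.
const SAMPLE_SOURCE = [
  "app.get('/search', (req, res) => {",
  "  const q = req.query.q;",
  "  res.send('<h1>Results for ' + req.query.q + '</h1>');",
  "  res.send('<h1>Results for ' + escapeHtml(req.query.q) + '</h1>');",
  "  log.info('search', req.query.q);",
  "});",
  "document.getElementById('out').innerHTML = location.hash.slice(1);",
];

// Summarise the hits in a form that can be pasted into review notes.
function report(lines) {
  return findHtmlSinks(lines)
    .map(h => `line ${h.line}: ${h.encoded ? 'encoded' : 'UNENCODED'}: ${h.text}`)
    .join('\n');
}
```

On the sample source the helper reports lines 3 and 7 as unencoded sinks and line 4 as a sink with an encoder present; line 2 (the assignment) and line 5 (a log call) are not reported, which is exactly the gap a reviewer then closes by following the variable by hand.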

How to Protect Yourself

The primary defenses against XSS are described in the XSS Prevention Cheat Sheet.

Also, it’s crucial that you turn off HTTP TRACE support on all web servers. An attacker can steal cookie data via JavaScript even when document.cookie is disabled or not supported by the client. This attack is mounted when a user posts a malicious script to a forum so when another user clicks the link, an asynchronous HTTP TRACE call is triggered which collects the user’s cookie information from the server, and then sends it over to another malicious server that collects the cookie information so the attacker can mount a session hijack attack. This is easily mitigated by removing support for HTTP TRACE on all web servers.

The ESAPI project has produced a set of reusable security components in several languages, including validation and escaping routines to prevent parameter tampering and the injection of XSS attacks. In addition, the WebGoat Project training application has lessons on Cross-Site Scripting and data encoding.

Alternate XSS Syntax

XSS Using Script in Attributes

XSS attacks may be conducted without using <script> tags. Other tags will do exactly the same thing, for example via event-handler attributes like onmouseover or onerror.



click me!
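Event-handler attributes are the reason body-context encoding on its own is not enough: a value that is safe between tags can still break out of an attribute and introduce onmouseover or onerror. The following is an added example (not from the original page) of the two controls the XSS Prevention Cheat Sheet recommends for this context: always quote attribute values and encode them with hex character references, and never place untrusted data into an event handler at all. The encoder, the attribute allowlist, the renderer and the sample title are assumptions made for the illustration.

```javascript
// Added example (not from the original page): attribute-context encoding and a
// renderer that refuses to put untrusted data into event-handler attributes.

// Encode every character except [A-Za-z0-9] as a hex character reference. An
// encoded value can never close the surrounding quotes or introduce a new
// attribute such as onmouseover, whichever quoting style the template uses.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, ch =>
    '&#x' + ch.codePointAt(0).toString(16) + ';');
}

// Allowlist of attribute names that may carry untrusted values. Event handlers
// (on*), style, and URL-bearing attributes such as href and src are
// deliberately absent: those need different validation, not just encoding.
const ATTRIBUTES_ACCEPTING_UNTRUSTED_DATA = new Set(['title', 'alt', 'class', 'data-label']);

// Build one attribute; the value is always quoted and always encoded.
function attribute(name, value) {
  if (!ATTRIBUTES_ACCEPTING_UNTRUSTED_DATA.has(name)) {
    throw new Error('untrusted data is not allowed in attribute "' + name + '"');
  }
  return name + '="' + encodeForHtmlAttribute(value) + '"';
}

// Render a labelled span. Hex references are valid in the body context as well,
// so the same encoder is reused for the visible text here.
function renderLabel(text, title) {
  return '<span ' + attribute('title', title) + '>' +
    encodeForHtmlAttribute(text) + '</span>';
}

// Constructed sample: a title that tries to end the quoted value early.
const SAMPLE_TITLE = 'go " here';
```

With the sample title the double quote becomes &#x22; and the spaces &#x20;, so the browser sees a single title attribute and nothing else; a request to emit untrusted data as onmouseover is rejected before any markup is produced rather than encoded and hoped for.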



XSS Using Script Via Encoded URI Schemes

There are many different UTF-8 encoding notations that give us even more possibilities.

XSS Using Code Encoding

We may encode our script in base64 and place it in a META tag. This way we get rid of alert() totally. More information about this method can be found in RFC 2397.
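The encoded-scheme and base64-in-META variants in the two sections above both defeat checks that look at a URL as the user typed it. The defensive lesson is that a URL-bearing attribute (href, src, a META refresh target) needs scheme validation after canonicalization, not a blocklist of spellings. The following is an added example (not from the original page) that decodes character references and percent-encoding until the string stops changing, strips the control characters browsers ignore inside a scheme, and then allows only an explicit set of schemes. The function names, the allowed-scheme set and the sample inputs are assumptions made for the illustration; data: URLs (RFC 2397) are rejected simply because they are not on the allowlist.

```javascript
// Added example (not from the original page): canonicalize a user-supplied
// URL and allow only known-safe schemes before it goes into href, src or a
// META refresh. The scheme is inspected only after decoding.

// Turn &#xNN; and &#NNN; references back into characters.
function decodeCharacterReferences(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (match, ref) => {
    const isHex = ref[0].toLowerCase() === 'x';
    const cp = isHex ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

function canonicalizeUrl(raw) {
  let s = String(raw);
  // Repeat a few rounds so doubly encoded input ends in one canonical form.
  for (let i = 0; i < 3; i++) {
    const before = s;
    s = decodeCharacterReferences(s);
    try { s = decodeURIComponent(s); } catch (e) { /* malformed %-escape: keep as-is */ }
    if (s === before) break;
  }
  // Browsers ignore tabs, newlines and other control characters inside a
  // scheme, so strip them before looking at it.
  return s.replace(/[\u0000-\u0020\u007f]/g, '');
}

const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// The canonical form is used only for the decision; emit the original (or a
// freshly encoded) value, never the decoded one.
function isAllowedUrl(raw) {
  const url = canonicalizeUrl(raw);
  if (url.startsWith('//')) return false;            // protocol-relative: host not ours
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (!m) return true;                               // no scheme: a relative path on this site
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample inputs: ordinary links plus the encoded spellings that a
// naive check on the raw string would let through.
const SAMPLE_URLS = [
  'https://example.com/docs',
  '/account/settings',
  'mailto:help@example.com',
  'data:text/html;base64,PHA+aGk8L3A+',
  'j&#x41;vascript:void(0)',
  '%6Aavascript:void(0)',
  '//example.net/',
];

function classify(urls) {
  return urls.map(u => ({ url: u, allowed: isAllowedUrl(u) }));
}
```

Something like 'localhost:8080/path' is also rejected, because anything before the first colon is treated as a scheme; that is the conservative choice for links drawn from user input. Note that the decision is made on the canonical form but the original string is what gets re-encoded for output, using the attribute encoding appropriate to where it is placed.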