发帖
扫码访问
 注册
 登录
首页 网络安全 安全学院 查看内容

Web安全测试基础一

2018-2-16 18:08 |来自: 互联网 5913 2

摘要: 跨站脚本攻击(XSS)概念:通常指黑客通过“HTML注入”篡改了网页,插入了恶意的脚本,从而在用户浏览网页时,实现控制用户浏览器行为的一种攻击方式。全称:Cross Site Script(本来缩写是CSS,但是为了和层叠样式 ...

跨站脚本攻击(XSS)

概念:通常指黑客通过“HTML注入”篡改了网页,插入了恶意的脚本,从而在用户浏览网页时,实现控制用户浏览器行为的一种攻击方式。

全称:Cross Site Script(本来缩写是CSS,但是为了和层叠样式表CSS有所区别,所以在安全领域叫做“XSS”)

危害:盗取用户信息、篡改页面钓鱼、制造蠕虫等。

XSS分类:存储型、反射型、DOM型

反射型XSS

反射型XSS只是简单地把用户输入的数据“反射”给浏览器。也就是说,黑客往往需要诱使用户“点击”一个恶意链接,才能攻击成功

如下,查询name信息,正常用户请求:

如果那name参数1修改成,则显示结果:

存储型XSS

如下,正常留言或者评论,显示如下:

如果将message信息写成,则显示

DOM XSS

基于DOM型的XSS是不需要与服务器端交互的,它只发生在客户端处理数据阶段。

下面一段经典的DOM型XSS示例。

上述代码的意思是获取URL中content参数的值,并且输出,如果输入http://www.xxx.com/dom.html?content=,就会产生XSS漏洞。

各种类型原理分析

, groupId: 6522659487302550030, itemId: 6522659487302550030, type: 1, subInfo: { isOriginal: false, source: 奶糖味的代言, time: 2018-02-15 14:10:06 }, tagInfo: { tags: [{"name":"黑客"},{"name":"HTML"},{"name":"脚本语言"},{"name":"CSS"},{"name":"蠕虫"}], groupId: 6522659487302550030, itemId: 6522659487302550030, repin: 0, }, has_extern_link: 0 }, commentInfo: { groupId: 6522659487302550030, itemId: 6522659487302550030, comments_count: 3, ban_comment: 0 }, mediaInfo: { uid: 5241776006, name: 奶糖味的代言, avatar: //p8.pstatp.com/large/5d3f001b95195620de1d, openUrl: /c/user/5241776006/, follow: false }, pgcInfo: {"media_info":{"open_url":"/c/user/5241776006/","avatar_url":"https://p8.pstatp.com/large/5d3f001b95195620de1d","media_id":1573509553085454,"name":"奶糖味的代言","user_verified":false},"articles":[{"item_id":"6522660171351589383","url":"/item/6522660171351589383","title":"Web安全测试基础三"},{"item_id":"6522659900844147207","url":"/item/6522659900844147207","title":"Web安全测试基础二"},{"item_id":"6522659487302550030","url":"/item/6522659487302550030","title":"Web安全测试基础一"},{"item_id":"6512758047650087432","url":"/item/6512758047650087432","title":"Windows最基本快捷键功能"}]}, feedInfo: { url: /api/pc/feed/, category: __all__, initList: [{"comments_count":17,"media_avatar_url":"//p1.pstatp.com/large/56920005fa0e36c449e1","is_feed_ad":false,"is_diversion_page":false,"title":"月薪10k的程序员都在用的高效工具","single_mode":true,"gallary_image_count":9,"middle_mode":true,"has_video":false,"video_duration_str":null,"source_url":"/group/6521495320751243789/","source":"疯狂的线程","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p9.pstatp.com/list/190x124/616a0003efcf33b248ec","group_id":"6521495320751243789","is_related":true,"media_url":"/c/user/85614562613/"},{"comments_count":11,"media_avatar_url":"//p1.pstatp.com/large/411001156b56afdc8ca","is_feed_ad":false,"is_diversion_page":false,"title":"Linux 系统启动过程","single_mode":true,"gallary_image_count":6,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520837982323212803/","source":"程序员小新人学习","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":1,"image_url":"//p3.pstatp.com/list/190x124/61680000b3959081d9cc","group_id":"6520837982323212803","is_related":true,"media_url":"/c/user/6505875536/"},{"comments_count":6,"media_avatar_url":"//p3.pstatp.com/large/53e60001de89391b3803","is_feed_ad":false,"is_diversion_page":false,"title":"漫画:我也是靠身体和能力工作的!","single_mode":true,"gallary_image_count":8,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521951498358751747/","source":"滑稽漫画","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/61720000438db8eb7018","group_id":"6521951498358751747","is_related":true,"media_url":"/c/user/6057950609/"},{"comments_count":13,"media_avatar_url":"//p3.pstatp.com/large/568f0006013e96d2b37d","is_feed_ad":false,"is_diversion_page":false,"title":"HTML5技术资源分享 ES6编程风格","single_mode":true,"gallary_image_count":25,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521117792043794957/","source":"杭州千锋教育","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/61690001f09dd50fb25d","group_id":"6521117792043794957","is_related":true,"media_url":"/c/user/85614609846/"},{"comments_count":104,"media_avatar_url":"//p1.pstatp.com/large/2c6300190f11913b075c","is_feed_ad":false,"is_diversion_page":false,"title":"零基础如何开始学习 Python?看完这篇从小白变大牛!","single_mode":true,"gallary_image_count":6,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520490134318612996/","source":"中公优就业","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":19,"image_url":"//p9.pstatp.com/list/190x124/616400035269ff8b3f8e","group_id":"6520490134318612996","is_related":true,"media_url":"/c/user/64462810587/"},{"comments_count":4,"media_avatar_url":"//p1.pstatp.com/large/216d00213d5ba1354e79","is_feed_ad":false,"is_diversion_page":false,"title":"Docker命令速查表,收藏!","single_mode":true,"gallary_image_count":3,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521504418376974851/","source":"云智小号","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/616a00040d547b25ad82","group_id":"6521504418376974851","is_related":true,"media_url":"/c/user/60798381091/"},{"media_avatar_url":"//p1.pstatp.com/large/5682000261ba8679179c","is_feed_ad":false,"is_diversion_page":false,"title":"写了4年js,才总结出来的方法,帮助捋顺页面的逻辑关系","single_mode":false,"gallary_image_count":0,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520914932236550669/","source":"方帮信","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":1,"comments_count":9,"group_id":"6520914932236550669","is_related":true,"media_url":"/c/user/78311944873/"},{"comments_count":3,"media_avatar_url":"//p5a.pstatp.com/large/59360004ec2da4f46ca0","is_feed_ad":false,"is_diversion_page":false,"title":"python 利用PDFMiner包操作PDF","single_mode":true,"gallary_image_count":4,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520369401739362824/","source":"python宠儿","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":1,"image_url":"//p3.pstatp.com/list/190x124/6165000091454c0d00f1","group_id":"6520369401739362824","is_related":true,"media_url":"/c/user/85632433002/"},{"comments_count":18,"media_avatar_url":"//p8.pstatp.com/large/1dcc000130588f471830","is_feed_ad":false,"is_diversion_page":false,"title":"华为云如何通过Kubernetes持续获得开源社区认可?","single_mode":true,"gallary_image_count":1,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521264799043551747/","source":"读家见解","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/616d000136ffe9009f65","group_id":"6521264799043551747","is_related":true,"media_url":"/c/user/59118623378/"},{"comments_count":246,"media_avatar_url":"//p3.pstatp.com/large/5b4a0004ceeb5fda37ad","is_feed_ad":false,"is_diversion_page":false,"title":"【敬业福】和【头条發卡】这样获得!没集齐的快快进来留言要卡!","single_mode":true,"gallary_image_count":5,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520363453486465540/","source":"百味说","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/61620002a797f691476b","group_id":"6520363453486465540","is_related":true,"media_url":"/c/user/1819391608/"},{"comments_count":11,"is_related":true,"is_feed_ad":false,"is_diversion_page":false,"title":"为什么现在大多数网站是html结尾,很少见以jsp结尾?","single_mode":true,"gallary_image_count":2,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520641560437063943/","source":"悟空问答","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p9.pstatp.com/list/190x124/5fed000466c57ba08a65","group_id":"6520641560437063943"},{"comments_count":3,"media_avatar_url":"//p3.pstatp.com/large/289d001afa9973514b92","is_feed_ad":false,"is_diversion_page":false,"title":"电脑常识U盘无法显示的解决办法","single_mode":true,"gallary_image_count":4,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6519325172929921543/","source":"科技前行","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/6159000079d9cc221f8a","group_id":"6519325172929921543","is_related":true,"media_url":"/c/user/62385073584/"},{"comments_count":67,"media_avatar_url":"//p3.pstatp.com/large/2c60001ab54a371cd1d4","is_feed_ad":false,"is_diversion_page":false,"title":"还在和我说SVN?不了吧,我们现在在用Git","single_mode":true,"gallary_image_count":3,"middle_mode":true,"has_video":false,"video_duration_str":null,"source_url":"/group/6518997162594927111/","source":"运维人生精选","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":14,"image_url":"//p1.pstatp.com/list/190x124/5e8b000277bd35b15ed0","group_id":"6518997162594927111","is_related":true,"media_url":"/c/user/5551364108/"},{"comments_count":8,"media_avatar_url":"//p3.pstatp.com/large/5b5c0000727f640c402c","is_feed_ad":false,"is_diversion_page":false,"title":"分享股票附图指标源码 逃顶 抄底提示 非常简单好懂","single_mode":true,"gallary_image_count":3,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6522563285793899015/","source":"爆笑街拍","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p1.pstatp.com/list/190x124/616f000485cb69ee37b1","group_id":"6522563285793899015","is_related":true,"media_url":"/c/user/87993298432/"},{"comments_count":0,"media_avatar_url":"//p3.pstatp.com/large/615b0005f98c0cf95c85","is_feed_ad":false,"is_diversion_page":false,"title":"「有演示」再来一个简单清晰的Angular管理后台型模板项目","single_mode":true,"gallary_image_count":4,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520029978216628744/","source":"大漠穷秋真真儿的","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/5b5b0003240a8504971e","group_id":"6520029978216628744","is_related":true,"media_url":"/c/user/5723452117/"},{"comments_count":5,"media_avatar_url":"//p9.pstatp.com/large/4e73000078819aca1a3f","is_feed_ad":false,"is_diversion_page":false,"title":"井底之蛙:教你快速搭建Elasticsearch搜索集群,So Easy!","single_mode":true,"gallary_image_count":5,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521340756957856269/","source":"井底一只蛙","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p1.pstatp.com/list/190x124/616c0001c227fef6efe4","group_id":"6521340756957856269","is_related":true,"media_url":"/c/user/81230464381/"},{"comments_count":33,"media_avatar_url":"//p6.pstatp.com/large/1bf3001b5d334828663d","is_feed_ad":false,"is_diversion_page":false,"title":"说快递员开后备箱偷窃的,黑科技请了解一下~","single_mode":true,"gallary_image_count":5,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521594668864504324/","source":"生活热议","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":71990,"image_url":"//p1.pstatp.com/list/190x124/616c000332d971ffe3f5","group_id":"6521594668864504324","is_related":true,"media_url":"/c/user/59109407331/"},{"comments_count":0,"media_avatar_url":"//p2.pstatp.com/large/5e790002d9c4cd2cbb72","is_feed_ad":false,"is_diversion_page":false,"title":"为什么大家总喜欢黑PHP?PHP到底做错了什么","single_mode":true,"gallary_image_count":4,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6520932110394458637/","source":"加班菌的日常","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p3.pstatp.com/list/190x124/616b000019b6f5fa3a9f","group_id":"6520932110394458637","is_related":true,"media_url":"/c/user/82746053034/"},{"comments_count":27,"media_avatar_url":"//p10.pstatp.com/large/46c400065347203f3ce3","is_feed_ad":false,"is_diversion_page":false,"title":"阿里巴巴规范之代码格式,就照这个写,指定没错","single_mode":true,"gallary_image_count":0,"middle_mode":true,"has_video":false,"video_duration_str":null,"source_url":"/group/6521203857580622350/","source":"Free码农","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":9,"image_url":"//p1.pstatp.com/list/190x124/616d0000a92ccd25e1d0","group_id":"6521203857580622350","is_related":true,"media_url":"/c/user/50429504684/"},{"comments_count":53,"media_avatar_url":"//p3.pstatp.com/large/1232000228220966c025","is_feed_ad":false,"is_diversion_page":false,"title":"漫画:你别做傻事啊!网上都是骗人的!","single_mode":true,"gallary_image_count":4,"middle_mode":false,"has_video":false,"video_duration_str":null,"source_url":"/group/6521680890379108867/","source":"酒妹漫画","more_mode":null,"article_genre":"article","has_gallery":false,"video_play_count":0,"image_url":"//p1.pstatp.com/list/190x124/5b4d0002615ff39c34f8","group_id":"6521680890379108867","is_related":true,"media_url":"/c/user/52513999763/"}] }, shareInfo: { shareUrl: https://m.toutiao.com/group/6522659487302550030/, abstract: 跨站脚本攻击概念:通常指黑客通过“HTML注入”篡改了网页,插入了恶意的脚本。从而在用户浏览网页时,实现控制用户浏览器行为的一种攻击方式。
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过
雷人
握手
鲜花
鸡蛋
收藏 分享 邀请
上一篇:ddos攻击成web网站最严重的安全问题之一,如何解决?下一篇:扫码付款隐患多!学会这两招,保护微信、支付宝里的钱包安全
发表评论

最新评论 查看全部评论(2)

相关分类

返回顶部