跨站脚本攻击,附相关学习资源!手把手入门白帽子 (三)
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic4.zhimg.com/80/v2-01a5af1ea6515de926718c1dc9bb09af_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(<span style="color: black;">照片</span>源于网络,侵删)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PS:手把手入门白帽子系列,全学完<span style="color: black;">便是</span>一个合格的web安全工程师了!</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">什么是XSS?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">关于XSS(跨站脚本攻击)详情,<span style="color: black;">能够</span>查看:<a style="color: black;">科普一种猥琐的黑客攻击方式,附攻防指南</a>。下面<span style="color: black;">咱们</span>简单介绍一下:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">概念:指黑客<span style="color: black;">经过</span>“HTML注入”篡改网页,<span style="color: black;">插进</span>了恶意的脚本,从而在用户浏览网页时,实现<span style="color: black;">掌控</span>用户浏览器<span style="color: black;">行径</span>的一种攻击方式。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">害处</span>:盗取用户信息、篡改页面钓鱼、制造蠕虫等。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">XSS<span style="color: black;">归类</span>:存储型、反射型、DOM型等</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">反射型XSS</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">反射型XSS只是简单地把用户输入的数据“反射”给浏览器。<span style="color: black;">亦</span><span style="color: black;">便是</span>说,黑客<span style="color: black;">常常</span><span style="color: black;">必须</span>诱<span style="color: black;">运用</span>户“点击”一个恶意链接,<span style="color: black;">才可</span>攻击成功.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">如下,<span style="color: black;">查找</span>name信息,正常用户请求:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic3.zhimg.com/80/v2-7ca935acdd9dc63bfd732459dc39ea0e_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>那name参数1修改成<script>alert("I am XSS")</script>,则<span style="color: black;">表示</span>结果:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic2.zhimg.com/80/v2-ac1ea0c8d91b353acd33686956dd90f1_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">存储型XSS</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">如下,正常留言<span style="color: black;">或</span>评论,<span style="color: black;">表示</span>如下:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic1.zhimg.com/80/v2-6e47deed6cb26e9fd7e7f3ffe0f21b88_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic4.zhimg.com/80/v2-6adbb1adcb1d3136a02dd89e563a77db_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">倘若</span>将message信息写成<script>alert(11)</script>,则<span style="color: black;">表示</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic3.zhimg.com/80/v2-d334a9fc86fad8e98af8dda7499e87ca_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">DOM XSS</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">基于DOM型的XSS是不<span style="color: black;">必须</span>与服务器端交互的,它只发生在客户端处理数据<span style="color: black;">周期</span>。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">下面一段经典的DOM型XSS示例。</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic4.zhimg.com/80/v2-a755508a4dc77ad407440c55538191ef_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">以上</span>代码的意思是获取URL中content参数的值,并且输出,<span style="color: black;">倘若</span>输入</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;"><span style="color: black;">http://www.</span><span style="color: black;">xxx.com/dom.html?</span><span style="color: black;">content=</span></a><script>alert(/xss/)</script>,就会产生XSS漏洞。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">各样</span>类型原理分析</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic4.zhimg.com/80/v2-5861d6fb2f582766127aaa83e4ebe3cb_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">下篇预告:CSRF攻击与防御</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">举荐</span>阅读</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">6个月当上web安全工程师 | 手把手入门白帽子(一)</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">黑客常说SQL注入是什么?手把手入门白帽子 (二)</a></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">SQL注入攻击方式及防御<span style="color: black;">办法</span>,手把手入门白帽子 (二)</a></p>
“沙发”(SF,第一个回帖的人) 哈哈、笑死我了、太搞笑了吧等。 期待与你深入交流,共探知识的无穷魅力。 感谢您的精彩评论,为我带来了新的思考角度。
页:
[1]