1.存储型xss(恶意脚本被永久存储在目标服务器上,当其他用户访问包含该脚本的页面时触发)
test.html:
<!DOCTYPE html>
<html>
<head>
<title>xss1</title>
</head>
<body>
<form action = 'comments.php' method='POST'>
<textarea name='comment'></textarea>
<button type='submit'>submit</button>
</form>
</body>
</html>comments.php:
php+HTML
<?php
$comments=getCommentFromDB();
foreach($comments as $comment){
echo '<div>'.$comment.'</div>';//未转义直接输出
}
?>攻击载荷:<script>alert(0)</script>
2.反射型xss(恶意脚本作为请求的一部分发送到服务器,服务器立即响应返回并执行
test.html:
<!DOCTYPE html>
<html>
<head>
<title>xss1</title>
</head>
<body>
<form action = 'comment.php' method='POST'>
<textarea name='comment'></textarea>
<button type='submit'>submit</button>
</form>
</body>
</html>comment.php:
php+HTML
<?php
$comment=$_POST['comment'];
echo '<div>'.$comment.'</div>';//未转义直接输出
?>攻击载荷:<script>alert(0)</script>
3.dom型xss(漏洞完全在客户端发生,恶意脚本通过修改dom树来执行
test.html:
<!DOCTYPE html>
<html>
<head>
<title>xss2 dom</title>
<body>
<input type="text" id ="input">
<button onclick="display()">display</button>
<div id="output"></div>
<script>
function display(){
const userInput = document.getElementById('input').value;
document.getElementById('output').innerHTML=userInput;//直接使用innerHTML插入数据
}
</script>
</body>
</head>
</html>攻击载荷:<img src=x οnerrοr=alert(0)>
原文地址:xss漏洞学习笔记