17-05-21 Web Attacks (XSS Vulnerabilities)

Original URL:https://www.owasp.org/index.php/XSS#Stored_and_Reflected_XSS_Attacks


If this infringes, I will delete it.

(TEXT)

Stored and Reflected XSS Attacks

XSS attacks can generally be categorized into two categories: stored and reflected. There is a third, much less well-known type of XSS attack called DOM Based XSS that is discussed separately here.

Stored XSS Attacks

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.

Other Types of XSS Vulnerabilities

In addition to Stored and Reflected XSS, another type of XSS, DOM Based XSS was identified by Amit Klein in 2005. OWASP recommends the XSS categorization as described in the OWASP Article: Types of Cross-Site Scripting, which covers all these XSS terms, organizing them into a matrix of Stored vs. Reflected XSS and Server vs. Client XSS, where DOM Based XSS is a subset of Client XSS.

XSS Attack Consequences

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. Do not be fooled into thinking that a “read only” or “brochureware” site is not vulnerable to serious reflected XSS attacks. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include disclosing end-user files, installing Trojan horse programs, redirecting the user to some other page or site, or modifying the presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information, resulting in an overdose. For more information on these types of attacks see Content_Spoofing.

How to Determine If You Are Vulnerable

XSS flaws can be difficult to identify and remove from a web application. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note that a variety of different HTML tags can be used to deliver malicious JavaScript. Nessus, Nikto, and some other available tools can help scan a website for these flaws, but can only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.
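The point the text makes about stored and reflected XSS differing only in how the payload arrives, and about the review task of tracing request input into HTML output, is illustrated by the following added example (it is not OWASP's code). It assumes a minimal search page and a comment list as the two "sinks", uses a constructed sample query, and shows the vulnerable rendering next to its hardened form, which HTML-entity encodes untrusted data before placing it in an element body.

```python
import html

# Constructed sample request input (not from any real site): a search query
# carrying a script tag, the same string a reviewer would test a sink with.
SAMPLE_QUERY = '<script>alert(1)</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS sink: the request parameter is concatenated into HTML unescaped."""
    return f"<p>No results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Hardened: entity-encode the value before it lands in an HTML element body.
    quote=True also encodes quotes, so the same helper is safe in quoted attributes;
    JavaScript or URL contexts need their own context-specific encoding."""
    return f"<p>No results for: {html.escape(query, quote=True)}</p>"


# Stored XSS: the payload first sits in a data store (forum, comment field, log)
# and is rendered later; the sink and the fix are exactly the same as above.
COMMENTS: list[str] = []


def post_comment(text: str) -> None:
    """Store the comment verbatim, as a forum or comment field typically does."""
    COMMENTS.append(text)


def render_comments_vulnerable() -> str:
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"


def render_comments_safe() -> str:
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS) + "</ul>"


def contains_script_tag(rendered: str) -> bool:
    """Crude review check: did a raw <script> tag survive into the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    post_comment(SAMPLE_QUERY)
    for name, out in [("reflected/vulnerable", render_search_vulnerable(SAMPLE_QUERY)),
                      ("reflected/safe", render_search_safe(SAMPLE_QUERY)),
                      ("stored/vulnerable", render_comments_vulnerable()),
                      ("stored/safe", render_comments_safe())]:
        print(f"{name:20} script tag present: {contains_script_tag(out)}  -> {out}")
```

The same encoding step fixes both sinks, which is why a code review concentrates on where request data reaches the output rather than on how it got there.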



# Stored and Reflected XSS Attacks

XSS attacks can generally be divided into two categories: stored and reflected. There is a third, much less well-known type of attack called DOM Based XSS.

1. Stored XSS Attacks

These are attacks where the injected script is permanently stored on the target server, for example in a database, a message forum, a visitor log, or a comment field.

When the victim requests the stored information from the server, the malicious script is retrieved from the server along with it. Stored XSS is also sometimes called Persistent or Type-I XSS.


2. Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, a search result, or any other response that includes some or all of the input sent to the server as part of the request.

Reflected attacks are usually delivered to victims via another route, such as in an e-mail message or on some other web site. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing to the malicious site, the injected malicious code is transmitted to the vulnerable web site, which reflects it back to the attacked user's browser. The browser executes the code as if it came from a "trusted" server.

Reflected XSS is also sometimes called Non-Persistent or Type-II XSS.



3. Other Types of XSS Vulnerabilities


Besides Stored and Reflected XSS, another type of XSS vulnerability, DOM Based XSS, was identified by Amit Klein in 2005. OWASP recommends the XSS categorization described in the OWASP article Types of Cross-Site Scripting, which covers all these XSS terms and organizes them into a matrix of Stored vs. Reflected XSS and Server vs. Client XSS, where DOM Based XSS is a subset of Client XSS.

Consequences of XSS Attacks:

The consequences and severity of an XSS attack are always the same, whether it is stored or reflected XSS (or DOM Based XSS).

The only difference is how these "time bombs" reach the server. Do not be foolish enough to assume that a "read-only" or "brochureware" site cannot suffer serious reflected XSS attacks. XSS can cause many serious problems for end users; the most severe XSS attacks involve disclosure of the user's session and cookie, allowing a hacker to hijack the user's session and take over the account. Other damaging attacks include disclosing end-user files, installing Trojan horse programs, redirecting the user to some other page or site, or modifying the content of documents.

Some XSS vulnerabilities let a hacker modify news or news items, and thereby affect a company's stock price or shake consumer confidence.

For example, an XSS vulnerability on a pharmaceutical site could let a hacker modify dosage information, leading to an overdose.


How to Determine Whether You Have an XSS Vulnerability

XSS vulnerabilities are hard to identify and remove from a web application. The best way to find flaws is to perform a code audit and security review, searching for all places where input from an HTTP request could possibly make its way into the HTML output.

Note that a variety of different HTML tags can often be used to deliver malicious JavaScript code.

Nessus, Nikto, and some other available tools can help scan a website for these vulnerabilities, but this only scratches the surface.

If one part of a website is confirmed to be vulnerable, there is also a high likelihood that many other security problems exist there as well.


—————————————————————————————————— SoDaoo. Please credit the source when reposting.

