17 - 05 - 21 Web Attacks (XSS Vulnerabilities)

Original URL: https://www.owasp.org/index.php/XSS#Stored_and_Reflected_XSS_Attacks


If this infringes, I will delete it.

( TEXT ) 

Stored and Reflected XSS Attacks

XSS attacks can generally be categorized into two categories: stored and reflected. There is a third, much less well known type of XSS attack called DOM Based XSS that is discussed separately.

Stored XSS Attacks

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a "trusted" server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.
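To make the two delivery paths concrete, here is an added example (not part of the OWASP text): a minimal search-page renderer that reflects a query parameter, and an in-memory comment store that replays whatever was saved, each in an unsafe form beside an output-encoded one. The function names, the `CommentStore` class and the sample inputs are constructed for this illustration; `html.escape` and `html.parser.HTMLParser` are from the Python standard library.

```python
"""Reflected vs. stored XSS, with an unsafe renderer beside a hardened one.

Added example; not OWASP's code. The page-building functions, the
in-memory CommentStore and the sample inputs are all constructed here.
"""
from html import escape
from html.parser import HTMLParser

# Constructed inputs: what an attacker-controlled "q" parameter or comment
# body might contain, and an ordinary value that happens to use HTML
# metacharacters.
INJECTED = "<script>alert(1)</script>"
BENIGN = "shoes & boots"


def render_search_unsafe(q: str) -> str:
    """Reflected XSS: the request parameter is copied into the page verbatim."""
    return f"<h1>Results for: {q}</h1>"


def render_search_safe(q: str) -> str:
    """Same page, but the untrusted value is HTML-entity encoded on output.

    html.escape() is correct for HTML body and quoted-attribute context only;
    a value placed inside a <script> block, a URL or a CSS rule needs the
    encoder for that context instead.
    """
    return f"<h1>Results for: {escape(q)}</h1>"


class CommentStore:
    """Stand-in for the database, forum or visitor log where stored XSS lives."""

    def __init__(self) -> None:
        self._comments: list[str] = []

    def add(self, body: str) -> None:
        # Storing the raw text is not the flaw; every *output* path must encode.
        # Encoding at input time instead would corrupt non-HTML consumers and
        # is easy to forget for the next input path someone adds.
        self._comments.append(body)

    def render_unsafe(self) -> str:
        """Stored XSS: every later visitor receives the raw script."""
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self._comments) + "</ul>"

    def render_safe(self) -> str:
        """Same list, encoded at the point where text becomes HTML."""
        return "<ul>" + "".join(f"<li>{escape(c)}</li>" for c in self._comments) + "</ul>"


class _StartTagCollector(HTMLParser):
    """Records every start tag a browser's parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(rendered: str) -> list[str]:
    """Parse rendered HTML the way a browser would and list the tags it yields."""
    p = _StartTagCollector()
    p.feed(rendered)
    p.close()
    return p.tags


def script_executes(rendered: str) -> bool:
    """True if the rendered page contains a real <script> element."""
    return "script" in start_tags(rendered)


if __name__ == "__main__":
    for name, fn in (("unsafe", render_search_unsafe), ("safe", render_search_safe)):
        html = fn(INJECTED)
        print(f"reflected/{name}: script runs = {script_executes(html)}  {html}")

    store = CommentStore()
    store.add(INJECTED)
    store.add(BENIGN)
    print("stored/unsafe: script runs =", script_executes(store.render_unsafe()))
    print("stored/safe:   script runs =", script_executes(store.render_safe()))
```

The check re-parses the rendered page with a real HTML tokenizer rather than string-matching, so it reports what a browser would actually create: in the unsafe renderers the injected text becomes a `script` element, in the safe ones it stays character data.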

Other Types of XSS Vulnerabilities

In addition to Stored and Reflected XSS, another type of XSS, DOM Based XSS was identified by Amit Klein in 2005. OWASP recommends the XSS categorization as described in the OWASP Article: Types of Cross-Site Scripting, which covers all these XSS terms, organizing them into a matrix of Stored vs. Reflected XSS and Server vs. Client XSS, where DOM Based XSS is a subset of Client XSS.

XSS Attack Consequences

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. Do not be fooled into thinking that a “read only” or “brochureware” site is not vulnerable to serious reflected XSS attacks. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. Other damaging attacks include disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying the presentation of content. An XSS vulnerability allowing an attacker to modify a press release or news item could affect a company’s stock price or lessen consumer confidence. An XSS vulnerability on a pharmaceutical site could allow an attacker to modify dosage information, resulting in an overdose. For more information on these types of attacks, see Content Spoofing.

How to Determine If You Are Vulnerable

XSS flaws can be difficult to identify and remove from a web application. The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output. Note that a variety of different HTML tags can be used to transmit malicious JavaScript. Nessus, Nikto, and some other available tools can help scan a website for these flaws, but can only scratch the surface. If one part of a website is vulnerable, there is a high likelihood that there are other problems as well.
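As an added example of the review the paragraph recommends (not an OWASP tool), the script below walks Python source line by line, marks local variables assigned from request input, and flags lines where that input, directly or through such a variable, reaches an HTML sink with no encoder on the same line. The source and sink patterns, the `review` function and the Flask-style sample handlers are all constructed for this illustration.

```python
"""A first-pass review aid: find lines where HTTP request input can reach HTML output.

Added example; not an OWASP tool. The patterns, the toy taint tracking and
the Flask-style sample source below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Sources: where untrusted request data enters (Flask/Django-style Python).
SOURCE_RE = re.compile(
    r"request\.(args|form|values|cookies|headers|data|get_json)\b|request\.(GET|POST|COOKIES)\b"
)
# Sinks: a string literal that opens an HTML tag, or a wrapper that tells the
# template engine to trust a string as HTML.
SINK_RE = re.compile(r"""['"][^'"]*<[a-zA-Z!/]|Markup\(|mark_safe\(|\|\s*safe\b""")
# Encoders that neutralise HTML metacharacters (HTML body/attribute context).
ENCODER_RE = re.compile(r"\b(escape|bleach\.clean)\(")
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=(?!=)\s*(.+)$")
DEF_RE = re.compile(r"^\s*def\s")


@dataclass
class Finding:
    line: int
    text: str
    reason: str


def _uses_tainted(text: str, tainted: set[str]) -> bool:
    """True if any tainted variable name appears as a whole word in text."""
    return any(re.search(rf"\b{re.escape(v)}\b", text) for v in tainted)


def review(source: str) -> list[Finding]:
    """Flag lines where request input, directly or via a local variable, hits a sink.

    Taint tracking is deliberately simple: one file, one function at a time,
    no calls followed. It narrows the manual review; it does not replace it.
    """
    findings: list[Finding] = []
    tainted: set[str] = set()
    for n, line in enumerate(source.splitlines(), start=1):
        if DEF_RE.match(line):
            tainted.clear()  # locals from the previous function are out of scope
        m = ASSIGN_RE.match(line)
        if m and (SOURCE_RE.search(m.group(2)) or _uses_tainted(m.group(2), tainted)):
            tainted.add(m.group(1))
        if not SINK_RE.search(line):
            continue
        if ENCODER_RE.search(line):
            # An encoder is on the line; still confirm by hand that *every*
            # interpolated value goes through it.
            continue
        if SOURCE_RE.search(line):
            findings.append(Finding(n, line.strip(), "request input written straight into HTML"))
        elif _uses_tainted(line, tainted):
            findings.append(Finding(n, line.strip(), "variable derived from request input reaches an HTML sink"))
    return findings


# Constructed sample: four Flask-style handlers, two of them vulnerable.
SAMPLE = """\
from flask import request
from markupsafe import Markup, escape

@app.route('/search')
def search():
    q = request.args.get('q', '')
    return f"<h1>Results for {q}</h1>"

@app.route('/search2')
def search2():
    q = request.args.get('q', '')
    return render_template('search.html', q=q)

@app.route('/profile')
def profile():
    name = request.form['name']
    return Markup("<b>" + name + "</b>")

@app.route('/safe')
def safe():
    q = request.args.get('q', '')
    return f"<h1>Results for {escape(q)}</h1>"
"""

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f"line {f.line}: {f.reason}\n    {f.text}")
```

On the sample it reports the handler that interpolates `q` into raw HTML and the one that wraps a form field in `Markup(...)`; the template-rendered handler is not a sink it recognises, and the `escape(q)` handler is skipped. Both blind spots are intentional and mirror the paragraph's warning: a pattern scan only tells you where to start reading, and the template's autoescape setting and every interpolated value still have to be checked by eye.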



# Stored and Reflected XSS Attacks

XSS attacks can generally be divided into two categories: stored and reflected. There is a third, less well-known type of attack called DOM Based XSS.

1. Stored XSS Attacks

These are attacks where the injected script is permanently stored on the target server, for example in a database, message forum, visitor log, comment field, and so on.

When the victim requests the stored information from the server, the malicious script is retrieved from the server along with it. Stored XSS is also sometimes called Persistent or Type-I XSS.


2. Reflected XSS Attacks

Reflected attacks are those where the injected script is reflected off the web server, for example in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.

Reflected attacks are usually delivered to the victim by another route, such as in an e-mail message or on another website. When the user is tricked into clicking a malicious link, submitting a specially crafted form, or even just browsing to the malicious site, the injected code is sent to the vulnerable website, which reflects it back to the victim's browser. The browser executes the code as if it came from a “trusted” server.

Reflected XSS is also sometimes called Non-Persistent or Type-II XSS.



3. Other Types of XSS Vulnerabilities


In addition to stored and reflected XSS, another type of XSS vulnerability, DOM Based XSS, was defined by Amit Klein in 2005. OWASP recommends the XSS categorization as described in the OWASP Article: Types of Cross-Site Scripting, which covers all these XSS terms, organizing them into a matrix of Stored vs. Reflected XSS and Server vs. Client XSS, where DOM Based XSS is a subset of Client XSS.

Consequences of XSS Attacks:

The consequences and severity of an XSS attack are the same whether it is stored XSS or reflected XSS (or DOM Based XSS). The only difference is the way these “time bombs” (the payload) reach the server. Do not be naive enough to think that a “read only” or “brochureware” site cannot suffer serious reflected XSS attacks. XSS can cause many serious problems for the end user; the most severe XSS attacks involve disclosure of the user's session cookie, allowing the attacker to hijack the user's session and take over the account. Other destructive attacks include disclosing end-user files, installing Trojan horse programs, redirecting the user to other pages or sites, or modifying the content of documents.

Some XSS vulnerabilities let an attacker modify press releases or news items, which can affect a company's stock price or shake consumer confidence.

For example, an XSS vulnerability on a pharmaceutical site could let an attacker modify dosage information, leading to an overdose.


How to Tell Whether You Have an XSS Vulnerability

XSS flaws are hard to identify and remove from a web application. The best way to find them is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.

Note that a variety of different HTML tags can be used to deliver malicious JavaScript.

Nessus, Nikto, and some other available tools can help scan a website for these flaws, but they only scratch the surface.

If one part of a website is shown to be vulnerable, there is a high likelihood that it has other security problems as well.


—————————————————————————————————— SoDaoo. Please credit the source when reposting.

