Hacking Book | Free Online Hacking Learning


XSS learning notes

Posted by patinella at 2020-02-27
This article covers the following:
The principles of the three types of XSS
An experimental demonstration of each of the three types

Classification of XSS

Non persistent type

Non-persistent XSS is also called reflected XSS. The principle is that the server takes input submitted in a request and immediately echoes it back in the response page. The attacker tricks the victim into opening a crafted link that carries malicious code; the server processes the request, reflects the payload into the page it returns, and if it does not filter or encode that code, the victim's browser executes it and the attack succeeds. Most websites have a search box, for example. If a user searches for a string containing HTML tags, the results page will echo that string, or at least contain it, so a carefully constructed search string that the server does not handle is enough to produce a reflected XSS. Note that the payload is not stored anywhere: it lives only in the link, so every victim has to be induced to open that link.

Persistent type

Persistent XSS is also called stored XSS. Forums, message boards and similar pages share one feature: every user can submit their own text, and everyone else can see it. If an attacker submits a malicious script as content and the server stores it without filtering or encoding it, the script becomes part of the page, and every user who later visits the page executes the malicious code, without having to click any attacker-supplied link.

XSS based on DOM

This type differs from non-persistent XSS in where the payload is handled. In non-persistent XSS the dynamic script is placed in the link and reflected by the server. In DOM-based XSS the link carries parameters that client-side JavaScript on the page reads (for example from the URL query or fragment) and writes into the DOM; the attacker supplies a DOM element whose event attribute contains the script to be executed, and the script runs when that event fires. Because the payload is consumed by script running in the browser rather than by the server, server-side filtering may never see it at all.

Experimental demonstration

The experimental environment is: Apache 2.4.4, PHP 5.4.16, MySQL 5.6.12, Chrome 59 and IE 11 on Windows 7.

1. Non persistent XSS

First, we write a client page, client.html, and a server script, server.php. The original post shows these as screenshots (the client code, the client interface, the server code, and the constructed link), which are not reproduced here.
Display result of the simple non-persistent XSS in IE 11:

Display result of the simple non-persistent XSS in Chrome:

We can see that our code alert(/test/) executed successfully in IE 11, whereas in Chrome it was blocked by the browser and did not run. What blocked it is Chrome's built-in reflected-XSS filter (the XSS Auditor), which checks whether script in the response also appears in the request. It only ever applied to reflected payloads, could be bypassed with suitable string construction, and has since been removed from Chrome, so it must never be relied on as a defence. We will explore such bypass methods in the next article.

2. Persistent XSS

To demonstrate persistent XSS we first built a simple message board. The server does not encode the submitted data; it stores it directly in the database, and the front end reads it back from the server with Ajax and inserts it into the page. When we submit

<script>alert(/test XSS/)</script>

this record is displayed on the page, and the figure below shows that our code executed successfully. From now on it executes automatically for every user who visits the page. Note that storing the raw text is not itself the flaw; the flaw is writing it into the page without encoding it for the HTML context in which it lands.

Persistent XSS Demo:
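The two sinks described above (the search box that echoes its query, and the message board that renders stored submissions fetched over Ajax) side by side with their encoded forms, as an added example that is not part of the original post and is not the author's client.html, server.php or message board. It runs under Node.js; the parameter name q, the page markup, the message records and the containsScript check are constructed for illustration.

```javascript
// Added example (not from the original post): reflected and stored XSS
// sinks next to their encoded counterparts. The markup, the `q` parameter
// and the message records below are constructed for illustration.

// Encoding for the HTML text context (and double-quoted attributes). This
// is the step the post's server.php and message board leave out.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// --- 1. Reflected (non-persistent) XSS: the search-box case -------------
// Vulnerable: the query is echoed straight into the response body.
function searchPageVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}
// Hardened: the same page with the query HTML-encoded at output time.
function searchPageSafe(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// --- 2. Stored (persistent) XSS: the message board ----------------------
// Server side: submissions are stored as-is. Storing raw text is fine;
// the mistake happens at render time.
const store = [];
function submitMessage(author, text) {
  store.push({ author, text });
  return store.length;
}
// Client side, vulnerable: the Ajax response is turned into markup by
// string concatenation and dropped into the page via innerHTML.
function renderBoardVulnerable(messages) {
  return messages
    .map(m => `<li><b>${m.author}</b>: ${m.text}</li>`)
    .join('\n');
}
// Client side, hardened: every untrusted field is encoded for the HTML
// text context before it becomes markup. (Building text nodes with
// textContent is the equivalent DOM-level choice in a real page.)
function renderBoardSafe(messages) {
  return messages
    .map(m => `<li><b>${escapeHtml(m.author)}</b>: ${escapeHtml(m.text)}</li>`)
    .join('\n');
}

// Crude check for a script element in rendered markup; enough to tell
// the two renderers apart.
function containsScript(html) {
  return /<script[\s>]/i.test(html);
}

// Demonstration with the payload used in the post's message-board demo.
const payload = '<script>alert(/test XSS/)</script>';
submitMessage('alice', 'hello');
submitMessage('mallory', payload);

console.log(searchPageVulnerable(payload));  // <script> reaches the browser
console.log(searchPageSafe(payload));        // &lt;script&gt; is inert text
console.log(renderBoardVulnerable(store));   // every visitor runs the payload
console.log(renderBoardSafe(store));         // payload shown as literal text
```

Encoding is applied where the data meets the page, not where it is received: the same stored record is rendered safely or unsafely depending only on the renderer, which is why input filtering alone is the wrong place to fix stored XSS.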

3. XSS based on DOM

For convenience I reuse the client and server from the non-persistent XSS demo above; only the request link changes (the link itself is not reproduced here).

As shown in the following figure, it executes normally in IE 11:

In Chrome it is blocked by the browser:

To hide it a little better, add style="height: 0; width: 0" to the image element, so that the image itself cannot even be seen. Note that this only hides the element from the user; the event still fires and the script still runs, so it changes the stealth of the attack, not whether it works.
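What the hidden-image payload looks like, why it needs no script tag at all, and why a filter that only strips script elements does not stop it, as an added example that is not part of the original post. The demo link itself is not reproduced on this page, so the onerror handler, the name parameter and the blacklist filter here are assumptions, not the author's payload. It runs under Node.js; URLSearchParams stands in for the client-side code that reads the URL.

```javascript
// Added example (not from the original post): an event-handler payload
// carried in the URL, the blacklist filter it walks past, and the encoding
// that stops it. The `name` parameter, the onerror handler and both filters
// are constructed for illustration.

// An <img> whose src can never load: the browser fires onerror and runs the
// handler. The inline style keeps the broken-image icon out of sight, which
// is the "hidden picture" trick described above.
const imgPayload =
  '<img src=x onerror="alert(/test/)" style="height:0;width:0">';

// A client-side script of the kind that produces DOM-based XSS reads a
// value from a URL source (location.search) and hands it to a DOM sink
// (innerHTML). URLSearchParams is what such scripts typically use.
function valueFromQuery(search, key) {
  return new URLSearchParams(search).get(key) || '';
}

// Filter 1: a blacklist that removes <script> elements and nothing else.
// It would stop a bare <script>alert(...)</script> payload like the one in
// the message-board demo and gives a false sense of safety.
function stripScriptTags(s) {
  return s.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Filter 2: encoding for the HTML text context. Nothing the browser can
// parse as a tag or an attribute survives it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Rough test for markup a browser would execute: a script element, or any
// tag carrying an on* event-handler attribute.
function hasExecutableMarkup(html) {
  return /<script[\s>]/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// What would reach innerHTML under each filter.
function sinkAfterBlacklist(search) {
  return 'Hello, ' + stripScriptTags(valueFromQuery(search, 'name'));
}
function sinkAfterEncoding(search) {
  return 'Hello, ' + escapeHtml(valueFromQuery(search, 'name'));
}

// The crafted link's query string, as the attacker would build it.
const craftedSearch = '?name=' + encodeURIComponent(imgPayload);
console.log(sinkAfterBlacklist(craftedSearch)); // onerror handler intact
console.log(sinkAfterEncoding(craftedSearch));  // rendered as literal text
```

The blacklist passes the payload untouched because there is no script element to strip; the executable part is an attribute on an ordinary element. Encoding removes the problem regardless of which element or attribute the attacker chose, which is why tag blacklists are not a substitute for context-aware output encoding.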


From the three demonstrations above we conclude that, in terms of concealment and effectiveness, the three XSS types rank as follows: persistent XSS > DOM-based XSS > non-persistent XSS.

We also ran into the browser intercepting XSS during the experiments, and in real situations the server will usually apply some encoding to the data we submit as well, so our XSS attack is sometimes not so effective. The next article will investigate and discuss bypassing such protections.