Home > Article > Operation and Maintenance > How to analyze reflected XSS
Reflected XSS means that the application obtains untrustworthy data through Web requests, without checking whether the data contains malicious code. It is delivered to Web users. Reflected XSS is generally constructed by attackers with URLs containing malicious code parameters. When the URL address is opened, the unique malicious code parameters are parsed and executed by HTML. It is characterized by non-persistence and requires the user to click on a link with specific parameters. can cause. The editor takes the JAVA language source code as an example to analyze CWE ID 80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
When a user accesses a URL request with XSS code, the server receives the data and processes it, then sends the data with XSS code to the browser, and the browser parses the data with XSS code Finally, an XSS vulnerability is created, which may lead to stealing the cookies of the target website and transferring them to the attacker's server, reading the user's undisclosed information, or performing click hijacking to implement phishing attacks. From January to November 2018, there were a total of 126 vulnerability information related to it in CVE. Some of the vulnerabilities are as follows:
Vulnerability Overview | |
---|---|
tianti is a free lightweight CMS system written in Java. It currently provides an overall solution from back-end management to front-end display. Among them, tianti 2.3 has a reflected XSS vulnerability in the user management module through the tianti-module-admin / user /list userName parameter. | |
Matera Banco 1.0.0 is vulnerable to multiple reflected XSS, as shown in /contingency/web/index.jsp (aka Home page) url parameters. | |
ZohoManageEngine Applications Manager provides solutions for monitoring and managing J2EE underlying structures and J2EE applications. A reflected cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 (Build13800) allows remote attackers to inject arbitrary web script or HTML via the 'method' parameter to GraphicalView.do. | |
LAMS is a new generation of JAVA-based learning software jointly developed by Macquarie University in Australia, LAMS International Co., Ltd. and LAMS Foundation. . Unauthenticated reflected cross-site scripting (XSS) exists in LAMS before 3.1, allowing remote attackers in forgetPasswordChange.jsp? Introducing arbitrary JavaScript via manipulation of unspecified GET parameters during key = password change. |
The above is the detailed content of How to analyze reflected XSS. For more information, please follow other related articles on the PHP Chinese website!