Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
| Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
| modul:m183:learningunits:lu10:lu10a [2025/12/27 19:08] – [How Stored XSS Endangers Users] dgaravaldi | modul:m183:learningunits:lu10:lu10a [2025/12/27 21:02] (aktuell) – dgaravaldi | ||
|---|---|---|---|
| Zeile 6: | Zeile 6: | ||
| \\ | \\ | ||
| - | \\ | + | ==== Types of XSS Attacks ==== |
| - | ===== Types of XSS Attacks | + | |
| There are **two major types** of cross-site scripting attacks commonly discussed: | There are **two major types** of cross-site scripting attacks commonly discussed: | ||
| Zeile 14: | Zeile 13: | ||
| * **Reflected XSS (Non-Persistent)** – A malicious script is embedded in a URL or request, then reflected off the web server back to the user’s browser when the link is visited. | * **Reflected XSS (Non-Persistent)** – A malicious script is embedded in a URL or request, then reflected off the web server back to the user’s browser when the link is visited. | ||
| - | |||
| - | \\ | ||
| \\ | \\ | ||
| - | ===== What is Stored Cross-Site Scripting | + | ==== What is Stored Cross-Site Scripting ==== |
| To execute a **stored XSS attack**, the attacker must find a vulnerability in a web application where user input is stored without proper validation or escaping. A common example is when a comment field or form accepts HTML input and embeds it directly into pages viewed by other users. | To execute a **stored XSS attack**, the attacker must find a vulnerability in a web application where user input is stored without proper validation or escaping. A common example is when a comment field or form accepts HTML input and embeds it directly into pages viewed by other users. | ||
| - | |||
| - | {{stored_xss_example.png? | ||
| **Example**: | **Example**: | ||
| \\ | \\ | ||
| - | \\ | + | ==== Stored XSS Attack — Step by Step ==== |
| - | ===== Stored XSS Attack — Step by Step ===== | + | {{: |
| - | 1. The attacker discovers a page with an input field that allows HTML. | + | |
| - | 2. They insert malicious JavaScript code into that field. | + | - The attacker discovers a page with an input field that allows HTML. |
| - | 3. The application stores and later serves that code as part of normal content. | + | |
| - | 4. When other users visit the page, their browser executes the attack script. | + | |
| + | | ||
| \\ | \\ | ||
| - | \\ | + | ==== How Stored XSS Endangers Users ==== |
| - | ===== How Stored XSS Endangers Users ===== | + | |
| Stored XSS is especially dangerous because: | Stored XSS is especially dangerous because: | ||
| Zeile 43: | Zeile 38: | ||
| * Malicious payloads can embed external JavaScript that reports user data back to the attacker. | * Malicious payloads can embed external JavaScript that reports user data back to the attacker. | ||
| + | \\ | ||
| + | ==== Related Topics ==== | ||
| + | [1]: https:// | ||
| - | ===== Related Topics ===== | + | [2]: https:// |
| - | [1]: https:// | + | |
| - | [2]: https:// | + | |
| - | [3]: https:// | + | |