{"id":7635,"date":"2017-10-17T15:39:58","date_gmt":"2017-10-17T15:39:58","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=887"},"modified":"2025-07-09T07:15:58","modified_gmt":"2025-07-09T07:15:58","slug":"a-step-further-demystifying-xss","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/a-step-further-demystifying-xss\/","title":{"rendered":"A Step Further \u2014 Demystifying XSS"},"content":{"rendered":"

<\/h1>\n

\"\"<\/a><\/p>\n

Here is a comprehensive tutorial on cross-site scripting (XSS) attacks, ranging from entry to practice.<\/p>\n

Overview<\/strong><\/h2>\n

\"\"<\/a><\/p>\n

Note that XSS attacks are classified according to different angles in the preceding figure, but not simply classified into reflective XSS, stored XSS, and DOM-based XSS.<\/p>\n

In essence, XSS is injection of HTML code and JavaScript code. This kind of attacks is often not taken seriously by developers as it targets the browser side which is equivalent to the client side.<\/p>\n

Regular XSS attacks can be detected with a simple method: If a complete parameter or part of a parameter typed by a user is included in the source code, an XSS vulnerability is deemed to exist.<\/p>\n

\"\"<\/a><\/p>\n

We can use a scanner to get rid of most regular XSS attacks as the scanner is good at\u00a0pattern recognition and can easily find the characters that we just typed in HTML code.<\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

Until one day, a type of XSS attacks without any trace in source code emerged. It turns out that XSS attacks may not be as simple as we thought.<\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

About Document Object Model<\/h2>\n

Document Object Model<\/h3>\n

Document Object Model (DOM) is a well-known programing API.<\/p>\n

DOM is a method that presents page elements in the form of objects in a tree-like hierarchy to facilitate the handling by JavaScript.<\/p>\n

\"\"<\/a><\/p>\n

Common DOM Method<\/h3>\n

Users can access HTML DOM through JavaScript (and other programming languages). All HTML elements are defined as objects for which the HTML DOM API defines methods and attributes.<\/p>\n

\"\"<\/a><\/p>\n

Four Important DOM Properties<\/h3>\n

nodeName<\/strong>: specifies the name of a node.<\/p>\n