Injection tricks the server side into executing code by appending a code fragment to user input. If the server uses that input to form the final call to the system, the fragment is executed along with it. SQL injection adds an extra SQL fragment to a query; command injection happens when a system call is built from the input. Remote code execution exploits a web server's handling of input on the same principle.
Cross-site scripting (XSS), on the other hand, injects code into the client side (the web browser). The browser dutifully executes all JavaScript it receives. Stored XSS exploits web pages that embed data stored in a database: the attacker sends data containing a <script> segment to the server, and when a user retrieves that data (e.g. in a chat group), it is placed inline in the final web page and the browser executes the code.
Reflected XSS uses the HTTP request to insert code into the returned web page, since some sites include part of the URL in the page. To mitigate it, the server must sanitize the URL before embedding it in the page it returns. DOM-based XSS exploits the URI fragment, the part of the URL after the '#' character. The fragment instructs the browser to scroll automatically to the part of the page whose label matches it. The fragment is not saved with the URL in a bookmark. Because the fragment is not sent to the server, the server side cannot sanitize the URL effectively.