XSS

http://www.dotblogs.com.tw/tsxz2009/archive/2013/05/07/103080.aspx

For example, some websites' backends do not handle input properly and allow a script to be added.
Take something like a comment: every time that comment is loaded, it can embed a script, which then harvests the user's information.
XSS enables attackers to inject client-side script into Web pages viewed by other users.
The expression “cross-site scripting” originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (a reflected or non-persistent XSS vulnerability).

http://en.wikipedia.org/wiki/Cross-site_scripting

Why is it called cross-site?

Because that script did not originally belong to the site being attacked.

Prevention:

1) encode input, and decode it when it needs to be displayed

2) validate untrusted HTML input: sanitize the parameter

3) One example is the use of additional security controls when handling cookie-based user authentication. Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies. To mitigate this particular threat (though not the XSS problem in general), many web applications tie session cookies to the IP address of the user who originally logged in, and only permit that IP to use that cookie.

4) disable scripts if the website does not have scripts
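The comment scenario above and prevention rule 1, as an added example that is not code from the original post: a constructed comment string is rendered once by plain string concatenation and once with HTML entity encoding (Python's `html.escape`). The template, the sample comment, the author value and the `markup_intact` check are assumptions made for this demo.

```python
import html

# Constructed sample comment body (not from the original page): the kind of
# text a comment form receives when the backend accepts raw HTML.
SAMPLE_COMMENT = 'Nice post <script>alert("xss")</script> "quoted" & more'

# Constructed author value that tries to close the data-author attribute.
SAMPLE_AUTHOR = 'bob" onmouseover="alert(1)'

# Assumed page template: untrusted text lands in an attribute and in the body.
TEMPLATE = '<div class="comment" data-author="{author}">{body}</div>'


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the markup.

    Every time the stored comment is loaded, the browser parses the
    <script> tag as code and runs it in the site's origin (stored XSS).
    """
    return TEMPLATE.format(author=author, body=body)


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: encode untrusted text for the HTML context it lands in.

    html.escape turns & < > into entities so the browser shows the comment
    as text; quote=True also encodes " and ' so a value placed inside an
    attribute cannot break out of it.
    """
    return TEMPLATE.format(
        author=html.escape(author, quote=True),
        body=html.escape(body, quote=True),
    )


def markup_intact(rendered: str) -> bool:
    """Demo check: untrusted text neither opened a script tag nor closed the
    attribute quote (the output has exactly the template's own quotes).
    This is evidence that encoding worked, not a sanitizer.
    """
    return ("<script" not in rendered.lower()
            and rendered.count('"') == TEMPLATE.count('"'))


if __name__ == "__main__":
    for render in (render_comment_unsafe, render_comment_safe):
        out = render(SAMPLE_AUTHOR, SAMPLE_COMMENT)
        print(render.__name__, "->", out)
        print("  markup intact:", markup_intact(out))
```

This encodes at render time for both the body and attribute contexts, which is the "when needed to display" step of rule 1; the stored comment itself can stay as the user typed it.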

http://lifeiskuso.blogspot.com/2009/08/cross-site-scripting-xss.html

Cross-Site Scripting is translated into Chinese as "跨站腳本攻擊" (cross-site script attack), abbreviated XSS. It is a technique in which an attacker uses a field on a website that lets users enter characters or strings to insert HTML and script, so that when other, normal users view the page, their browser automatically downloads and executes part of the malicious code, or they are covertly redirected to a malicious website, and are affected in some way.

http://www.baike.com/wiki/%E9%98%B2%E8%8C%83XSS%E8%B7%A8%E7%AB%99%E5%BC%8F%E8%84%9A%E6%9C%AC%E6%94%BB%E5%87%BB
