Before looks at the analyst to write an article, introduced that the cross station script the safe hidden danger, at that time only knew has like this
Question, also does not have the careful reading, at present this kind of question issued frequently in some security stand, occasionally just reads this kind of article
,
Hugs was knowing that always compares did not know the good idea, the translation reorganized, original text in occasionally main page collection table of contents, wrong
The place invites
Very much direction.
OK, go ............
What is the cross station script (CSS/XSS)?
We said that the cross station script is refers to long-distance WEB in page's html code inserts has the malicious goal data, the user thinks this
The page is may trust, but when the browser downloads this page, inserting script will be explained the execution,
Sometimes the cross station script is called " XSS ", this is because " CSS " is called generally the lamination cascading style sheet, this very easy confusing,
If
You listen to somebody to mention that CSS or the XSS security crack, usually refers to is the cross station script.
XSS and script injection difference?
After the original text the author is and his friend (b0iler) discussion, only then understood that any may realize the attack by no means using the script insertion
The crack is called XSS, but also has another forms of defensive action: “Script Injection”, their difference in the following two points:
1. (Script Injection) the script insertion attack the script preservation which will insert us, in is revised in long-distance WEB page, like
: sql injection, XPath injection.
2. the cross station script is temporary, after the execution, vanished
What type's script can insert the long-distance page?
Mainstream script including the following several kinds:
HTML
JavaScript (this article discussion)
VBScript
ActiveX
Flash
Is what reason causes a stand to have XSS the security crack?
When many cgi/php script execution, if it discovered when the customer submission the request page does not have or other type mistake,
The error message will be printed to a html document, and this wrong page transmission for visitor.
For example: 404 - yourfile.html Not Found!
We will not pay attention generally to such information, but the present must study the CSS crack's origin, we carefully will look.
Example: www.somesite.tld/cgi-bin/program.cgi?page=downloads.html
This URL direction's connection is effective, but if we replace following downloads.html brainrawt_owns_
me.html
, contains 404 - brainrawt_owns_me.html Not Found! The information page will feed back gives visitor's browsing
.
Considered how it does write about ours input in the html document?
OK, the present is we inspects XSS crack's time!
Attention: Below is an example merely, this page has the XSS crack, as soon as we may insert write the javascript code to the page
. Certainly the method are many
www.somesite.tld/cgi-bin/program.cgi?page= <script>alert ('XSS_Vuln_Testing')</sc
Other pages: : 1 * 2 * 3 * 4 * 5 * Next>>
|