Cross-site scripting attacks and how to guard against them
Part one: cross-site scripting attacks
Whenever we think of hackers, we tend to picture a lone person sneaking into someone else's server to destroy or steal other people's secret information. Maybe he will change our homepage; most of the time he will steal customers' credit card numbers and passwords. In addition, hackers will attack the customers who visit our site, and our server becomes their accomplice. Microsoft calls this a "cross-site scripting" attack. It mostly occurs when a web site's pages are dynamically generated, and the hacker's target is not your site but the customers browsing it.
Description of cross-site scripting attacks
In advisory CA-2000-02, CERT warns that if the server does not validate customer input, hackers can enter malicious HTML code. When that HTML code is used in a script program, they can use it destructively, for example by inserting disgusting pictures or sounds, and they can also prevent the customer from browsing the web page correctly.
We know that some friends have been lured to suspicious "free" sites where all they get is 10 to 20 small windows, often accompanied by non-functional buttons generated by Java or JavaScript. This is called a mouse trap. Closing the windows is futile: every time we close one, 10 more pop up. This often happens when the administrator is not there. The mouse trap is a typical example of a hacker using cross-site scripting to attack customers.
Malicious tags and scripts are not simple pranks; they can even steal information and wreck systems. A smart hacker can use script to interfere with or change the data entered into the server. Script code can also be used to attack the client system and make your hard drive burn. And remember, when you use the server, the hacker's script is also running in the secure area of your server! If customers trust your server, they will also trust the malicious script code, even when this code comes from a hacker's server in the form of <script> or <object>.
Even using a firewall (SSL) does not prevent cross-site scripting attacks. That is because if the device that generates the malicious script code also uses SSL, the SSL on our server cannot identify the code. Are we going to hand the site our customers once trusted so much over to hackers? The existence of this kind of damage will also hurt your website's reputation.
One, cross-site scripting attack example:
According to CERT's data, dynamic input takes roughly these forms: URL parameters, form elements, cookies, and data requests. Let us analyze a site that has only two pages; the site name is mynicesite.com. The first page uses a form or a cookie to obtain the user name:
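<%@ Language=VBScript %>
<% If Request.Cookies("UserName") <> "" Then
    ' A user name is already stored in the cookie: pass it on to page 2.
    ' The value is appended to the URL without any validation or encoding.
    Dim strRedirectUrl
    strRedirectUrl = "Page2.asp?username="
    strRedirectUrl = strRedirectUrl & Request.Cookies("UserName")
    Response.Redirect(strRedirectUrl)
Else %>
<HTML>
<HEAD>
<TITLE>mynicesite.com Home page</TITLE>
</HEAD>
<!-- the form that asks for the user name goes here -->
</HTML>
<% End If %>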
When you type ordinary text, everything is normal. If you enter the script code <script>alert('Hello.');</script>, a JavaScript alert box pops up.
The alert box will also appear on your next visit, because the script code was left in the cookie after the first visit. This is a simple example of a cross-site scripting attack.
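The following Python sketch is an added example, not code from the original article or from the site it describes. It shows the server-side guard for the username value above: decode first, validate against an allow-list, and HTML-encode on output. It goes slightly beyond this section by also feeding in the same script written entirely in hexadecimal (%XX) form. The allowed character set, the function names and the sample link are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: user names on this site are short and use only these characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Constructed sample input: the script from the text, and a link that carries
# the same script with every byte written in hexadecimal (%XX) form.
RAW = "<script>alert('Hello.');</script>"
HEX_URL = ("http://mynicesite.com/Page2.asp?username="
           + "".join("%%%02X" % b for b in RAW.encode("ascii")))

def username_from_url(url):
    """Return the decoded username parameter, or None if it is absent."""
    values = parse_qs(urlsplit(url).query).get("username")
    return values[0] if values else None

def is_valid_username(value):
    """Allow-list check, applied to the decoded value."""
    return value is not None and USERNAME_RE.fullmatch(value) is not None

def redirect_target(value):
    """Build the page 2 redirect only for values that pass validation."""
    if not is_valid_username(value):
        return None  # caller should show the login form again
    return "Page2.asp?username=" + quote(value, safe="")

def render_vulnerable(value):
    # 'Before': the value reaches the HTML unchanged, so tags in it are live.
    return "<h1>Hello, " + value + "</h1>"

def render_hardened(value):
    # 'After': HTML-encode on output so the browser shows the text as text.
    return "<h1>Hello, " + html.escape(value, quote=True) + "</h1>"

if __name__ == "__main__":
    decoded = username_from_url(HEX_URL)
    print("link as sent:    ", HEX_URL)
    print("decoded value:   ", decoded)
    print("passes allowlist:", is_valid_username(decoded))
    print("vulnerable page: ", render_vulnerable(decoded))
    print("hardened page:   ", render_hardened(decoded))
```

Because validation runs on the decoded value, the hexadecimal form of the link is rejected exactly like the plain one, and the encoded output stays inert even if validation is skipped.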
If you think this is a special case, you might as well go elsewhere on the Internet and try it out for yourself. I have tested some big government, educational and commercial websites, and some of them do show the behavior described above. I even found that a site where I often use my credit card does no filtering at all, which is really frightening to think about.
Two, using e-mail for cross-site scripting attacks
Cross-site scripting attacks are particularly easy to use against list servers, Usenet servers and mail servers. The following example again uses the mynicesite.com web site. Because you visit this website often and its content is so appealing that you cannot put it down, you have, without realizing it, changed your browser settings to always trust this dynamic site's content.
The mynicesite.com web site earns revenue by selling the email addresses of people who subscribe to its email messages, which is a really bad idea. So I bought its email addresses and sent a lot of email to you. In the letter I told you to visit the website as soon as possible and check the latest information on your account usage. To make it convenient for you, I also put a link in the letter, and I embedded script code in the username parameter of the link's URL. Some customers unwittingly clicked on this link, which means that they fell for my trick (pictured), and I benefited from it:
It works like this: when you click on the link, the script code in the link directs your browser to download my JavaScript program and execute it. My script checks that you are using the IE browser and then starts downloading the ActiveX control ParticularlyNasty.dll. Because you previously decided that the content of this site is always safe, my script code and ActiveX control are free to run on your machine.
Three, ActiveX attack description
When discussing ActiveX, neither CERT nor Microsoft mentioned the dangers posed by the cross-site scripting approach. The consortium's <<Security FAQ>> describes the security issues in more detail. A Java applet's control over the system is strictly limited. When Sun developed it, it stipulated that only operations that pose no threat to the security of the system are allowed to run.
ActiveX, on the other hand, is not strictly restricted in what it can do to the system. Once a control is downloaded, it can do whatever it wants, just like an installed executable program. Because of this, the IE browser imposes some restrictions; for example, by default it will not allow a download from an insecure site, or it will warn you. Companies doing ActiveX-based development, such as VeriSign, number ActiveX controls. When you download a control, IE warns you and shows you how trustworthy it is. The user decides whether to trust the control. As a result, the security of the system increases.
However, users with little experience often change the original settings without realizing it, so that controls are downloaded without any prompt. In addition, a novice will often go ahead and download unmarked controls even when prompted. In our example, because of your trust in the site, you have changed your browser's settings so that the ActiveX control is downloaded without any prompt and starts running on your machine without your knowledge.
Four, hex-encoded ActiveX script attack
It is very difficult to distinguish tags and scripts with bad intentions. A script can also hide itself in hexadecimal form. Let's take a look at the following e-mail example. It was sent out in hexadecimal form:
This is almost a complete message containing a hex-encoded, forged URL parameter: sender=mynicesite.com. When the user clicks on the link, the user's browser will start the first example of the process and