XSS cross-site scripting attack and Prevention

Source: Internet
Author: User

I. XSS Trojan attack simulation
The following uses the DVBBS forum (the "dynamic network" forum) as an example to walk through, step by step, what an attacker does:
Step 1: Download the source code of the DVBBS forum from the Internet and configure it in IIS. Open the forum homepage, index.asp, register a low-privilege user, enter a forum section, click the "Initiate vote" button on the page, and post a vote.

Step 2: On the "Initiate a vote" page, add a vote item and enter the classic cross-site scripting test code in the "Vote project" text box: <script>alert('xsss')</script>. The code goes where a voting item is expected; in the other fields attackers generally enter forged, normal-looking information.
Step 3: Publish the voting post once the disguise is complete. The voting post published by the attacker now contains the XSS code, and the attack fires as soon as any user opens the post. To test the effect, log out of the current user and log in with the Administrator account to open this voting post. The standard XSS dialog box appears, showing that the cross-site script constructed by the attacker succeeded.

II. Procedure analysis of an XSS elevation-of-privilege attack instance
The specific steps of the XSS elevation-of-privilege attack are as follows:
Step 1: Open the "index.asp" page on the IIS server to go to the "deep learning message board" system homepage. Click the "I want to leave a message" button at the top of the page to go to the "Add a message" page and enter the message content constructed from the code analysis.

Step 2: Click the message button to submit the message content. When the administrator next logs on to the back end for management and selects the "Message board management" option in the left-side list, the XSS is triggered directly, without clicking anything else.
Step 3: Select the "Website user management" option in the left-side navigation pane. In addition to the default administrator, a new administrator named "duoduosixu" has been added.

To prevent XSS attacks, take the following steps:
Step 1: Open IE and select Tools > Internet Options to bring up the Internet Options dialog box.
Step 2: Switch to the Security tab, select the Internet zone icon, and click the Custom Level button to bring up the Security Settings dialog box, where the security level of the Internet zone can be customized.
Step 3: Find the "Scripting" section and set "Active scripting" to "Disable".
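The IE setting above protects only that one browser; the fix on the server side is to encode the stored vote item or message text before writing it into the page. The Python example below is added here and is not part of the original article or of DVBBS; it uses the vote-item text from Step 2 as constructed input, renders it the vulnerable way and the encoded way, and flags submissions that contain markup for moderation.

```python
import html
import re

# Constructed sample input: the text an attacker typed into the
# "Vote project" box in Step 2 above, followed by two ordinary items.
VOTE_ITEMS = [
    "<script>alert('xsss')</script>",
    "Yes",
    'No & "maybe"',
]

def render_vote_unsafe(items):
    """Vulnerable pattern: untrusted text concatenated straight into HTML,
    so a stored item is executed by every browser that opens the post."""
    rows = [f'<label><input type="radio" name="vote" value="{i}"> {text}</label>'
            for i, text in enumerate(items)]
    return "\n".join(rows)

def render_vote_safe(items):
    """Fixed pattern: each untrusted item is HTML-encoded on output.
    quote=True also escapes ' and ", so the same encoding is safe inside
    a double-quoted attribute value as well as in element text."""
    rows = [f'<label><input type="radio" name="vote" value="{i}"> '
            f'{html.escape(text, quote=True)}</label>'
            for i, text in enumerate(items)]
    return "\n".join(rows)

# Anything that looks like an opening tag, a javascript: URL or an
# inline event handler attribute.
_MARKUP = re.compile(r"<\s*/?[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)

def items_needing_review(items):
    """Defender-side triage: indexes of submitted items that contain markup.
    Encoding already makes them harmless; this is for logging/moderation."""
    return [i for i, text in enumerate(items) if _MARKUP.search(text)]
```

The encoded output shows the Step 2 payload as literal text on the vote page instead of a script element, so the same post no longer fires when the administrator opens it.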
