Rooling bils, I can hack clients!
-Know your enemy
Nothing on this blog is SEO-optimized; it is written purely for my own entertainment and traffic is not a concern, which is why this post carries an obscure English title.
The English title of this article is adapted from Aditya K Sood's talk at XCon 2008, "Change, Client attacks". The subtitle is borrowed from the Know Your Enemy white paper series of the well-known information security organization The Honeynet Project.
Aditya K Sood is an information security researcher I dislike, for the following reason:
Comrade Aditya K Sood is a fellow from India, over thirty years old, who travelled all the way to China to promote his company's products. This guy, under the guise of a technical exchange and with product promotion as his real motive, seriously cut into the attendees' meal time and treated selling as his own personal mission. What kind of spirit is this? It is an extremely bullshit spirit...
Annoying as he was, I have to admit that with the arrival of the Web 2.0 era, web security has gradually shifted from server security towards client attacks. My own study and research, even during my internship, had been in system security and anti-virus; web security, and client attacks in particular, I only really got a feel for here.
Back from Beijing, with some idle hours, a few of us ran security checks and audits on some of the school's internal websites and found many security defects, which we cannot publish here.
Based on the vulnerabilities we already know about and other related inferences, we can draw one conclusion from all the security issues combined: you only need to know the name of any student at the school and we can obtain all kinds of private information about them; basically, anything you can think of, we can get.
In general, most of the security defects are client-side security issues whose consequence is that users' privacy is compromised. Client attacks do no harm to the server, and they even bring indirect benefits to the website owner, so these vulnerabilities get no attention from the program developers. The end result is that the personal privacy of the service's users, that is, the clients, is not protected; the privacy of the service provider's users is simply ignored.
The specific vulnerability types can be disclosed. Almost all of the websites have XSS vulnerabilities; combined with cookie spoofing, the damage extends to identity theft, phishing and Trojans. Most of the websites have permission authentication errors, or their permission checks can be bypassed, so a user's private data can be stolen without knowing the account or password. Some websites have cookie definition defects, so cookies can be forged directly. More seriously, most of the above vulnerabilities can be chained and exploited together.
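As an added illustration (not code from the original post), the cookie definition defect described above beside a hardened alternative: the weak scheme stores the identity in the cookie itself, so anyone who knows a username can forge it, while the signed scheme binds the name to an HMAC under a server-side key, and the Set-Cookie attributes blunt the XSS cookie-theft chain. The key, usernames and cookie layout are constructed assumptions.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo secret: in a real deployment this comes from a secret
# store, never from source code.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def weak_cookie(username: str) -> str:
    """The 'cookie definition defect' pattern: the cookie is just the identity."""
    return f"user={username}"


def weak_cookie_user(cookie: str) -> Optional[str]:
    """Weak server side: trusts whatever name the cookie carries, so knowing a
    username is enough to forge a cookie that is accepted as that user."""
    if cookie.startswith("user="):
        return cookie[len("user="):]
    return None


def signed_cookie(username: str) -> str:
    """Hardened scheme: append an HMAC-SHA256 tag computed under the server key."""
    tag = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{tag}"


def signed_cookie_user(cookie: str) -> Optional[str]:
    """Accept the name only if its tag verifies; forged or tampered cookies
    yield no identity at all."""
    username, sep, tag = cookie.rpartition(".")
    if not sep or not username:
        return None
    expected = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return username


def set_cookie_header(name: str, value: str) -> str:
    """HttpOnly keeps page script (an XSS payload) from reading the cookie,
    Secure keeps it off plaintext HTTP, SameSite limits cross-site sending."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(weak_cookie_user("user=alice"))              # alice (forged, accepted)
    print(signed_cookie_user("alice.0000deadbeef"))    # None (forged, rejected)
    print(signed_cookie_user(signed_cookie("alice")))  # alice (genuine)
    print(set_cookie_header("session", signed_cookie("alice")))
```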
Over the summer vacation I discussed privacy collection and theft with a security researcher from the industry. Our conclusion was that social engineering will be used far more widely in future information security confrontations, and that security has evolved from technical protection to awareness protection. Coincidentally, in December 2009 Trend Micro published a paper on security threats and predictions for 2010, and one sentence in it reads: "Social engineering will become increasingly prevalent and clever." Oh, it looks like our conversation has been plagiarized...
Calamities sent by Heaven may still be escaped; calamities of one's own making cannot be survived. So many websites with so many vulnerabilities: apparently we are throwing our users' privacy away. During the security check I also found a vulnerability that could allow attacks on the server; it is expected to be exploitable and the hazard is serious, and I expect to carry out further penetration after returning to the center.
-EOF-