http://jax-work-archive.blogspot.tw/2010/05/xss.html
Upload date: 2011-07-11
The third episode in the OWASP Appsec Tutorial Series. This episode describes the #2 attack on the OWASP top 10 - Cross-Site Scripting (XSS). This episode illustrates three versions of an XSS attack: high level, detailed with the script tag, and detailed with no script tag, and then recommends resources for further learning.
2010-05-16
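Understand How XSS Attacks Work in Three Minutes
After reading the HTML security list written by CoolShell (酷壳),
I suddenly wanted to write a quick tutorial on XSS
so that more people can understand what the XSS security vulnerability is.
Before understanding XSS, you need to know how "website login (Session)" works.
![[Image]](http://3.bp.blogspot.com/_b8lN_UbLoEc/S--PIB8h9TI/AAAAAAAAHas/NEpe9d_5AF0/s1600/session+%E4%BD%9C%E7%94%A8%E5%8E%9F%E7%90%86.png)
Simply put, once a member logs in successfully, the website gives the browser a "token".
After that, whoever brings this "token" to the website is treated as already logged in.
Next, below is the simplest XSS flow.
![[Image]](http://1.bp.blogspot.com/_b8lN_UbLoEc/S--PIeHqfqI/AAAAAAAAHa0/PA0hPXc9XYE/s512/XSS+%E6%94%BB%E6%93%8A%E6%B5%81%E7%A8%8B.png)
Simply put, the hacker uses JavaScript code to steal your "token".
With this "token" he can also log in to the website under your identity,
then steal your data (personal data & transaction data),
and then sell that data to fraud rings.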
Upload date: 2009-07-01
Cross-site scripting ('XSS' or 'CSS') is an attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized user-provided data. For example, an attacker might place a hyperlink with an embedded malicious script into an online discussion forum. The purpose of the malicious script is to attack other forum users who happen to select the hyperlink. For example, it could copy user cookies and then send those cookies to the attacker. The Script Injection video should be watched before this video for greater understanding.
![[Image]](http://cdn.arstechnica.net/wp-content/uploads/2013/01/reflected-xss.png)
![[Image]](http://www.chmag.in/system/files/aug2010/xss.png)
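The two conditions described above (un-sanitized user data displayed in the page, and a login "token" that script can read) each have a standard countermeasure. The following is an added example, not code from the blog post or the videos, showing the weak form beside the hardened one; the function names, the `SESSIONID` cookie name, the token value and the sample comments are constructed for illustration.

```javascript
// Added example: all names and sample values below are constructed.

// Output-encode the characters that let text break out of HTML
// element or attribute context. Single pass, so "&" is never double-encoded.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: user-provided data goes into the page as-is, so markup in
// the comment is parsed and executed by every visitor's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: the same data is encoded, so the browser displays it as text.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Weak: the session "token" cookie is readable by any script on the page.
function sessionCookieWeak(token) {
  return `SESSIONID=${token}; Path=/`;
}

// Hardened: HttpOnly keeps the token out of document.cookie, Secure limits
// it to HTTPS, SameSite=Lax limits when it is sent on cross-site requests.
function sessionCookieHardened(token) {
  return `SESSIONID=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample comments: one with a script tag, one without
// (event-handler attribute). Both carry only a harmless marker.
const sampleComments = [
  "Nice post! <script>/* injected script would run here */</script>",
  'Nice post! <img src="x" onerror="/* injected handler would run here */">',
];

for (const comment of sampleComments) {
  console.log("unsafe:", renderCommentUnsafe(comment));
  console.log("safe  :", renderCommentSafe(comment));
}
console.log("weak cookie    :", sessionCookieWeak("constructed-token-0123"));
console.log("hardened cookie:", sessionCookieHardened("constructed-token-0123"));
```

Encoding stops the injected markup from running; `HttpOnly` limits the damage if some other injection point is missed, because the token is no longer reachable from script.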
--
※ Author: ott  Time: 2013-12-09 21:59:54
※ Edited: ott  Time: 2013-12-09 22:11:20