Wednesday, 20 June 2012

Cross Site Scripting – XSS – Tutorial

1. What is Cross Site Scripting?
Cross-site scripting (XSS or) is the most common web-level attacks. XSS is normally a page of the script, the client (the user's Internet browser) and server side trigger is embedded. XSS is a threat, and some Internet security client, HTML - and (as you do in VB script, ActiveX, HTML, or as a flash), the use of scripting languages ​​for the main culprits have been vulnerable. Client-side scripting XSS and web of malicious users to manipulate the structure. Each time the page is loaded, a page or an event, the management of a scenario can be installed to run it.
XSS is a simple example of a reference scenario for the trade to replace malicious user injects, and that redirects a user to a fake site, but the same da.aurkezteko, and control methods


A trick is to use a less dangerous topic, it's URL - encoded (or other encoding methods), it is clear, XSS, hex. Users know that, you know that the address is ignored, and encrypted and, therefore, the code will be dark on the third gallery, the damage appears to be deceived.
(2) Site owners are always safe, but so are hackers.
The technical details are complex, many cases, the critical XSS vulnerable web application may need to use. Many site owners use the XSS database at the end of the floor to steal sensitive information can not be distributed. An error is a normal web application, and the consequences of XSS against their customers, very serious, both in terms of implementation and effectiveness of business operations is displayed. Online business plan not only their customers, current and future loss of confidence because I really never able to destabilize their site to prove vulnerable to XSS. Ironically, stories, site owner, who boldly asserted that the XSS is not really a big risk to use a lot. This is often a challenge to hackers, led by the public will always be accepted by the owner of the web application, hearing the pain and itching.
(3) Echoes and XSS,
Different cases, which are analyzed in detail from the XSS program continues to change how the web technology firm that is not a place you can use. An extensive search of the largest corporate Web site XSS using a lot of stories, the deep wound, and in this case report, a kind of repetitive, always has the same effect as shown.
XSS exploit is used to obtain the following negative results:
* Identity theft
* Sensitive or restricted information
* Other ways to give free access to the content
* Members' web browsing habits agents
* Browser functionality to change the
* Personal or corporate public scandal
* Web application loss
* Denial of service attacks
Each owner has an integrity of the site that it is really not a healthy level, we agree vulnerable small or inconsequential to affect. Hacker credit card information and the participants, the opportunity for them to carry out the transactions by the disadvantages of high profile site. Redirects users to a malicious Web site that links to legal, but fair, look for the deposit of turn, they have all the details and send them directly to the hacker tricked. Click on this model, companies can not play as bad as a fracture in the database, but needs to turn web visitors or customers of insurance, business trust, responsibility and effort it takes to lose, can be affected.
(4) A practical example of XSS Acunetix test page.
The following example is not a hacking tutorial. This is very complex, especially for XSS is used for advanced users go. For example, to set off the call without the knowledge of the semicircle to try, you will find interesting, I'm sure.

1. Load the following link in your browser:


http://testasp.vulnweb.com/Search.asp
You will notice that the page is a simple page with an input field for running a search



2. Try to insert the following code into the search field, and notice how a login form will be displayed on the page:



Page through the XSS flaw, it is possible to create a convincing fake login form to collect user credentials. Second Step, as shown in the code "destination.asp" has a part that was mentioned. This is where the hacker will send users to a fake login form to report details of the decision must be taken and can be used maliciously.
A hacker can be injected into the browser address bar to go through this number as follows: ...

Code:
http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3C form+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+ length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value %3DLOGIN%3E%3C%2Fform%3E

Will create the results page, which shows how XSS can be used in different ways to get the same results. When a hacker makes a user login features, you can easily cause the browser to the search page, as before, and consumers have realized that he was duped. This example can be found in the use of all spam email we receive. It is very common to find my email and said that the number of auction sites on suspicion that an individual is using your account, maliciously, and then asks you to click the link to confirm your identity. This is the same, which leads unsuspecting users to a false version of the auction site, and records user logon attributes hackers.
3. Why wait to be hacked?


When new stories can be published in the latest hacks brands and large corporations in the observed sites owned business owned by a limited budget, as these sites have been hacked in the same way that it is not. This is clearly an issue of lack of security, how, but the lack of awareness among businesses of all sizes rely on directly. Statistics, safety inspection, 42% of web applications that require a clear test of all applications that are most repeated high-risk operation, XSS, vulnerable. Application of an expert hacker to use the weak to last more than efforts to raise awareness about how easy it is not likely. Common thinking that many still see a lot of money to lose at risk and the site owners rely on their customers and long lasting, "I get hacked, we'll see." To investigate this question with an interest in anything, even more than XSS security experts claim that the person who is truly respected and web applications can be used to achieve serious results will be comfortable in the state. However, further investigations will prove that the statistical figures and the statistics speak for themselves, which will continue growing at a rate of haze "experts" claim incredulous.










0 comments:

Post a Comment

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | Lady Gaga, Salman Khan