Advanced phishing attacks in social networks

Creative Commons License. Copyright: attribution required; others may create works based on this article, and must distribute them under the same license as the original (Creative Commons).

Resting over the Dragon Boat Festival. Lately there are slightly too many good public accounts and similar messages to listen to, ah; the reason that matters: they interfere with thinking ......

Keeping to my usual style: my own personal public account is "lazy thinking", but I have not posted anything there for a long, long time, which really lives up to the word "lazy". The public account (Site Security Center), on the other hand, is settled: security content like this will be posted there.

For some time I have been writing popular-science pieces about tool users and big-data hacking. Starting today I am changing the flavour, so let's look at some of the "scary" attacks among front-end attacks.

Today I will talk only about advanced phishing

If people understood phishing attacks in depth, they would probably turn pale at the very mention of "fish". I will not write too much in this popular-science piece. Put simply, this attack is almost a blank in the public's mind, so after reading this article many people will still be smug: "anyway, I will not be caught". I usually save the in-depth explanation for internal security training, and if there is time I plan to write a whole paper on it, which should be very exciting.

Think about it: in a social network (Weibo counts; anything with social attributes counts), there are many UI elements specific to that network that we have grown used to, such as a pretty login page, settings page, change-password page, pop-up layer, chat box, message interface, and so on. We see them every day and become accustomed to the style, so when a new feature in a similar style appears one day (such as a pop-up layer prompting "abnormal password, change password"), we do not doubt it; we think it is a friendly new feature ......

All of these can be forged with JavaScript, and forged extremely convincingly, without much code. Why? Thanks to the great front-end engineers, who have encapsulated many super convenient interfaces :)

With just one XSS (cross-site scripting) flaw, an attacker can introduce arbitrary JavaScript, ghost-like, forge a fake interface that looks real, and capture the critical data they want; the goal is achieved. In fact, a truly advanced attack avoids phishing whenever it can, because more interaction means more attack complexity: a piece of JavaScript may be able to obtain data such as clear-text passwords and other private information through a number of hacking techniques, with just one trick.

In a social network, good user experience is the first priority, and an attacker pays attention to good user experience too. Even without XSS the attack can be done; think about how the interface would be disguised. It is just that with XSS the attack is more authentic (what I often call a "native" attack).

Besides the native UI, the site's own JS library interfaces can be used as well. As a small joke on weibo.com: open your own Weibo in Chrome, press F12 to open "Developer Tools", and in the Console copy in the following code and press Enter to execute:

STK.core.io.ajax({method:'POST',url:'/aj/message/add',args:{text:document.cookie.substr(0,300),screen_name:'%E4%BD%99%E5%BC%A6'}})

Such clean code; for an attacker it is all the more convenient :D
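
A defensive counterpart to the console snippet above, as an added example that is not part of the original post: a server-side check for a message endpoint that flags a message whose text contains a cookie value sent with the same request. The function names, the 16-character threshold and the sample cookies are assumptions made up for illustration; the check also covers truncated values, since the snippet sends only the first 300 characters.

```javascript
// Added example (not from the original post). Server-side check for a
// message-posting endpoint: does the message body contain a cookie value
// that arrived with the same request?
const MIN_LEN = 16; // assumption: shorter values (e.g. "lang=en") are ignored

// Parse a Cookie request header ("a=1; b=2") into [name, value] pairs.
function parseCookieHeader(header) {
  return (header || '')
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.includes('='))
    .map((part) => {
      const i = part.indexOf('=');
      return [part.slice(0, i), part.slice(i + 1)];
    });
}

// decodeURIComponent throws on malformed input; fall back to the raw string.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Return the names of cookies whose value (or its first MIN_LEN characters,
// so a value cut off by truncation is still caught) appears in the text.
function leakedCookieNames(messageText, cookieHeader) {
  const haystacks = [messageText, safeDecode(messageText)];
  const leaked = [];
  for (const [name, value] of parseCookieHeader(cookieHeader)) {
    for (const candidate of new Set([value, safeDecode(value)])) {
      if (candidate.length < MIN_LEN) continue;
      const probe = candidate.slice(0, MIN_LEN);
      if (haystacks.some((h) => h.includes(probe))) {
        leaked.push(name);
        break;
      }
    }
  }
  return leaked;
}

// Constructed sample request: cookie names and values are made up.
const sampleCookies = 'lang=en; SESSION=9f8e7d6c5b4a39281716abcdef012345; theme=dark';
const leakySample = leakedCookieNames(sampleCookies.slice(0, 40), sampleCookies);
const normalSample = leakedCookieNames('see you at lang=en class tonight', sampleCookies);
console.log(leakySample, normalSample);
```

Session cookies marked HttpOnly never appear in document.cookie, so this check is a second layer for cookies that scripts can still read.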

Phishing is nothing more than deception, and advanced phishing attacks that use XSS inside a social network are really hard to detect. I pointed out this kind of attack long ago, and I feel it has become increasingly popular, which is why "hacker art" has been mentioned so often this year. Well, in order to survive, hackers have become more devious and have come into contact with art; the purpose of the art is visual deception.

Finally: a little more vigilance, one less leak ......


Origin blog.csdn.net/kclax/article/details/92130584