Security testing (XSS / CSRF attacks)

Web security: XSS attacks

XSS stands for Cross-Site Scripting, a type of injection attack. The basic approach is to inject malicious script into the target site. When the browser opens the target site it cannot tell which scripts are malicious, so it executes the injected script just like the site's own, and the user's data and other sensitive information can be stolen and leaked (most often the cookie).

XSS is generally divided into two types: persistent XSS and non-persistent XSS.

Persistent XSS: the injected script is saved in the database.

Non-persistent XSS: the injected script is not saved in the database.
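The two shapes above differ only in where the untrusted text comes from (the database versus the current request); the defence is the same in both cases: encode untrusted data before it is written into HTML. The following is an added example, not code from the original post, showing a vulnerable and a hardened rendering of each shape. The template functions, the escape helper and the sample payload are all illustrative and constructed for this demo; no web framework is used.

```javascript
// Added example, not code from the original post: HTML output encoding,
// the basic defence against both persistent (stored) and non-persistent
// (reflected) XSS. Names below are illustrative; no framework is used.

// Escape the five characters that can change how the browser parses HTML.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Persistent XSS shape: a comment read back from the database is pasted
// straight into the page, so every visitor who loads the page runs it.
function renderCommentUnsafe(storedComment) {
  return `<div class="comment">${storedComment}</div>`;
}

// Non-persistent (reflected) XSS shape: a query parameter from the current
// request is echoed back, so only the user who opened that URL is affected.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened versions: same templates, untrusted data passed through escapeHtml.
function renderCommentSafe(storedComment) {
  return `<div class="comment">${escapeHtml(storedComment)}</div>`;
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Illustrative check only: does the rendered HTML still contain a script
// element that came from user data? (Real detection would use an HTML
// parser or Content-Security-Policy reports, not a regex.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a harmless proof-of-concept payload.
const SAMPLE_PAYLOAD = 'hello <script>alert(document.cookie)</script>';

// Stand-alone demo.
console.log('stored, unsafe :', containsScriptTag(renderCommentUnsafe(SAMPLE_PAYLOAD)));  // true
console.log('stored, safe   :', containsScriptTag(renderCommentSafe(SAMPLE_PAYLOAD)));    // false
console.log('reflected, unsafe:', containsScriptTag(renderSearchUnsafe(SAMPLE_PAYLOAD))); // true
console.log('reflected, safe:', renderSearchSafe(SAMPLE_PAYLOAD));
```

Output encoding must match the context the data lands in: the table above is correct for HTML text and attribute values, but data placed inside a `<script>` block, a URL, or a CSS value needs a different encoder.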

Web security: CSRF attacks

CSRF stands for Cross-Site Request Forgery. In short, the attacker abuses the current user's logged-in state to send requests in that user's name and make the victim do something harmful without knowing it.

Suppose Alice wants to transfer 100 dollars to Bob through the bank.com website, and bank.com has a security flaw: it cannot prevent CSRF attacks. Maria, an attacker, wants to trick Alice, by some illegal means, into transferring money to her. Here is how she proceeds:

  1. Construct an attack link or script
  2. Lure Alice, through a social networking site, into clicking the link or running the forged script

A simple example

Suppose bank.com's transfer function passes its parameters via GET, as shown below:

GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

What does Maria do now? To make Alice a victim, she forges a URL that transfers 10000 dollars from Alice's account to her own. She achieves this simply by replacing the parameters in the link:

http://bank.com/transfer.do?acct=MARIA&amount=100000

Now she has to induce the victim to click the link above or execute the script. There are generally a few ways:

  • Automatically send spam emails that contain HTML content
  • Build a malicious page, or place a malicious script or link on a site that Alice visits frequently while browsing the bank site

For example, disguise it as an ordinary link to encourage the victim to click:

<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">Look at my photo!</a>

Or construct a 0x0 image:

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" border="0"> 

Put the image above into an email; as soon as Alice receives the email, the link is requested automatically.

If Alice has just logged into bank.com and then clicks the link above or opens the email, the request above is sent with her bank.com login state, and the transfer takes place.

Note that clicking the picture itself does not capture the login state; with the constructed 0x0 picture (its size is not shown), the request is likely to be made as soon as the page opens. Nowadays a transfer additionally requires a transfer password.


Source: www.cnblogs.com/xiongww/p/11037276.html