1. M?c ��ch c?a t?n c�ng XSS
Ph? thu?c v�o m?c ��ch c?a hacker, nh?ng �o?n Javascript ��?c ch�n v�o �? l?y nh?ng th�ng tin nh�:
Cookie: hacker c� th? l?y ��?c cookie c?a ng�?i d�ng v� d�ng nh?ng th�ng tin trong cookie �? gi? m?o phi�n truy c?p ho?c l?y nh?ng th�ng tin nh?y c?m kh�c ��?c l�u trong cookie.
Keylogging: hacker c� th? ghi l?i nh?ng thao t�c g? ph�m c?a ng�?i d�ng b?ng c�ch s? d?ng s? ki?n addEventListener trong Javascript v� g?i t?t c? nh?ng thao t�c g? ph�m �� v? cho h?n �? th?c hi?n nh?ng m?c ��ch nh� ��nh c?p c�c th�ng tin nh?y c?m, l?y m?t kh?u truy c?p website ho?c m? s? th? t�n d?ng...
Phishing: hacker c� th? thay �?i giao di?n c?a website b?ng c�ch thay �?i c?u tr�c HTML trong trang web �? ��nh l?a ng�?i d�ng. Hacker c� th? t?o ra nh?ng form ��ng nh?p gi? nh?m l?a ng�?i d�ng ��ng nh?p v�o �? ��nh c?p m?t kh?u.
2. C�c d?ng t?n c�ng XSS
Tr�?c ��y, XSS ch? ��?c chia th�nh 2 d?ng g?m Persistent v� Non-Persistent. V�o n�m 2005, ng�?i ta �? th�m v�o m?t d?ng t?n c�ng XSS kh�c, �� l� DOM-based XSS. V? v?y XSS c� th? ��?c chia th�nh 3 d?ng sau ��y:
Persistent XSS (hay c?n g?i l� Stored XSS)2.1. Persistent XSS (Stored XSS)
Non-Persistent XSS (hay c?n g?i l� Reflected XSS)
DOM-based XSS
Stored XSS l� d?ng t?n c�ng m� hacker ch�n tr?c ti?p c�c m? �?c v�o c� s? d? li?u c?a website. D?ng t?n c�ng n�y x?y ra khi c�c d? li?u ��?c g?i l�n server kh�ng ��?c ki?m tra k? l�?ng m� l�u tr?c ti?p v�o c� s? d? li?u. Khi ng�?i d�ng truy c?p v�o trang web n�y th? nh?ng �o?n script �?c h?i s? ��?c th?c thi chung v?i qu� tr?nh load trang web.
D?ng t?n c�ng b?ng Stored XSS ��?c m� t? nh� sau
Nh� h?nh tr�n, ta c� th? th?y ��?c qu� tr?nh t?n c�ng nh� sau
- Tr�?c ti�n, hacker s? khai th�c l?i Stored XSS tr�n website b?ng c�ch t?m nh?ng form (khung ��ng k?, khung comment, khung li�n h? ...) kh�ng ��?c ki?m tra k? d? li?u �?u v�o v� ti?n h�nh ch�n c�c �o?n m? �?c v�o c� s? d? li?u.
- Sau �� khi ng�?i d�ng truy c?p v�o trang web c� ch?a d? li?u li�n quan �?n c� s? d? li?u n�y th? ngay l?p t?c, c�c �o?n script �?c h?i s? ��?c ch?y chung v?i trang web.
- Khi c�c �o?n script ��?c th?c thi, tu? v�o m?c ��ch c?a hacker, c�c �o?n script s? g?i v? cho hacker nh?ng th�ng th�ng tin nh� cookie, session token .... �?n ��y, coi nh� qu� tr?nh t?n c�ng c?a hacker �? th�nh c�ng.
2.2. Non-Persistent XSS (Reflected XSS)
Reflected XSS l� d?ng t?n c�ng th�?ng g?p nh?t trong c�c lo?i h?nh XSS. V?i Reflected XSS, hacker kh�ng g?i d? li?u �?c h?i l�n server n?n nh�n, m� g?i tr?c ti?p link c� ch?a m? �?c cho ng�?i d�ng, khi ng�?i d�ng click v�o link n�y th? trang web s? ��?c load chung v?i c�c �o?n script �?c h?i. Reflected XSS th�?ng d�ng �? �n c?p cookie, chi?m session,... c?a n?n nh�n ho�c c�i keylogger, trojan ... v�o m�y t�nh n?n nh�n.
D?ng t?n c�ng b?ng Reflected XSS ��?c m� t? nh� sau
M� h?nh m� t? d?ng t?n c�ng Reflected XSS
Nh� h?nh tr�n, ta c� th? th?y ��?c qu� tr?nh t?n c�ng nh� sau
- Tr�?c ti�n, hacker s? g?i cho n?n nh�n m?t ��?ng link c� ch?a m? �?c h?i �i k�m, v� d?
http://victim.com/index.php?id=<script>alert(document.cookie)</script>nh�ng ��?ng link tr�n s? d? khi?n n?n nh�n ch� ? v� s? nghi ng?, n�n khi g?i ��?ng link tr�n cho n?n nh�n, hacker c� th? s? m? ho� n� th�nh nh?ng k? t? l? kh� �?c, v� d?
http%3A%2F%2Fvictim.com%2Findex.php%3Fid%3D%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Enh� v?y, n?n nh�n s? kh�ng nghi ng? ��?ng link l?, v� click v�o link
- Khi n?n nh�n click v�o ��?ng link ��?c hacker g?i, tr?nh duy?t s? load trang web v� th?c thi c�c �o?n script k�m theo, sau �� g?i v? cho hacker nh?ng th�ng tin c?a n?n nh�n.
2.3. DOM-based XSS
DOM-based XSS l� m?t d?ng t?n c�ng XSS l�m thay �?i c?u tr�c c?a trang web b?ng c�ch thay �?i c?u tr�c HTML. �?i v?i d?ng t?n c�ng n�y, hacker s? ch�n c�c �o?n script nh?m l�m thay �?i giao di?n m?c �?nh c?a trang web th�nh m?t giao di?n gi?, v� d? nh� t?o ra form ��ng nh?p gi? v� d? ng�?i d�ng ��ng nh?p �? chi?m m?t kh?u c?a h?. DOM-based XSS l� m?t bi?n th? c?a Persistent XSS v� Non-Persistent XSS.
�? hi?u r? h�n v? DOM-based XSS ch�ng ta c�ng xem x�t v� d? sau:
V� d? ta c� m?t URL nh� sau http://www.victim.com/hello.php
<!DOCTYPE html>Nh� ta th?y, �o?n code tr�n d�ng �? hi?n th? n?i dung ch�o m?ng ng�?i d�ng khi ng�?i d�ng ��?c chuy?n h�?ng t?i, t�n c?a ng�?i d�ng ��?c l?y t? tham s? name tr�n URL
<html>
<body>
<?php if(isset($_GET("name"))) { echo "Hello " . $_GET["name"]; }?>
</body>
</html>
http://www.victim.com/hello.php?name=passioneryURL tr�n s? ch�o m?ng ng�?i d�ng c� t�n passionery.
M� t? d?ng t?n c�ng DOM-based XSS
Xem x�t source code c?a hello.php, ta th?y kh�ng c� s? r�ng bu?c d? li?u n�o, v? v?y, thay v? truy?n tham s? l� passionery, ta c� th? thay b?ng
<script>document.getElementById('hello').innerHTML="<label>Vui l?ng x�c nh?n l?i m?t kh?u �? ti?p t?c: </label><input type='password'/><button onclick='show()'>Submit</button>";function show(){alert('HACKED');}</script>Nh� v?y URL s? th�nh
http://www.victim.com/hello.php?name=<script>document.getElementById('hello').innerHTML="<label>Vui l?ng x�c nh?n l?i m?t kh?u �? ti?p t?c:</label><input type='password'/><button onclick='show()'>Submit</button>";function show(){alert('HACKED');}</script>Khi ��, giao di?n c?a trang web s? thay �?i th�nh
Qua v� d? tr�n ta th?y c�ch t?n c�ng c?a DOM-based XSS c?ng t��ng �?i gi?ng v?i c�ch t?n c�ng c?a Reflected XSS l� ph?i d? ng�?i d�ng click v�o link c� ch?a m? �?c �? th?c hi?n t?n c�ng. Ngo�i ra, c?ng c� th? th?y giao di?n c?a trang web c� th? b? thay �?i b?i �o?n script ��?c th�m v�o, v� sau �� n� s? th?c thi nh� l� m?t ph?n c?a trang web, nh� v?y s? l�m cho ng�?i d�ng l?m t�?ng v� hacker s? d? d�ng �?t ��?c m?c ��ch.
��?c ��ng b?i lqv5453
Ngu?n: passionery blog
Chap 19 - Nh?ng ki?n th?c c� b?n �? tr? th�nh hacker : Kh�i ni?m c� b?n v? XSS ( Cross Site Scripting)
4/
5
Oleh
Unknown
