- Ti cc input ( textbox, textarea, ) thay v nhp cc username, password, cmt, ta s nhp vo cc on code js, html nh sau: + To ra mt alert cho ngi dng : <script> alert( 'hello' ); </script> + Thay i cc phn t trong ton b site ang hin th bng cch s dng DOM: v d: thay i thuc tnh href ca tt c cc th <a> redirect n mt address khc. + Thay i ton b ni dung trang web: <script> document.write( 'I am Quy' ); </script> + Thay i thuc tnh action ca cc form d liu form c chuyn n mt file action khc ca attacker ly cc d liu ny. <script> document.form[0].action = 'fakelogin.php'; </script> Nh vy mt s tc hi : + Thay i cch hin th ca trang web. + Ly d liu c nhp t user khc: username, pass, + Thay i cc s kin khi ngi dng click, hover, ... -
II. Mc ch tn cng XSS
- XSS ko tn cng website m l tn cng ngi dng. - Mt s mc ch: + Cookie: hacker c th chn cc on script c hi ly cookie ca user v hacker s s dng cookie ny gi mo phin truy cp, hoc ly cc data nhy cm trong cookie ny. + Keylogging: hacker s ghi li cc thao tc g phm ca ngoi dng bng cch s dng s kin addEventListener v gi cho hacker khai thc, ly cc thng tin v pass, m s ti khon ngn hng, + Phishing: hacker c th thay i giao din website nh la ngi dng, to ra