
XSS Attack

I. Some attack techniques and forms


- In inputs (textbox, textarea, ...), instead of entering a username, password, comment, ...,
we enter pieces of JS or HTML code such as the following:
+ Show an alert to the user:
<script> alert( 'hello' ); </script>
+ Change elements across the whole displayed site by using the DOM, for example:
change the href attribute of all <a> tags to redirect to a different address.
+ Change the entire content of the web page:
<script> document.write( 'I am Quy' ); </script>
+ Change the action attribute of forms so that the form data is sent to a different
action file belonging to the attacker, who collects this data.
<script>
document.forms[0].action = 'fakelogin.php';
</script>
So some of the harms are:
+ Changing how the web page is displayed.
+ Taking data entered by other users: username, pass, ...
+ Changing the events that fire when the user clicks, hovers, ...

II. Purposes of an XSS attack


- XSS does not attack the website; it attacks the user.
- Some purposes:
+ Cookie: the hacker can inject malicious scripts to take the user's cookie, and the hacker
will use this cookie to forge the access session, or take the sensitive data in
this cookie.
+ Keylogging: the hacker records the user's keystrokes by using
addEventListener event listeners and sends them to the hacker to exploit, obtaining information such as
passwords, bank account numbers, ...
+ Phishing: the hacker can change the website's interface to deceive users, creating
fake login forms to steal passwords, ...
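
The payloads in section I run only when the site writes input back into the page as markup, and the cookie theft in section II depends on script being able to read the session cookie. The following is an added example, not part of the original page (all function names are hypothetical, and the benign comment and session value are constructed): it shows a vulnerable template beside its output-encoded form using the page's own payloads, plus a session cookie header marked HttpOnly.

```javascript
// Added example, not from the original page. All names are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: input is concatenated into markup, so <script> stays a tag.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// Hardened: same template, but the input is encoded and stays text.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// HttpOnly keeps the cookie out of document.cookie; Secure and SameSite
// limit where the browser sends it.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// True when the rendered markup still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Inputs: two payloads quoted from the page, one constructed benign comment.
const SAMPLE_INPUTS = [
  "<script> alert( 'hello' ); </script>",
  "<script> document.write( 'I am Quy' ); </script>",
  'Tom & Jerry <3',
];

for (const input of SAMPLE_INPUTS) {
  const unsafe = renderCommentUnsafe(input);
  const safe = renderCommentSafe(input);
  console.log('unsafe has <script>:', containsScriptTag(unsafe));
  console.log('safe   has <script>:', containsScriptTag(safe), '->', safe);
}
// Constructed session value, for illustration only.
console.log('Set-Cookie:', sessionCookieHeader('sid', 'constructed-sample-value'));
```

Encoding is applied at output time, so legitimate text containing `&` or `<` is still displayed to the reader exactly as typed.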
