xss實戰
TRANSCRIPT
![Page 1: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/1.jpg)
XSS攻擊
![Page 2: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/2.jpg)
講者簡介⼤大同⼤大學.資⼯工3年⽣生
TDOHacker.幹部
![Page 3: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/3.jpg)
先來點前置技能
JavaScript
Javascript跟Java的關係就像熱狗跟狗⼀一樣
![Page 4: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/4.jpg)
先來點前置技能
JavaScript
Javascript跟Java的關係就像熱狗跟狗⼀一樣
沒有關係
![Page 5: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/5.jpg)
Javascript基礎
alert
console.log
![Page 6: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/6.jpg)
Live Demo 因為沒有環境
所以就算了(被毆打)
![Page 7: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/7.jpg)
再來點前置技能
Cookie
![Page 8: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/8.jpg)
Cookie
Cookie是⽤用來驗證網⾴頁上的使⽤用者
PHPSESSION
ASPSESSION
JSESSION
![Page 9: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/9.jpg)
Cookie - 實例
噓~知道的不要講
![Page 10: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/10.jpg)
![Page 11: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/11.jpg)
回歸正題
![Page 12: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/12.jpg)
XSS
全名:Cross-Site Scripting(跨站指令碼攻擊)
危害:中等(VulReport評等)
作⽤用:可竄改網⾴頁內容、︑進⾏行網⾴頁操作、︑偷取Cookie
常⾒見區域:網⾴頁留⾔言板、︑登入畫⾯面等
![Page 13: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/13.jpg)
Live Demo 因為沒有環境
所以就算了(被毆打)
![Page 14: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/14.jpg)
XSS 進階⼿手法
String.formCharCode()、︑eval()
img、︑body、︑svg
SELF XSS
![Page 15: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/15.jpg)
Live Demo 因為沒有環境
所以就算了(被毆打)
![Page 16: xss實戰](https://reader033.vdocuments.mx/reader033/viewer/2022042716/55adc2721a28ab11548b4750/html5/thumbnails/16.jpg)
如何防範XSS︖?
盡量避免讓使⽤用者輸入的資料顯⽰示在畫⾯面上
在必要的輸出時,⼀一定要進⾏行過濾
htmlentities()
以IPS防禦時應注意規則