vbscript registry write
XSS Cross Site Scripting ways. XSS is a technique for hacking Web applications. Allows the user to make an attack damage. It is a term that means all pages sites that allow the user to provide some data that can change the page to the viewer. The code is vulnerable an XSS when used in parameter input current HTML output returned.
Hits:
The first thing of concern is – what an attacker might try to obtain using XSS?
1. The theft of accounts or services: The first thing that comes to mind when XSS cookie theft and account hijacking. You can use the cookie removal account. This occurs when the cookie is used to contain all the information for verification in the client side and not stored on the server.
2. User tracking / Static: Using XSS is possible to obtain information about a user in the population of Web sites.
3. Browser / Operating Username: XSS exploitation also provides alert venerable scripts. An alert box is a simple example of such attacks fall into the category of Users of the farm.
4. Misinformation powers: Once the ActiveX Script in a browser can do what he / she may want with the content pages. If this confidence is a great site, this could be very dangerous. Disinformation is just a minor key and a quick tour horizon of thought.
5. The dissemination of free information: You can send unwanted email (e-mail garbage) by XSS vulnerable site to register a URL produced in some message board and a message very small businesses can be included in the URL itself. Again, the person should also not worry about exposing your web hosting account.
6. Other: There are several ways to operate because they are aggressors. They can use a XSS vulnerable sites large user base chewing bandwidth smaller sites.
Injection:
The important question that we believe to be the site where people can fall prey to the application?
The best way to function is the parameter passed by the argument query string that is written directly to the page. It is an active XSS attack.
But the danger is passive XSS attacks. If you are able to publish Active Scripting in your message, or to display the page of this script to run automatically without your knowledge.
Some sites are vulnerable to this attack are invited book, HTML chat room, message boards, discussion forums, etc..
Here some techniques to hit the Web application using XSS …
1. know the importance of nested appointments can escape quotes in this string like this "or" unable to use even equilivents unicode u0022 andu0027.
2. SSL (Secure Socket Layer) warn if script pages from the site is suspect, but if there is anything that I can upload as an image or article that is true. js script then you can ignore this warning because script src = file. jpg.
3. You can read the contents of pages with Java script using Internet Explorer and can also change the page.
4. We can go into a database that includes valid data for this area and HTML and Java script.
Remedy:
Now we consider the solution of this problem. XSS force is relatively easy to handle. You can filter the character of contributions received from the user.
Citing the chain ensures that the user can not escape the attribute of the element and inserts its own event handlers
Protocol must be verified and should be denied anything that is not explicitly http://. We must not allow file: / / protocol links or images and javascript: / /, and VBScript: / /.
We must reject the URL you? Or refer to a server script. This would deny users the possibility of error in the web surfers. The danger of what could be the collection statistics on users and the site and the user to follow through the pages of their referents.
But prevention is totally passive XSS different. We all know that HTML is a language very dynamic and fluid. It allows the site to be the most advanced and colorful as is. But sometimes it becomes the reason for this nightmare: how to filter this? So the best way of prevention is that we must give permission for it to user can not use any HTML code in your data.
Final:
We can not allow our server XSS attack. It must be because the customer loses his credit card, your account is managed … the best way to solve this problem is to disable the Visual Basic script and the Java script in the browser …
