Original URL: http: //www.e3i5.com/html/2004-6-18/2004618171625.htmhttp: //wvw.ttian.net/article/show.php id = 164 Author:? Feng Qingyang Recently, due to the Find some sites still exist of UBB cross-station script attacks. Although cross-station script attacks rarely cause some of the more affected services, for a site, there is such a vulnerability. It is too not worth it! Small Then, what is going out, change the homepage; the main page is changed; he will steal the user's cookies information, and it will gly off the browser's hard drive. A site is turned into a malicious website, who dares? If you add "blind", it is not messy. Do you really make a site so that you can see the so-called cross-station script attack? What kind of attack mode will be made. Enter a site containing UBB features, such as message board, forum, or site with submission procedures. First, tell the simplest script attack:
and other HTML characters Filtering problem. Log in to a CGI production site. Looking at the CGI site with the original ASP's eyes, I feel that the filtering of the script should be very good. So I first test. Fill
in the user column After registration, I didn't propose illegal characters. After the registration is completed, click on the information and find the page deformation. If you fill in other countries, you will have the same problem, that page can't look. Changed a site, then submit
The illegal character prompt appeared, it seems that the site is the <> other HTML script characters that have been filtered, that's fine, we use the ASCII code to replace <> like & # 60; & # 62 After instead of submission, then there has been the case of the above page deformation. It seems that the illegal filtering mechanism is not very perfect. What is even, I found that there is no word size when I have a name bar in a site, no filtering any Illegal characters, if I submit something malicious code, I still don't fulfill me? Simple script attacks such as
