???????γ????????????????????????????
??????????????????????????????(???????????????? ??:?????????????????????????У??)???м??????????????Σ??????? ?????????????????????????й???????????.
??????????????????????????????(????????)????????????????????????????????????У??????????????????м?????????????????????????????:
?????????????????????FIELD???????????????????Χ(?????????????????????)
?????????????????????????漲???????????????????Χ?????ó???????????????κδ????????????????????.
???????????в????????У?????????????????????????в???.
????2.Cross-site scripting(XSS):(???????????)
????(1)??ν???XSS?????
???????????????в????????URL???? ?????棬??????棬??????????????? ??????
??????Σ??????????????????????(??:Javascript??VB script?? HTML??ActiveX?? Flash)?????в????
????<script>alert(document.cookie)</script>
?????????????? ??????????????????????????????????cookie??????????????????XSS?????
?????????????????????????????????????????????ξ?????????????????????????????????cookie???????????? ????????????????????????????????????????
????(2)??????XSS????
????????ó???????????????????????????:
??????Javascript??VB script?? HTML??ActiveX?? Flash?? ?????????????.
?????? ?????????????????????????(??????????????????:?????????????????????????У??)???м??????????????Σ?????????????????????????? ??????й???????????.
??????????????????????????????????в??????????????????XSS???:
????????????????ж?????????????????????????????? ???Χ????????????????????HTML???????????????塣
??????в????????????????????м?顣
????3.CSRF:(?????α??????)
????CSRF???????????????????XSS??????????XSS??????????????????????????
????XSS???????????????????????CSRF?????α???????????????????????????????ε??????
????XSS????CSRF??????????????????????????????SESSION ?? COOKIES??
????(1)??ν???CSRF?????
????????????????????????????м?顣
????(2)??????CSRF?????
???????????????????
????4.Email Header Injection(?????????)
????Email Header Injection???????????????email??????п??????“subject”???????????????????????subject?????escape??“ ”?????
???????“ ”?????У??????subject??????“hello cc:spamvictim@example.com”????????γ?????
????Subject: hello
????cc: spamvictim@example.com
???????????????????????subject???????????????????????????????????????? ???????????????
????5.Directory Traversal(??????)
??????1????ν??????????????
??????????????????????????????й???????????“../”??“./”?????????????????????????????????????????????????????????????
???????????????URL???????????????“../”??“./”??????????ESCAPE??????Щ?????????
??????2????????????????
????????Web?????????????????
?????? ????????????????????????????·??
????6.exposed error messages(???????)
??????1????ν??в????
?????? ??????Щ??????棬????404????500??檔
????????????δ???????????£??????????????????????????“????????治?? ??”?????????????Щ???????
??????2??????????
??????????????????????????????????? ????????飬?????????????????????????????????????????