
Cyber attacks: what they are, how they work, their purpose and how to prevent them: XSS bugs that can lead to a complete system takeover

Today we look at a set of Cross Site Scripting (XSS) vulnerabilities found in some open source applications that can lead to remote code execution.

Cybersecurity experts have published details of three cross-site scripting (XSS) vulnerabilities in popular open source applications that could lead to remote code execution (RCE).

A classic XSS attack allows a threat actor's JavaScript code to be executed in the victim's web browser, which opens the door to cookie theft, redirection to a phishing site, and much more.

Let us now look at the vulnerabilities that were found

Cross-Site Scripting (XSS) is one of the most widespread attacks on web applications. If a threat actor can inject JavaScript code into the application's output, the result is not just stolen cookies: in some cases it leads to a complete compromise of the system.
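The root cause described above, shown as an added example in PHP (the language the CMS and forum software discussed here are written in); this is not code from the page or from any of the projects named, and the page, function names and sample input are constructed for illustration. The vulnerable function copies user input straight into HTML output; the hardened one encodes it for the context it lands in, with a CSP header as defence in depth.

```php
<?php
// Added example, not code from the article or from Evolution CMS, FUDforum or GitBucket.
// Demonstrates the XSS root cause (user input copied into HTML output) and the fix.

// Vulnerable: the search term is echoed back without encoding, so a value such as
// <script>...</script> or "><img src=x onerror=...> is rendered as live markup.
function render_search_vulnerable(string $term): string
{
    return "<p>Results for: {$term}</p>";
}

// Hardened: HTML-encode the value for the HTML-text context it is placed in.
// ENT_QUOTES also encodes ' and ", ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently emptying the output, and the explicit charset avoids encoding mismatches.
function render_search_safe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Results for: {$encoded}</p>";
}

// Data handed to a script needs JavaScript-context encoding, not HTML encoding:
// these json_encode flags turn <, >, &, ' and " into \uXXXX escapes, so a
// "</script>" inside the data cannot close the script element early.
function render_json_for_script(array $data): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var pageData = ' . json_encode($data, $flags) . ';</script>';
}

// Defence in depth: a CSP that forbids inline script, so a single missed encoding
// cannot run injected code. Must be sent before any output. Assumes the page has
// no legitimate inline scripts (otherwise add a nonce or hash to script-src).
if (!headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample input in the shape used in stored-XSS reports.
$sample = '<script>alert(document.cookie)</script>';
echo render_search_vulnerable($sample), PHP_EOL;        // script tag survives intact
echo render_search_safe($sample), PHP_EOL;              // shown as text: &lt;script&gt;...
echo render_json_for_script(['q' => $sample]), PHP_EOL; // \u003Cscript\u003E... inside the JSON
```

The same rule applies to every place an application reflects or stores user-controlled data (usernames, repository names, forum posts, search terms): choose the encoder by output context, never by trusting the input.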

Evolution CMS v3.1.8

The first vulnerability, in Evolution CMS v3.1.8, allows a cybercriminal to launch a reflected XSS attack in various places in the administration section. Aleksey Solovev says that, in the event of a successful attack on an authorized administrator of the system, the index.php file is overwritten with the code the attacker placed in the payload.

FUDForum v3.1.1

The second vulnerability, found in FUDForum v3.1.1, could allow a cybercriminal to launch a stored XSS attack. Aleksey Solovev says FUDforum is a super fast and scalable discussion forum. It is highly customizable and supports unlimited members, forums, posts, topics, polls and attachments.

The FUDforum admin panel has a file manager that allows files to be uploaded to the server, including files with a PHP extension. An attacker can use the stored XSS to upload a PHP file that can execute any command on the server.

Bitbucket v4.37.1

In the most recent vulnerability, in Bitbucket v4.37.1, a security flaw was found that could allow an attacker to launch a stored XSS attack in various places. Aleksey Solovev says that, with a stored XSS attack available, one could try to use it to execute code on the server. The admin panel has tools for running SQL queries.

GitBucket uses the H2 Database Engine by default. For this database, there is a publicly available exploit to achieve remote code execution. So all an attacker needs to do is create PoC code based on this exploit, upload it to the repository and run it during the attack.

How to prevent these vulnerabilities

Always keep your open source platform up to date and apply any patches immediately.

Ask for advice, an analysis and an assessment of how you protect your system.


In previous weeks we covered the following Cyber Security topics:

  1. Man in the Middle attack
  2. Malware
  3. Phishing and spear phishing
  4. Interception attacks
  5. Drive-by attacks
  6. Cross site scripting (XSS)
  7. SQL Injection attack
  8. An example of malware distribution
  9. Google Drive and Dropbox: the target of APT29, the Russian criminal group
  10. Password attacks
  11. Cyber Attack Trends: Report for the first half of 2022 - Check Point Software

Ercole Palmeri: Innovation is addictive
