13. [Internal use]
Major website security vulnerabilities and incidents in recent years
Google (04 Jul., XSS): Account leakage
Consequences: Leakage of customer data
Paypal (16 Jun., XSS): Account leakage, business loss
Consequences: Leakage of customer data and financial loss
Myspace (16 Jul., XSS): Account leakage
World's No.1 most visited website with 70M members
Consequences: Leakage of customer data
Netscape.com (26 Jul., XSS): Business loss
Netscape introduced its Digg.com-style service and offered a $1,000 conversion reward
Consequences: Customers redirected to a competitor's website!
Sourceforge got hacked by XSS (09 Apr.): Tainted repository
Consequences: Hosting a tainted repository
Many others:
Hotmail (XSS), Yahoo Mail (XSS), ICQ (XSS)
25.
Practical case: looking up a card number by name
• When "Smith" is entered, the records in the database that match Smith are displayed on the page
• Can he also see others' credit card numbers?
• It's not easy to guess the names one by one though…
26.
SQL injection using the OR 1=1 idea
• SELECT * FROM user_data WHERE last_name='Smith' OR '1'='1'--'
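Added example (not from the original slides): the name lookup above built by string concatenation, so the slide's input Smith' OR '1'='1'-- turns the WHERE clause into a tautology and returns every card, beside the same lookup with a bound parameter, where the input stays plain data. The table and rows are constructed; the column names are assumptions, since the slides do not show the schema.

```python
import sqlite3

# Constructed sample data standing in for the slides' user_data table.
# Column names are assumptions; the card numbers are fake placeholders.
SAMPLE_ROWS = [
    ("Smith", "4111-XXXX-XXXX-1111"),
    ("Jones", "4222-XXXX-XXXX-2222"),
    ("Lee",   "4333-XXXX-XXXX-3333"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (last_name TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The slide's query shape: user input pasted straight into the SQL text.

    With last_name = "Smith' OR '1'='1'--" the statement becomes
    SELECT ... WHERE last_name='Smith' OR '1'='1'--'
    and the trailing quote is swallowed by the -- comment, so every row matches.
    """
    sql = ("SELECT last_name, cc_number FROM user_data "
           "WHERE last_name='" + last_name + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, last_name):
    """Same lookup with a bound parameter: the driver sends the input as a
    value, never as SQL syntax, so the OR '1'='1' text matches no last name."""
    sql = "SELECT last_name, cc_number FROM user_data WHERE last_name=?"
    return conn.execute(sql, (last_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "Smith' OR '1'='1'--"
    print("vulnerable, 'Smith':", lookup_vulnerable(db, "Smith"))
    print("vulnerable, payload:", lookup_vulnerable(db, payload))
    print("parameterized, 'Smith':", lookup_parameterized(db, "Smith"))
    print("parameterized, payload:", lookup_parameterized(db, payload))
```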