SQL cho ph\u00e9p giao ti\u1ebfp v\u1edbi d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef trong c\u01a1 s\u1edf d\u1eef li\u1ec7u, d\u00f9 ch\u00fang \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef c\u1ee5c b\u1ed9 hay \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef tr\u00ean c\u00e1c m\u00e1y ch\u1ee7 web t\u1eeb xa. Ng\u00f4n ng\u1eef n\u00e0y cho ph\u00e9p ch\u00fang ta tr\u00edch xu\u1ea5t v\u00e0 s\u1eeda \u0111\u1ed5i th\u00f4ng tin b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng c\u00e1c script ho\u1eb7c ch\u01b0\u01a1ng tr\u00ecnh nh\u1ecf. Nhi\u1ec1u m\u00e1y ch\u1ee7 l\u01b0u tr\u1eef th\u00f4ng tin cho c\u00e1c d\u1ecbch v\u1ee5 ho\u1eb7c \u1ee9ng d\u1ee5ng ph\u1ee5 thu\u1ed9c v\u00e0o SQL.<\/p>\n\n\n\n
Nh\u01b0 OPSWAT gi\u1ea3i th\u00edch, m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng SQL injection nh\u1eafm v\u00e0o c\u00e1c m\u00e1y ch\u1ee7 n\u00e0y, s\u1eed d\u1ee5ng m\u00e3 \u0111\u1ed9c h\u1ea1i \u0111\u1ec3 tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u \u0111\u00e3 l\u01b0u. T\u00ecnh hu\u1ed1ng n\u00e0y c\u00f3 th\u1ec3 tr\u1edf n\u00ean \u0111\u1eb7c bi\u1ec7t \u0111\u00e1ng lo ng\u1ea1i n\u1ebfu d\u1eef li\u1ec7u l\u01b0u tr\u1eef bao g\u1ed3m th\u00f4ng tin kh\u00e1ch h\u00e0ng ri\u00eang t\u01b0, ch\u1eb3ng h\u1ea1n nh\u01b0 s\u1ed1 th\u1ebb t\u00edn d\u1ee5ng, t\u00ean ng\u01b0\u1eddi d\u00f9ng, m\u1eadt kh\u1ea9u ho\u1eb7c th\u00f4ng tin m\u1eadt.<\/p>\n\n\n\n M\u1ed9t s\u1ed1 v\u00ed d\u1ee5 ph\u1ed5 bi\u1ebfn v\u1ec1 SQL injection bao g\u1ed3m:<\/p>\n\n\n\n Trong lo\u1ea1i t\u1ea5n c\u00f4ng m\u1ea1ng n\u00e0y, ng\u01b0\u1eddi d\u00f9ng l\u00e0 m\u1ee5c ti\u00eau thay v\u00ec m\u00e1y ch\u1ee7, v\u00ec cu\u1ed9c t\u1ea5n c\u00f4ng \u0111\u01b0\u1ee3c th\u1ef1c thi trong tr\u00ecnh duy\u1ec7t c\u1ee7a ng\u01b0\u1eddi d\u00f9ng khi h\u1ecd truy c\u1eadp v\u00e0o \u0111\u00f3, kh\u00f4ng ph\u1ea3i tr\u00ean ch\u00ednh m\u00e1y ch\u1ee7. M\u1ed9t ph\u01b0\u01a1ng ph\u00e1p cho c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng cross-site nh\u01b0 v\u1eady l\u00e0 ti\u00eam m\u00e3 \u0111\u1ed9c v\u00e0o m\u1ed9t b\u00ecnh lu\u1eadn ho\u1eb7c k\u1ecbch b\u1ea3n ch\u1ea1y t\u1ef1 \u0111\u1ed9ng. C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng cross-site scripting c\u00f3 th\u1ec3 l\u00e0m t\u1ed5n h\u1ea1i nghi\u00eam tr\u1ecdng \u0111\u1ebfn uy t\u00edn c\u1ee7a m\u1ed9t trang web b\u1eb1ng c\u00e1ch x\u00e2m ph\u1ea1m th\u00f4ng tin ng\u01b0\u1eddi d\u00f9ng m\u00e0 kh\u00f4ng \u0111\u1ec3 l\u1ea1i d\u1ea5u v\u1ebft hay ch\u1ec9 d\u1eabn c\u1ee7a ho\u1ea1t \u0111\u1ed9ng \u0111\u1ed9c h\u1ea1i.<\/p>\n\n\n\n Cross-site scripting (XSS) l\u00e0 m\u1ed9t h\u00ecnh th\u1ee9c t\u1ea5n c\u00f4ng m\u1ea1ng, trong \u0111\u00f3 nh\u1eefng k\u1ebb x\u1ea5u ti\u00eam m\u1ed9t \u0111o\u1ea1n m\u00e3 \u0111\u1ed9c h\u1ea1i v\u00e0o m\u1ed9t trang web, sau \u0111\u00f3 \u0111o\u1ea1n m\u00e3 n\u00e0y \u0111\u01b0\u1ee3c x\u1eed l\u00fd v\u00e0 th\u1ef1c thi. Cu\u1ed9c t\u1ea5n c\u00f4ng n\u00e0y th\u01b0\u1eddng d\u1ef1a v\u00e0o s\u1ef1 tin t\u01b0\u1edfng c\u1ee7a trang web \u0111\u1ed1i v\u1edbi d\u1eef li\u1ec7u \u0111\u1ea7u v\u00e0o c\u1ee7a ng\u01b0\u1eddi d\u00f9ng v\u00e0 bao g\u1ed3m vi\u1ec7c g\u1eedi m\u1ed9t URL ch\u1ee9a payload \u0111\u1ed9c h\u1ea1i t\u1edbi ng\u01b0\u1eddi d\u00f9ng m\u1ee5c ti\u00eau. M\u1ee5c ti\u00eau ch\u00ednh c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng XSS l\u00e0 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u c\u00e1 nh\u00e2n, cookie phi\u00ean v\u00e0 s\u1eed d\u1ee5ng c\u00e1c k\u1ef9 thu\u1eadt k\u1ef9 x\u1ea3o x\u00e3 h\u1ed9i, b\u00ean c\u1ea1nh c\u00e1c m\u1ee5c ti\u00eau kh\u00e1c. C\u00f3 ba lo\u1ea1i t\u1ea5n c\u00f4ng XSS ch\u00ednh, v\u00e0 ch\u00fang ta s\u1ebd c\u00f9ng th\u1ea3o lu\u1eadn t\u1eebng lo\u1ea1i v\u00e0 c\u00e1c b\u01b0\u1edbc c\u1ea7n thi\u1ebft \u0111\u1ec3 b\u1ea3o v\u1ec7 m\u00ecnh kh\u1ecfi ch\u00fang:<\/p>\n\n\n\n K\u1ec3 t\u1eeb khi ph\u00e1t hi\u1ec7n ra l\u1ed7 h\u1ed5ng ban \u0111\u1ea7u, \u0111\u00e3 c\u00f3 nhi\u1ec1u nghi\u00ean c\u1ee9u s\u00e2u r\u1ed9ng trong l\u0129nh v\u1ef1c n\u00e0y. Khi c\u00e1c ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh ph\u00e1t tri\u1ec3n, c\u00e1c ph\u01b0\u01a1ng ph\u00e1p m\u1edbi \u0111\u1ec3 khai th\u00e1c Cross-Site Scripting xu\u1ea5t hi\u1ec7n, do s\u1ef1 \u0111a d\u1ea1ng c\u1ee7a c\u00e1c ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh v\u00e0 c\u00e1ch ti\u1ebfp c\u1eadn ph\u00e1t tri\u1ec3n web. M\u1ed9t v\u00ed d\u1ee5 th\u00fa v\u1ecb l\u00e0 JSFuck, m\u1ed9t phong c\u00e1ch l\u1eadp tr\u00ecnh ch\u1ec9 s\u1eed d\u1ee5ng s\u00e1u k\u00fd t\u1ef1 v\u00e0 c\u00f3 th\u1ec3 t\u1ea1o ra v\u00e0 th\u1ef1c thi m\u00e3 JavaScript v\u1edbi s\u1ed1 l\u01b0\u1ee3ng k\u00fd t\u1ef1 t\u1ed1i thi\u1ec3u, d\u1ef1a tr\u00ean ch\u00ednh ng\u00f4n ng\u1eef JavaScript. Vi\u1ec7c xem x\u00e9t phong c\u00e1ch l\u1eadp tr\u00ecnh n\u00e0y l\u00e0 \u0111i\u1ec1u c\u1ea7n thi\u1ebft khi x\u00e2y d\u1ef1ng c\u00e1c chi\u1ebfn l\u01b0\u1ee3c gi\u1ea3m thi\u1ec3u m\u1ecdi h\u00ecnh th\u1ee9c Cross-Site Scripting.<\/p>\n\n\n C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng n\u00e0y li\u00ean quan \u0111\u1ebfn vi\u1ec7c l\u00e0m ng\u1eadp m\u1ed9t trang web b\u1eb1ng l\u01b0u l\u01b0\u1ee3ng truy c\u1eadp, khi\u1ebfn m\u00e1y ch\u1ee7 c\u1ee7a n\u00f3 b\u1ecb qu\u00e1 t\u1ea3i v\u1edbi c\u00e1c y\u00eau c\u1ea7u v\u00e0 kh\u00f4ng th\u1ec3 hi\u1ec3n th\u1ecb n\u1ed9i dung cho ng\u01b0\u1eddi d\u00f9ng. Trong nhi\u1ec1u tr\u01b0\u1eddng h\u1ee3p, c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng m\u1ea1ng n\u00e0y \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n \u0111\u1ed3ng th\u1eddi b\u1edfi nhi\u1ec1u m\u00e1y t\u00ednh, l\u00e0m cho ch\u00fang tr\u1edf n\u00ean \u0111\u1eb7c bi\u1ec7t kh\u00f3 kh\u0103n \u0111\u1ec3 \u0111\u1ed1i ph\u00f3. K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 xu\u1ea5t ph\u00e1t t\u1eeb nhi\u1ec1u \u0111\u1ecba ch\u1ec9 IP kh\u00e1c nhau tr\u00ean to\u00e0n c\u1ea7u, l\u00e0m ph\u1ee9c t\u1ea1p th\u00eam vi\u1ec7c x\u00e1c \u0111\u1ecbnh ngu\u1ed3n g\u1ed1c ti\u1ec1m \u1ea9n.<\/p>\n\n\n\n Cu\u1ed9c t\u1ea5n c\u00f4ng m\u1ea1ng n\u00e0y nh\u1eb1m v\u00e0o vi\u1ec7c l\u00e0m v\u00f4 hi\u1ec7u h\u00f3a m\u1ed9t h\u1ec7 th\u1ed1ng, \u1ee9ng d\u1ee5ng ho\u1eb7c m\u00e1y m\u00f3c, c\u1ea3n tr\u1edf d\u1ecbch v\u1ee5 d\u1ef1 \u0111\u1ecbnh c\u1ee7a n\u00f3. Cu\u1ed9c t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 nh\u1eafm v\u00e0o ngu\u1ed3n th\u00f4ng tin (v\u00ed d\u1ee5: m\u1ed9t \u1ee9ng d\u1ee5ng), k\u00eanh truy\u1ec1n th\u00f4ng ho\u1eb7c m\u1ea1ng m\u00e1y t\u00ednh. C\u00e1c m\u00e1y ch\u1ee7 web c\u00f3 kh\u1ea3 n\u0103ng h\u1ea1n ch\u1ebf trong vi\u1ec7c x\u1eed l\u00fd c\u00e1c y\u00eau c\u1ea7u ho\u1eb7c k\u1ebft n\u1ed1i ng\u01b0\u1eddi d\u00f9ng; v\u01b0\u1ee3t qua gi\u1edbi h\u1ea1n n\u00e0y c\u00f3 th\u1ec3 l\u00e0m ch\u1eadm ho\u1eb7c d\u1eebng ph\u1ea3n h\u1ed3i c\u1ee7a m\u00e1y ch\u1ee7, c\u00f3 th\u1ec3 g\u00e2y ra s\u1ef1 ng\u1eaft k\u1ebft n\u1ed1i. Denial of Service (DoS) v\u00e0 Distributed Denial of Service (DDoS) l\u00e0 hai k\u1ef9 thu\u1eadt \u0111\u1ec3 th\u1ef1c hi\u1ec7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng nh\u01b0 v\u1eady. S\u1ef1 kh\u00e1c bi\u1ec7t ch\u00ednh l\u00e0 s\u1ed1 l\u01b0\u1ee3ng m\u00e1y t\u00ednh ho\u1eb7c IP tham gia v\u00e0o cu\u1ed9c t\u1ea5n c\u00f4ng.<\/p>\n\n\n\n Trong c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng DoS, nhi\u1ec1u y\u00eau c\u1ea7u \u0111\u1ebfn d\u1ecbch v\u1ee5 xu\u1ea5t ph\u00e1t t\u1eeb c\u00f9ng m\u1ed9t m\u00e1y ho\u1eb7c \u0111\u1ecba ch\u1ec9 IP, l\u00e0m ti\u00eau t\u1ed1n t\u00e0i nguy\u00ean \u0111\u01b0\u1ee3c cung c\u1ea5p. Cu\u1ed1i c\u00f9ng, d\u1ecbch v\u1ee5 tr\u1edf n\u00ean qu\u00e1 t\u1ea3i v\u00e0 b\u1eaft \u0111\u1ea7u t\u1eeb ch\u1ed1i y\u00eau c\u1ea7u, d\u1eabn \u0111\u1ebfn vi\u1ec7c t\u1eeb ch\u1ed1i d\u1ecbch v\u1ee5. C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng DDoS, m\u1eb7t kh\u00e1c, li\u00ean quan \u0111\u1ebfn nhi\u1ec1u m\u00e1y t\u00ednh ho\u1eb7c \u0111\u1ecba ch\u1ec9 IP \u0111\u1ed3ng th\u1eddi nh\u1eafm v\u00e0o c\u00f9ng m\u1ed9t d\u1ecbch v\u1ee5. C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng DDoS kh\u00f3 ph\u00e1t hi\u1ec7n h\u01a1n v\u00ec c\u00e1c y\u00eau c\u1ea7u \u0111\u1ebfn t\u1eeb c\u00e1c IP kh\u00e1c nhau, khi\u1ebfn cho qu\u1ea3n tr\u1ecb vi\u00ean kh\u00f4ng th\u1ec3 ch\u1eb7n \u0111\u1ecba ch\u1ec9 IP y\u00eau c\u1ea7u nh\u01b0 h\u1ecd c\u00f3 th\u1ec3 l\u00e0m trong c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng DoS.<\/p>\n\n\n\n M\u00e1y t\u00ednh tham gia v\u00e0o m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng DDoS \u0111\u01b0\u1ee3c tuy\u1ec3n d\u1ee5ng th\u00f4ng qua vi\u1ec7c nhi\u1ec5m ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, bi\u1ebfn ch\u00fang th\u00e0nh bot ho\u1eb7c zombie m\u00e0 t\u1ed9i ph\u1ea1m m\u1ea1ng c\u00f3 th\u1ec3 \u0111i\u1ec1u khi\u1ec3n t\u1eeb xa. M\u1ed9t nh\u00f3m bot, t\u1ee9c l\u00e0 c\u00e1c m\u00e1y t\u00ednh b\u1ecb nhi\u1ec5m c\u00f9ng m\u1ed9t ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, t\u1ea1o th\u00e0nh m\u1ed9t m\u1ea1ng bot \u0111\u01b0\u1ee3c g\u1ecdi l\u00e0 m\u1ea1ng l\u01b0\u1edbi zombie. M\u1ea1ng l\u01b0\u1edbi n\u00e0y c\u00f3 kh\u1ea3 n\u0103ng v\u01b0\u1ee3t tr\u1ed9i trong vi\u1ec7c l\u00e0m qu\u00e1 t\u1ea3i c\u00e1c m\u00e1y ch\u1ee7 so v\u1edbi m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng th\u1ef1c hi\u1ec7n b\u1edfi m\u1ed9t m\u00e1y t\u00ednh duy nh\u1ea5t.<\/p>\n\n\n\n K\u1ebft lu\u1eadn<\/strong><\/p>\n\n\n\n Do \u0111\u00f3, d\u1ef1a tr\u00ean th\u00f4ng tin \u0111\u00e3 n\u00eau tr\u00ean, c\u00e1c m\u1ed1i \u0111e d\u1ecda m\u1ea1ng hi\u1ec7n t\u1ea1i bao g\u1ed3m Malware, Ransomware, Virus, Worms, Trojan, Denial of Service, Rootkits, Phishing, Spyware, Adware v\u00e0 c\u00e1c s\u1ef1 k\u1ebft h\u1ee3p c\u1ee7a ch\u00fang \u0111\u01b0\u1ee3c h\u1ed7 tr\u1ee3 b\u1edfi c\u00e1c c\u01a1 ch\u1ebf t\u1ea5n c\u00f4ng m\u1ea1ng kh\u00e1c nhau. <\/p>\n\n\n\n C\u00e1c lo\u1ea1i t\u1ea5n c\u00f4ng n\u00e0y th\u01b0\u1eddng ph\u1ee5 thu\u1ed9c v\u00e0o nhau, s\u1eed d\u1ee5ng nhi\u1ec1u k\u1ef9 thu\u1eadt trong m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng duy nh\u1ea5t. V\u00ed d\u1ee5, m\u1ed9t Trojan c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c tri\u1ec3n khai \u0111\u1ec3 b\u1eaft \u0111\u1ea7u m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng DDoS sau n\u00e0y, trong khi m\u1ed9t Rootkit c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c th\u1ef1c thi sau khi thu th\u1eadp \u0111\u01b0\u1ee3c m\u1eadt kh\u1ea9u th\u00f4ng qua phishing.<\/p>\n\n\n\n Do \u0111\u00f3, d\u1ef1a tr\u00ean th\u00f4ng tin \u0111\u00e3 n\u00eau tr\u00ean, c\u00e1c m\u1ed1i \u0111e d\u1ecda m\u1ea1ng hi\u1ec7n t\u1ea1i bao g\u1ed3m Malware, Ransomware, Virus, Worms, Trojan, Denial of Service, Rootkits, Phishing, Spyware, Adware v\u00e0 c\u00e1c s\u1ef1 k\u1ebft h\u1ee3p c\u1ee7a ch\u00fang \u0111\u01b0\u1ee3c h\u1ed7 tr\u1ee3 b\u1edfi c\u00e1c c\u01a1 ch\u1ebf t\u1ea5n c\u00f4ng m\u1ea1ng kh\u00e1c nhau.<\/p>","protected":false},"excerpt":{"rendered":"![\"T\u1ea5n](\"http:\/\/securitybriefing.net\/wp-content\/uploads\/2023\/04\/common-SQL-injection.jpg\")
<\/figure>\n\n\n\n\n
T\u1ea5n c\u00f4ng Xuy\u00ean trang (XSS)<\/strong><\/h2>\n\n\n
![\"T\u1ea5n](\"http:\/\/securitybriefing.net\/wp-content\/uploads\/2023\/04\/Cross-Site-Scripting-XSS.jpg\")
<\/figure>\n\n\n\n\n
S\u1ef1 ti\u1ebfn h\u00f3a c\u1ee7a Cross-Site Scripting (XSS)<\/h3>\n\n\n
Denial of Service (DoS) v\u00e0 Distributed Denial of Service (DDoS)<\/strong><\/h2>\n\n\n
![\"T\u1ea5n](\"http:\/\/securitybriefing.net\/wp-content\/uploads\/2023\/04\/Denial-of-service-DoS-and-DDoS.jpg\")
<\/figure>\n\n\n\n