WWW Internet service is the most important one of the services to provide customers with a wide range of information resources, and information resources to organize such a very important thing is html hypertext language, and then after the development of emerging applications Other labels such as UBB but in the end are Html code to achieve.    After the study found, even the most secure safety code (usually has been ruled out by Xss loopholes) could not avoid another annoying attack, with rigorous procedures, and may be used by others in a greater threat. 

  We now widely exist in a forum, articles, script Blog system in the [img] label that is transforming the label <img> For example to illustrate this neglected safety!    First, I turn on their own label, as well as the browser on the labelling process.    UBB first look at the code below: http://www.cnbct.org/loveshell.jpg [IMG] [/ IMG], and then through the conversion script became <img src = http://www.cnbct.org / loveshell.jpg>.    <img> Labels 

  Is embedded in the current pages of a picture, now in the process of the forum posts, as well as individuals have this function where the portrait, when the browser Html encountered this time will be marked in accordance with src address, here is http://www .cnbct.org / loveshell.jpg to find network resources, when this picture find the time to visit and will then download the local resources for analysis, 
  In the browser, shown that this picture, if not this resource will Display a red cross said that the error.    Http://www.cnbct.org/loveshell.jpg here is a normal picture, so everything is smooth, but I do not know if you ever thought not, if the resources are other types of resources such as a web page or document is a eXe an asp page document types when the picture is not the time, what would be the result? 

  The answer is obviously, the picture is showing a red X, we have not Exe files downloaded Html page is not implemented, it is a natural thing, because the IE browser, or other resources will be made as analytic picture, and this to show cause an error the red X.    Here we may also feel that there is no use, but if we changed the address of the picture 
  Http://127.0.0.1:88/imgtest/test.asp?user=shell this form?    Test.asp, which contains the following contents of 

  <% 
  Dim fso, file / / object definition Fso 
  Const ForReading = 1, ForWriting = 2, ForAppending = 8 
  Set fso = Server.createObject ( "Scripting.FileSystemObject") 
  Path = server.mappath ( "imgtest.txt") / / open the same directory imgtest.txt 

  Set file = fso.opentextfile (path, ForAppending, TRUE) 
  File.write ( "Someone to:") / / write content 
  File.write (request.Servervariables ( "QUERY_STRING")) 
  File.write vbCrLf 
  File.close 
  Set file = nothing 
  Set fso = nothing 
  %> 

  We can look at the test, our visit has been recorded, and even the parameters have been submitted, but the browser is not known, because we can only see a red X.    Here, we may know that we can do this thing!    Can be here is the identity of a page to visit quietly, and even supported Get the parameters of the request, which is very important, understanding that we can play behind our imagination to use this as what! 

  1, Brush flow: We can flow in a large forum to set up their own image into the page to brush, and then a visit to the city to visit our pages, regardless of whether he saw, but he visited the not? 

  2, destruction: The people are angry, if you Dongwanglundan images set to logout.asp so, Oh, you read all the posts will be T, and feel so cool! 

  Oh, as for Mirage Forum, we can try, but it is not ethical! 

  3, hackers: this is what we are most interested in, they can leap authority to do something, because a lot of procedures for better prospects are defensive, but the Background is not so tight on the.    If the procedure is used when the data request ( "id") in this way, then we can use the labels to submit data Cgi Scripts, attention to the need, it is not request.form ( "username2") designated strict the source of the variables, the variables because we only through the url is above the QUERY_STRING that way.    This wording is not very strict procedures fatal, if the example of the network is a dynamic, dynamic network Sql messages.asp version in the background data in the form of a request, the code below: 

......
  Sub Del () 
  Dim Dnum 
  If Request ( "username") = "" Then 
  body = Body "<br>" and "Please enter batch delete user name." 
  Exit Sub 
  End If 
  Sql = "select COUNT (*) FROM Dv_Message where Sender = '" & Request ( "username") & "'" 
  Set Rs = Dvbbs.Execute (Sql) 
......

  Originally, it is the background behind the management must have the authority to access, but we structure such a Url: 

  Http://bbs.dvbbs.net/admin/messages.asp?action=del&user = '; update / ** / Dv_User / ** / set / ** / UserEmail = (select / ** / top / ** / / ** / 
  [Username ]/**/ from / ** / Dv_admin )/**/ where [UserName] = 'loveshell'; -- 

  Or similar statements, and then put in [Img tab.    Members may feel that the administrators do their own posts possibility is not strong, but to know that the Forum is to support and messages posted to the same [img] labels, so if the administrator can a text message, on the inside of the structure we label as long as Img He will be kind of an open messaging moves and oh!    If a student federations and social engineering, not murder Zhanxue ah, huh!    It is regrettable that it seems a bit Fixed Network & symbols of conversion done, we can try to break through, let alone writing is not on the network far more than 10 million strict procedures. 

  4 imagination are we so hard to make money if the IMG tags in the address into the address Annex download, Oh, talking about it, there is no testing. 

  5 ...... 

  Say that the issue of how this defense, if we want to retain the label [IMG] but not come up with the problem, they need to be converted, such as the limited suffix must be jpg, huh This can be done through URL code # JPG Raoguo increase, I think anyway If there is a limit to what are generally Raoguo, even if you limit the IMG, the good, and Flash labels, it also Rm label?  ......

  Defense and use are difficult.