Cross-Site Scripting (XSS) Explained and Prevented

Explaining XSS, one of the most common web application vulnerabilities.


What is Cross-Site Scripting (XSS)?

Cross-site scripting (XSS) is a code injection attack targeting web applications that delivers malicious, client-side scripts to a user's web browser for execution. The target is not attacked directly; rather, vulnerable websites and web applications are used to carry out cross-site scripting attacks when users interact with those sites or applications.

An unsuspecting user will, for example, visit a compromised website, at which point the attacker's malicious script is loaded and executed by the user's browser. This can lead to exfiltration or theft of sensitive data, session hijacking, and much more.

Because of its broad support across many web browsers and platforms, JavaScript has long been the popular choice of XSS attack authors, but an attack can be crafted in any language that browsers support. Although XSS attacks have existed for more than 15 years, they have proven highly effective and are still frequently observed as a common and viable attack vector today.


Impact of cross-site scripting

When a web page is compromised with cross-site scripting, a collection of issues can quickly emerge. Possible problems include, but are not limited to:

  • Sensitive user data being exposed
  • Attackers taking over online accounts and impersonating users
  • Defacement of website content
  • Upload of malicious "Trojan horse" programs
  • Redirection of web pages to harmful locations

Cross-site scripting can be detrimental to an organization if it is not detected and handled promptly. Both businesses and their customers are at risk from XSS attacks, and reputations and professional relationships can be negatively impacted following a successful malware injection.

An unfortunate example of cross-site scripting came during the 2018 holiday season with the rise of a credit card-skimming malware called "Magecart". The malware exploited a vulnerability by injecting itself into online checkout websites, and this was the first time an attack of this nature occurred on such a large scale. User credit card information was likely uploaded to a server controlled by the attacker and potentially sold or used for fraudulent purchases.

Types of cross-site scripting attacks

Cross-site scripting attacks are typically categorized as one of the following types:

  • Reflected XSS
  • Persistent XSS
  • DOM-based XSS

Reflected XSS

A reflected cross-site scripting attack involves a vulnerable website accepting data (i.e. a malicious script) sent by the target's own web browser and using it to attack the target. Because the malicious script is sent by the client itself and is not stored on the vulnerable server, this type of attack is also known as a "non-persistent" attack.

A simple example of a reflected XSS attack could involve an attacker crafting a URL that passes a small, malicious script as a query parameter to a website that has a search page vulnerable to XSS:

http://vulnerable-website.com/search?search_term=”

The attacker then needs to get targets to visit this URL from their web browsers. This could be accomplished by sending an email containing the URL (with a plausible reason to trick the user into clicking it) or by publishing the URL on a public, non-vulnerable website for targets to click.

When the target clicks the link, the vulnerable site accepts the query parameter "search_term", expecting its value to be something the target is interested in searching vulnerable-website.com for, when the actual value is the malicious script.

The search page then, as most website search pages do when a user searches for something, displays "Searching for ...", but because the vulnerable site does not sanitize the search_term value, the malicious script is injected into the web page that the target's browser is loading and is then executed by the target's browser.
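The "Searching for ..." page described above, shown as an added example (not code from the original page) in two versions: one that reflects the query parameter unchanged and one that encodes it for the HTML text context. The function names, the encoder and the probe URL with its harmless marker payload are assumptions constructed for this illustration.

```javascript
// Added example (not from the original page): a reflected XSS sink and its fix.
// renderSearchVulnerable, renderSearchSafe, encodeForHtml and the probe value
// are constructed for this illustration.

// Minimal HTML text-context encoder: the five HTML metacharacters become
// entities, so the browser renders the value as text and never as markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the query parameter is concatenated straight into the HTML.
function renderSearchVulnerable(searchTerm) {
  return `<h1>Searching for ${searchTerm}</h1>`;
}

// Fixed: the same page, but the value is encoded for the HTML text context.
function renderSearchSafe(searchTerm) {
  return `<h1>Searching for ${encodeForHtml(searchTerm)}</h1>`;
}

// Extract the search_term parameter the way the site back end would.
function searchTermFromUrl(url) {
  return new URL(url).searchParams.get("search_term") ?? "";
}

// Would the rendered HTML contain a <script> element for the browser to run?
function containsScriptElement(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed probe URL modelled on the page's example; the payload is a
// benign marker, which is all that is needed to show the reflection.
const PROBE_URL =
  "http://vulnerable-website.com/search?search_term=" +
  encodeURIComponent("<script>alert(1)</script>");

const term = searchTermFromUrl(PROBE_URL);
console.log("vulnerable:", renderSearchVulnerable(term)); // contains a live <script> element
console.log("safe:      ", renderSearchSafe(term));       // contains only inert &lt;script&gt; text
```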

Persistent XSS

As the name implies, a persistent XSS attack is stored (persisted) on the vulnerable server itself. Unlike a reflected attack, where the target sends the malicious script, users of a vulnerable website or web app can be attacked during their usual interactions with the vulnerable site or app.

A simple example of a persistent XSS attack could involve an attacker posting a message to a forum hosted on a vulnerable website. Instead of the usual, harmless forum post, this post's content contains the attacker's malicious script. When a user visits this forum post, their web browser loads and executes the malicious script.

As you can see, a key differentiator between reflected and persistent XSS attacks is that persistent XSS attacks treat all users of the vulnerable site/app as targets.

DOM-based XSS

Another type of XSS attack is DOM-based, where the vulnerability exists in the client-side scripts that the site/app always provides to visitors. This attack differs from reflected and persistent XSS attacks in that the site/app doesn't directly serve up the malicious script to the target's browser. In a DOM-based XSS attack, the site/app has vulnerable client-side scripts which deliver the malicious script to the target's browser. Similar to a reflected attack, a DOM-based attack does not store the malicious script on the vulnerable server itself.

A simple example of a DOM-based XSS attack could involve the same setup as the reflected XSS example scenario above. The attacker creates a URL with a malicious script as the "search_term" and solicits potential targets to click it.

Once the target clicks the URL, their browser loads the site's search page and the vulnerable client-side processing scripts. While the "search_term" is still provided as a query parameter to the site back end for processing, the site itself does not generate the web page with the injected malicious script.

Instead, the site's vulnerable client-side scripts are designed to locally (in the target's browser) dynamically substitute the search term value (i.e. the malicious script) into the search page rendered for the target, causing the target's browser to load and execute the attacker's script.

DOM-based XSS attacks highlight the fact that XSS vulnerabilities aren’t limited to server-side software.

How to prevent cross-site scripting attacks

With so many variants of cross-site scripting attacks in use, organizations need to know how to adequately protect themselves and prevent future problems. Websites are becoming harder to monitor strictly than ever before because of how complex they are becoming, and the frequency of attacks will likely continue to rise over time.

The following suggestions can help safeguard your users against XSS attacks:

Sanitize user input:

  • Validate to catch potentially malicious user-provided input.
  • Encode output to prevent potentially malicious user-provided data from triggering automatic load-and-execute behavior by a browser.

Limit use of user-provided data:

  • Use it only where necessary.

Utilize Content Security Policy:

  • Provides an additional level of protection and mitigation against XSS attempts.

Frequently use web application vulnerability scanning tools to identify XSS vulnerabilities in your software.
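The three defenses listed above (input validation, output encoding and a Content Security Policy) applied to the search endpoint scenario from earlier on the page, as an added example that is not code from the original page. validateSearchTerm, buildCsp and handleSearch are assumed names, and the response object is a stand-in for whatever HTTP framework the site actually uses.

```javascript
// Added example (not from the original page): layered XSS defenses for a
// search endpoint. Names and the response shape are assumptions.

const MAX_TERM_LENGTH = 100;
// Allowlist validation: letters, digits, spaces and a little punctuation.
// HTML metacharacters (< > & " ') are deliberately not on the list.
const TERM_PATTERN = /^[\p{L}\p{N} .,-]*$/u;

function validateSearchTerm(term) {
  if (typeof term !== "string") return { ok: false, reason: "missing" };
  if (term.length > MAX_TERM_LENGTH) return { ok: false, reason: "too long" };
  if (!TERM_PATTERN.test(term)) return { ok: false, reason: "disallowed characters" };
  return { ok: true, value: term };
}

// Output encoding for the HTML text context; applied even to validated input
// so the page stays safe if the allowlist is ever loosened.
const encodeForHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);

// Content Security Policy: only scripts from the site's own origin may run, so
// an inline <script> that slips into the page is refused by the browser.
function buildCsp() {
  return ["default-src 'self'", "script-src 'self'", "object-src 'none'", "base-uri 'self'"]
    .join("; ");
}

// query is the parsed query string, e.g. { search_term: "red shoes" }.
function handleSearch(query) {
  const headers = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": buildCsp(),
  };
  const check = validateSearchTerm(query.search_term);
  if (!check.ok) {
    // Reject without echoing the rejected value back into the page.
    return { status: 400, headers, body: `<p>Invalid search term: ${check.reason}.</p>` };
  }
  return { status: 200, headers, body: `<h1>Searching for ${encodeForHtml(check.value)}</h1>` };
}

// Constructed sample requests: one normal, one carrying a harmless marker script.
console.log(handleSearch({ search_term: "red shoes" }));
console.log(handleSearch({ search_term: "<script>alert(1)</script>" }));
```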
