Cross-Site Scripting (XSS) Explanation and Prevention

Explaining XSS, one of the most common web application vulnerabilities.


What is Cross-Site Scripting (XSS)?

Cross-site scripting (XSS) is a code injection attack against web applications that delivers malicious client-side scripts to a user’s web browser for execution. Targets are not attacked directly; rather, vulnerable websites and web applications are used to carry out cross-site scripting attacks when users interact with those sites/applications.

An unsuspecting user will, for example, visit a compromised website, at which point the attacker’s malicious script is loaded and executed by the user’s browser. This can lead to exposure/theft of sensitive data, session hijacking, and more.

Because of its wide support across many web browsers and platforms, JavaScript has been a popular choice for XSS attack authors, but an attack can use any language the browser supports. While XSS attacks have been around for over 15 years, they have proven highly effective and are still regularly observed as a common and viable attack vector.


Impact of Cross-Site Scripting

When a web page is hit by a cross-site scripting attack, a range of problems can quickly arise. Possible concerns include, but are not limited to:

  • Sensitive user data being exposed
  • Attackers seizing online accounts and impersonating users
  • Vandalism of website content presentation
  • Upload of malicious ‘Trojan horse’ programs
  • Redirect of web pages to harmful locations

If cross-site scripting is not detected and addressed promptly, it can cause damage to an organization. With businesses and clients both at risk of XSS attacks, reputations and professional relationships can suffer once malicious software has been successfully injected.

An unfortunate example of cross-site scripting occurred during the 2018 holiday season with the rise of a credit-card-skimming malware called ‘Magecart.’ The malware took advantage of a vulnerability by injecting itself into online check-out sites, the first time an attack of this scale had occurred. User credit card information was likely uploaded to attacker-controlled servers, where it could be sold or used for fraudulent purchases.

Types of Cross-Site Scripting Attacks

Cross-site scripting attacks are generally classified as one of the following types:

  • Reflected XSS
  • Persistent XSS
  • DOM-Based XSS

Reflected XSS

A reflected XSS attack involves a vulnerable website accepting data (i.e. a malicious script) sent by the target’s own web browser in order to attack the target. Because the malicious script is sent by the client itself rather than stored on the vulnerable server, this type of attack is also referred to as “non-persistent.”

A simple example of a reflected XSS attack might involve an attacker crafting a URL that passes a small malicious script as a query parameter to a website whose search page is vulnerable to XSS:

http://vulnerable-website.com/search?search_term=”

The attacker then needs to get the target to visit this URL from their web browser. This can be done by sending an email containing the URL (with a plausible pretext to trick the user into clicking it) or by posting the URL on a public, non-vulnerable website for targets to click.

When a target does click the link, the vulnerable site accepts the query parameter “search_term”, expecting the value to be something the target is interested in searching the vulnerable-website.com site for, when in reality the value is the malicious script.

The search page then, as most website search pages will do when a user is searching for something, displays “Searching for ...”, but because the vulnerable site didn’t sanitize the search_term value, the malicious script is injected into the web page the target’s browser is loading and is then executed by the target’s browser.

Persistent XSS

As the name suggests, a persistent XSS attack is stored/persisted on the vulnerable server itself. Unlike a reflected attack, where the malicious script is sent by the target, users of the vulnerable website or web application can be attacked during their routine interactions with the vulnerable site/app.

A simple example of a persistent XSS attack might involve an attacker posting a message to a forum hosted on the vulnerable website. Rather than a usual, innocuous forum post, this post’s content contains the attacker’s malicious script. When users visit this forum post, their web browsers load and execute the malicious script.

As you can see, a key difference between reflected and persistent XSS attacks is that a persistent XSS attack treats all users of a vulnerable site/app as targets for attack.

DOM-Based XSS

Another type of XSS attack is DOM-based, where the vulnerability exists in the client-side script that the site/app always serves to its visitors. This attack differs from reflected and persistent XSS attacks because the site/app does not directly serve the malicious script to the target’s browser. In a DOM-based XSS attack, the site/app has a vulnerable client-side script that delivers the malicious script into the target’s browser. Similar to a reflected attack, a DOM-based attack does not store the malicious script on the vulnerable server.

A simple example of a DOM-based XSS attack might involve the same setup as the reflected XSS example above. The attacker creates a URL with the malicious script as the “search_term” and sends it to potential targets.

Once a target clicks the URL, their browser loads the site’s search page along with the vulnerable client-side processing script. While “search_term” is still supplied to the site’s back end as a query parameter for processing, the site itself does not generate a web page with the malicious script injected.

Instead, the site’s vulnerable client-side script is designed to dynamically substitute the search term value (i.e. the malicious script) locally, in the target’s browser, into the target’s rendered search page, causing the target’s browser to load and execute the attacker’s script.

DOM-based XSS attacks highlight the fact that XSS vulnerabilities are not limited to server-side software.

How to Prevent Cross-Site Scripting Attacks

With multiple variations of cross-site scripting attacks, organizations need to know how to adequately protect themselves and prevent future problems. As websites become increasingly complex, rigorous monitoring becomes harder than ever. The frequency of attacks will likely continue to rise as time goes on.

The following recommendations can help protect users from XSS attacks:

Sanitize user input:

  • Validate to catch potentially malicious user-provided input.
  • Encode output to prevent potentially malicious user-provided data from triggering the browser’s automatic loading and execution behavior.

Limit use of user-provided data:

  • Only use where it’s necessary.

Utilize the Content Security Policy:

  • Provides additional levels of protection and mitigation against XSS attempts.

Regularly use a web application vulnerability scanning tool to identify XSS vulnerabilities in your software.
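To make the “encode output” and Content Security Policy recommendations concrete, here is an added example (not code from the original article) that renders the reflected-XSS search page from the scenario above in both its unsafe and hardened forms. The function names, the CSP values and the sample query are assumptions constructed for illustration.

```javascript
// Added example, not part of the original article. Function names and the
// sample input are constructed for illustration.

// Encode a value for the HTML text and quoted-attribute contexts so the browser
// treats it as literal characters rather than markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: search_term is concatenated straight into the markup,
// which is exactly the defect the reflected example above relies on.
function renderSearchPageUnsafe(searchTerm) {
  return `<p>Searching for ${searchTerm}...</p>`;
}

// Hardened rendering: the same page, with the value encoded for its context.
function renderSearchPageSafe(searchTerm) {
  return `<p>Searching for ${escapeHtml(searchTerm)}...</p>`;
}

// Defence in depth: a Content Security Policy that disallows inline scripts,
// so an encoder slip does not automatically become script execution.
// (Hypothetical policy values; tune them to the site's real script sources.)
function cspHeader() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'",
  };
}

// Simple detection check for a rendered page: does a raw <script> tag survive?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample query: markup instead of a search phrase.
const sampleTerm = '<script>alert("xss")</script>';
console.log(renderSearchPageUnsafe(sampleTerm)); // raw <script> reaches the page
console.log(renderSearchPageSafe(sampleTerm));   // &lt;script&gt;... is inert text
console.log(cspHeader());
```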
