{"id":476483,"date":"2023-08-09T07:29:55","date_gmt":"2023-08-09T07:29:55","guid":{"rendered":""},"modified":"2023-09-05T11:12:51","modified_gmt":"2023-09-05T11:12:51","slug":"cross-site-scripting-xss","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/cn\/wiki\/cross-site-scripting-xss\/","title":{"rendered":"\u8de8\u7ad9\u70b9\u811a\u672c (XSS)"},"content":{"rendered":"<p>\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u662f\u4e00\u79cd\u5e38\u89c1\u4e8e Web \u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5176\u4ed6\u7528\u6237\u67e5\u770b\u7684\u7f51\u9875\u3002\u8fd9\u4e9b\u811a\u672c\u968f\u540e\u7531\u6beb\u65e0\u6212\u5fc3\u7684\u7528\u6237\u6d4f\u89c8\u5668\u6267\u884c\uff0c\u4ece\u800c\u5bfc\u81f4\u672a\u7ecf\u6388\u6743\u7684\u8bbf\u95ee\u3001\u6570\u636e\u7a83\u53d6\u6216\u5176\u4ed6\u6709\u5bb3\u64cd\u4f5c\u3002XSS \u88ab\u8ba4\u4e3a\u662f\u6700\u666e\u904d\u548c\u6700\u5371\u9669\u7684 Web \u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u6f0f\u6d1e\u4e4b\u4e00\uff0c\u5bf9\u7528\u6237\u548c\u7f51\u7ad9\u6240\u6709\u8005\u90fd\u6784\u6210\u91cd\u5927\u98ce\u9669\u3002<\/p>\n<h2>\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u7684\u8d77\u6e90\u5386\u53f2\u4ee5\u53ca\u9996\u6b21\u63d0\u53ca\u5b83<\/h2>\n<p>\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u7684\u6982\u5ff5\u53ef\u4ee5\u8ffd\u6eaf\u5230 20 \u4e16\u7eaa 90 \u5e74\u4ee3\u4e2d\u671f\uff0c\u5f53\u65f6\u7f51\u7edc\u8fd8\u5904\u4e8e\u8d77\u6b65\u9636\u6bb5\u3002\u7b2c\u4e00\u6b21\u63d0\u5230\u6b64\u6f0f\u6d1e\u53ef\u4ee5\u8ffd\u6eaf\u5230 1996 \u5e74\u7684\u4e00\u4e2a\u5b89\u5168\u90ae\u4ef6\u5217\u8868\uff0c\u5176\u4e2d RSnake \u5f3a\u8c03\u4e86\u5141\u8bb8\u7528\u6237\u5411\u7f51\u7ad9\u63d0\u4ea4\u672a\u8fc7\u6ee4\u8f93\u5165\u7684\u98ce\u9669\uff0c\u8fd9\u53ef\u80fd\u5bfc\u81f4\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e0a\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002<\/p>\n<h2>\u6709\u5173\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u7684\u8be6\u7ec6\u4fe1\u606f\u3002\u6269\u5c55\u4e3b\u9898\u8de8\u7ad9\u70b9\u811a\u672c (XSS)<\/h2>\n<p>\u5f53 Web \u5e94\u7528\u7a0b\u5e8f\u65e0\u6cd5\u6b63\u786e\u6e05\u7406\u548c\u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u65f6\uff0c\u5c31\u4f1a\u53d1\u751f\u8de8\u7ad9\u70b9\u811a\u672c\u653b\u51fb\uff0c\u4ece\u800c\u5141\u8bb8\u653b\u51fb\u8005\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5176\u4ed6\u7528\u6237\u67e5\u770b\u7684\u7f51\u9875\u3002XSS \u653b\u51fb\u4e3b\u8981\u6709\u4e09\u79cd\u7c7b\u578b\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u5b58\u50a8\u578bXSS\uff1a<\/strong> \u5728\u8fd9\u79cd\u7c7b\u578b\u7684\u653b\u51fb\u4e2d\uff0c\u6076\u610f\u811a\u672c\u4f1a\u6c38\u4e45\u5b58\u50a8\u5728\u76ee\u6807\u670d\u52a1\u5668\u4e0a\uff08\u901a\u5e38\u662f\u6570\u636e\u5e93\u4e2d\uff09\uff0c\u5e76\u63d0\u4f9b\u7ed9\u8bbf\u95ee\u53d7\u5f71\u54cd\u7f51\u9875\u7684\u7528\u6237\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u53cd\u5c04\u578bXSS\uff1a<\/strong> \u5728\u8fd9\u91cc\uff0c\u6076\u610f\u811a\u672c\u5d4c\u5165\u5728 URL \u6216\u5176\u4ed6\u8f93\u5165\u4e2d\uff0cWeb \u5e94\u7528\u7a0b\u5e8f\u672a\u7ecf\u9002\u5f53\u9a8c\u8bc1\u5c31\u5c06\u5176\u53cd\u9988\u7ed9\u7528\u6237\u3002\u53d7\u5bb3\u8005\u5728\u70b9\u51fb\u88ab\u64cd\u7eb5\u7684\u94fe\u63a5\u65f6\u4f1a\u4e0d\u77e5\u60c5\u5730\u6267\u884c\u8be5\u811a\u672c\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u57fa\u4e8e DOM \u7684 XSS\uff1a<\/strong> \u8fd9\u79cd\u7c7b\u578b\u7684 XSS \u653b\u51fb\u4f1a\u64cd\u7eb5\u7f51\u9875\u7684\u6587\u6863\u5bf9\u8c61\u6a21\u578b (DOM)\u3002\u6076\u610f\u811a\u672c\u5e76\u4e0d\u76f4\u63a5\u5b58\u50a8\u5728\u670d\u52a1\u5668\u4e0a\u6216\u4ece\u5e94\u7528\u7a0b\u5e8f\u4e2d\u53cd\u6620\u51fa\u6765\uff1b\u800c\u662f\u7531\u4e8e\u5ba2\u6237\u7aef\u811a\u672c\u5b58\u5728\u7f3a\u9677\uff0c\u5b83\u4f1a\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002<\/p>\n<\/li>\n<\/ol>\n<h2>\u8de8\u7ad9\u70b9\u811a\u672c\u653b\u51fb\uff08XSS\uff09\u7684\u5185\u90e8\u7ed3\u6784\u3002\u8de8\u7ad9\u70b9\u811a\u672c\u653b\u51fb\uff08XSS\uff09\u7684\u5de5\u4f5c\u539f\u7406<\/h2>\n<p>\u4e3a\u4e86\u4e86\u89e3 XSS \u7684\u5de5\u4f5c\u539f\u7406\uff0c\u8ba9\u6211\u4eec\u5206\u89e3\u5178\u578b XSS \u653b\u51fb\u7684\u5185\u90e8\u7ed3\u6784\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u6ce8\u5c04\u70b9\uff1a<\/strong> \u653b\u51fb\u8005\u4f1a\u8bc6\u522b\u76ee\u6807 Web \u5e94\u7528\u7a0b\u5e8f\u4e2d\u672a\u6b63\u786e\u6e05\u7406\u6216\u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u7684\u6f0f\u6d1e\u70b9\u3002\u5e38\u89c1\u7684\u6ce8\u5165\u70b9\u5305\u62ec\u8f93\u5165\u5b57\u6bb5\u3001URL \u548c HTTP \u6807\u5934\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u6076\u610f\u8d1f\u8f7d\uff1a<\/strong> \u653b\u51fb\u8005\u7f16\u5199\u6076\u610f\u811a\u672c\uff08\u901a\u5e38\u4e3a JavaScript\uff09\uff0c\u6267\u884c\u6240\u9700\u7684\u6076\u610f\u64cd\u4f5c\uff0c\u4f8b\u5982\u7a83\u53d6\u4f1a\u8bdd cookie \u6216\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u9493\u9c7c\u7f51\u7ad9\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u6267\u884c\uff1a<\/strong> \u7136\u540e\uff0c\u7cbe\u5fc3\u7f16\u5199\u7684\u811a\u672c\u901a\u8fc7\u6ce8\u5165\u70b9\u6ce8\u5165\u5230\u5b58\u5728\u6f0f\u6d1e\u7684\u5e94\u7528\u7a0b\u5e8f\u4e2d\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u7528\u6237\u4e92\u52a8\uff1a<\/strong> \u5f53\u6beb\u65e0\u6212\u5fc3\u7684\u7528\u6237\u4e0e\u53d7\u611f\u67d3\u7684\u7f51\u9875\u8fdb\u884c\u4ea4\u4e92\u65f6\uff0c\u6076\u610f\u811a\u672c\u5c31\u4f1a\u5728\u5176\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u653b\u51fb\u8005\u7684\u76ee\u6807\uff1a<\/strong> \u6839\u636e\u653b\u51fb\u7684\u6027\u8d28\uff0c\u653b\u51fb\u8005\u7684\u76ee\u6807\u53ef\u80fd\u5305\u62ec\u7a83\u53d6\u654f\u611f\u4fe1\u606f\u3001\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3001\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u6216\u7834\u574f\u7f51\u7ad9\u3002<\/p>\n<\/li>\n<\/ol>\n<h2>\u8de8\u7ad9\u70b9\u811a\u672c\uff08XSS\uff09\u4e3b\u8981\u7279\u5f81\u5206\u6790<\/h2>\n<p>\u8de8\u7ad9\u70b9\u811a\u672c\u7684\u4e3b\u8981\u7279\u5f81\u5305\u62ec\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u5ba2\u6237\u7aef\u5229\u7528\uff1a<\/strong> XSS \u653b\u51fb\u4e3b\u8981\u9488\u5bf9\u5ba2\u6237\u7aef\uff0c\u5229\u7528\u7528\u6237\u7684 Web \u6d4f\u89c8\u5668\u6267\u884c\u6076\u610f\u811a\u672c\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u591a\u6837\u5316\u7684\u5229\u7528\u65b9\u5f0f\uff1a<\/strong> XSS \u53ef\u4ee5\u901a\u8fc7\u5404\u79cd\u8f7d\u4f53\u6267\u884c\uff0c\u4f8b\u5982\u8868\u5355\u3001\u641c\u7d22\u680f\u3001\u8bc4\u8bba\u533a\u3001URL \u7b49\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u4e25\u91cd\u7a0b\u5ea6\uff1a<\/strong> XSS \u653b\u51fb\u7684\u5f71\u54cd\u8303\u56f4\u4ece\u8f7b\u5fae\u70e6\u4eba\u7684\u5f39\u51fa\u7a97\u53e3\u5230\u6570\u636e\u6cc4\u9732\u548c\u8d22\u52a1\u635f\u5931\u7b49\u4e25\u91cd\u540e\u679c\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u4f9d\u8d56\u7528\u6237\u4fe1\u4efb\uff1a<\/strong> XSS \u901a\u5e38\u4f1a\u5229\u7528\u7528\u6237\u5bf9\u6240\u8bbf\u95ee\u7f51\u7ad9\u7684\u4fe1\u4efb\uff0c\u56e0\u4e3a\u6ce8\u5165\u7684\u811a\u672c\u4f3c\u4e4e\u6765\u81ea\u5408\u6cd5\u6765\u6e90\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u57fa\u4e8e\u4e0a\u4e0b\u6587\u7684\u6f0f\u6d1e\uff1a<\/strong> \u4e0d\u540c\u7684\u4e0a\u4e0b\u6587\uff08\u4f8b\u5982 HTML\u3001JavaScript \u548c CSS\uff09\u5177\u6709\u72ec\u7279\u7684\u8f6c\u4e49\u8981\u6c42\uff0c\u56e0\u6b64\u6b63\u786e\u7684\u8f93\u5165\u9a8c\u8bc1\u81f3\u5173\u91cd\u8981\u3002<\/p>\n<\/li>\n<\/ol>\n<h2>\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u7684\u7c7b\u578b<\/h2>\n<p>XSS\u653b\u51fb\u6839\u636e\u5176\u6267\u884c\u65b9\u5f0f\u548c\u5f71\u54cd\u5927\u5c0f\u53ef\u5206\u4e3a\u4e09\u7c7b\uff1a<\/p>\n<table>\n<thead>\n<tr>\n<th><strong>\u7c7b\u578b<\/strong><\/th>\n<th><strong>\u63cf\u8ff0<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u5b58\u50a8\u578bXSS<\/td>\n<td>\u6076\u610f\u811a\u672c\u5b58\u50a8\u5728\u670d\u52a1\u5668\u4e0a\uff0c\u5e76\u901a\u8fc7\u53d7\u611f\u67d3\u7684\u7f51\u9875\u63d0\u4f9b\u7ed9\u7528\u6237\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u53cd\u5c04\u578bXSS<\/td>\n<td>\u6076\u610f\u811a\u672c\u5d4c\u5165\u5728 URL \u6216\u5176\u4ed6\u8f93\u5165\u4e2d\uff0c\u5e76\u5c06\u5176\u53cd\u5c04\u56de\u7528\u6237\u3002<\/td>\n<\/tr>\n<tr>\n<td>\u57fa\u4e8e DOM \u7684 XSS<\/td>\n<td>\u8be5\u653b\u51fb\u64cd\u7eb5\u7f51\u9875\u7684 DOM\uff0c\u5728\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u6076\u610f\u811a\u672c\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u7684\u4f7f\u7528\u65b9\u6cd5\u3001\u95ee\u9898\u53ca\u89e3\u51b3\u65b9\u6cd5<\/h2>\n<p>\u653b\u51fb\u8005\u53ef\u4ee5\u5c06 XSS \u7528\u4e8e\u5404\u79cd\u6076\u610f\u76ee\u7684\uff0c\u5305\u62ec\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u4f1a\u8bdd\u52ab\u6301\uff1a<\/strong> \u901a\u8fc7\u7a83\u53d6\u4f1a\u8bdd cookie\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5192\u5145\u5408\u6cd5\u7528\u6237\u5e76\u83b7\u5f97\u672a\u7ecf\u6388\u6743\u7684\u8bbf\u95ee\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u7f51\u7edc\u9493\u9c7c\u653b\u51fb\uff1a<\/strong> XSS \u53ef\u7528\u4e8e\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u9493\u9c7c\u9875\u9762\uff0c\u8bf1\u9a97\u4ed6\u4eec\u6cc4\u9732\u654f\u611f\u4fe1\u606f\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u952e\u76d8\u8bb0\u5f55\uff1a<\/strong> \u6076\u610f\u811a\u672c\u53ef\u4ee5\u8bb0\u5f55\u7528\u6237\u7684\u51fb\u952e\uff0c\u83b7\u53d6\u654f\u611f\u6570\u636e\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u6c61\u635f\uff1a<\/strong> \u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u4fee\u6539\u7f51\u7ad9\u5185\u5bb9\u4ee5\u4f20\u64ad\u9519\u8bef\u4fe1\u606f\u6216\u635f\u5bb3\u516c\u53f8\u58f0\u8a89\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u6076\u610f\u8f6f\u4ef6\u5206\u5e03\uff1a<\/strong> XSS \u53ef\u7528\u4e8e\u5411\u6beb\u65e0\u6212\u5fc3\u7684\u7528\u6237\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002<\/p>\n<\/li>\n<\/ol>\n<p>\u4e3a\u4e86\u7f13\u89e3 XSS \u6f0f\u6d1e\uff0cWeb \u5f00\u53d1\u4eba\u5458\u5e94\u9075\u5faa\u6700\u4f73\u5b9e\u8df5\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u8f93\u5165\u9a8c\u8bc1\uff1a<\/strong> \u6e05\u7406\u5e76\u9a8c\u8bc1\u6240\u6709\u7528\u6237\u8f93\u5165\u4ee5\u9632\u6b62\u811a\u672c\u6ce8\u5165\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u8f93\u51fa\u7f16\u7801\uff1a<\/strong> \u5728\u5448\u73b0\u52a8\u6001\u5185\u5bb9\u4e4b\u524d\u5bf9\u5176\u8fdb\u884c\u7f16\u7801\u4ee5\u9632\u6b62\u811a\u672c\u6267\u884c\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u4ec5\u9650HTTP\u7684Cookie\uff1a<\/strong> \u4f7f\u7528\u4ec5 HTTP \u7684 cookie \u6765\u51cf\u8f7b\u4f1a\u8bdd\u52ab\u6301\u653b\u51fb\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u5185\u5bb9\u5b89\u5168\u7b56\u7565 (CSP)\uff1a<\/strong> \u5b9e\u73b0 CSP \u6807\u5934\u6765\u9650\u5236\u53ef\u6267\u884c\u811a\u672c\u7684\u6765\u6e90\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u5b89\u5168\u5f00\u53d1\u5b9e\u8df5\uff1a<\/strong> \u5bf9\u5f00\u53d1\u4eba\u5458\u8fdb\u884c\u5b89\u5168\u7f16\u7801\u5b9e\u8df5\u6559\u80b2\u5e76\u5b9a\u671f\u8fdb\u884c\u5b89\u5168\u5ba1\u6838\u3002<\/p>\n<\/li>\n<\/ol>\n<h2>\u4e3b\u8981\u7279\u5f81\u4ee5\u53ca\u4e0e\u7c7b\u4f3c\u672f\u8bed\u7684\u5176\u4ed6\u6bd4\u8f83\u4ee5\u8868\u683c\u548c\u5217\u8868\u7684\u5f62\u5f0f<\/h2>\n<table>\n<thead>\n<tr>\n<th><strong>\u7279\u5f81<\/strong><\/th>\n<th><strong>\u8de8\u7ad9\u811a\u672c (XSS)<\/strong><\/th>\n<th><strong>\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020 (CSRF)<\/strong><\/th>\n<th><strong>SQL\u6ce8\u5165<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\u653b\u51fb\u7c7b\u578b<\/td>\n<td>\u5ba2\u6237\u7aef\u5229\u7528<\/td>\n<td>\u670d\u52a1\u5668\u7aef\u5229\u7528<\/td>\n<td>\u670d\u52a1\u5668\u7aef\u5229\u7528<\/td>\n<\/tr>\n<tr>\n<td>\u4e3b\u8981\u76ee\u6807<\/td>\n<td>\u7528\u6237\u7684\u7f51\u7edc\u6d4f\u89c8\u5668<\/td>\n<td>Web \u5e94\u7528\u7a0b\u5e8f\u7684\u72b6\u6001\u66f4\u6539\u8bf7\u6c42<\/td>\n<td>Web \u5e94\u7528\u7a0b\u5e8f\u7684\u6570\u636e\u5e93<\/td>\n<\/tr>\n<tr>\n<td>\u5229\u7528\u6f0f\u6d1e<\/td>\n<td>\u4e0d\u6b63\u786e\u7684\u8f93\u5165\u5904\u7406<\/td>\n<td>\u7f3a\u5c11 CSRF \u4ee4\u724c<\/td>\n<td>\u4e0d\u6b63\u786e\u7684\u8f93\u5165\u5904\u7406<\/td>\n<\/tr>\n<tr>\n<td>\u5f71\u54cd\u4e25\u91cd\u7a0b\u5ea6<\/td>\n<td>\u4ece\u8f7b\u5fae\u5230\u4e25\u91cd<\/td>\n<td>\u4e8b\u52a1\u64cd\u4f5c<\/td>\n<td>\u672a\u7ecf\u6388\u6743\u7684\u6570\u636e\u62ab\u9732<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>\u4e0e\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u76f8\u5173\u7684\u672a\u6765\u89c2\u70b9\u548c\u6280\u672f<\/h2>\n<p>XSS \u9884\u9632\u7684\u672a\u6765\u5728\u4e8e Web \u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u6027\u7684\u8fdb\u6b65\u548c\u5b89\u5168\u5f00\u53d1\u5b9e\u8df5\u7684\u91c7\u7528\u3002\u6f5c\u5728\u7684\u53d1\u5c55\u53ef\u80fd\u5305\u62ec\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u9ad8\u7ea7\u8f93\u5165\u9a8c\u8bc1\uff1a<\/strong> \u81ea\u52a8\u5316\u5de5\u5177\u548c\u6846\u67b6\u53ef\u4ee5\u66f4\u597d\u5730\u68c0\u6d4b\u548c\u9884\u9632 XSS \u6f0f\u6d1e\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u4eba\u5de5\u667a\u80fd\u9a71\u52a8\u7684\u9632\u5fa1\uff1a<\/strong> \u4eba\u5de5\u667a\u80fd\u4e3b\u52a8\u8bc6\u522b\u548c\u51cf\u8f7b\u96f6\u65e5 XSS \u5a01\u80c1\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u7f51\u9875\u6d4f\u89c8\u5668\u589e\u5f3a\u529f\u80fd\uff1a<\/strong> \u6539\u8fdb\u6d4f\u89c8\u5668\u7684\u5b89\u5168\u529f\u80fd\uff0c\u4ee5\u6700\u5927\u9650\u5ea6\u5730\u964d\u4f4e XSS \u98ce\u9669\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u5b89\u5168\u57f9\u8bad\uff1a<\/strong> \u4e3a\u5f00\u53d1\u4eba\u5458\u63d0\u4f9b\u66f4\u5e7f\u6cdb\u7684\u5b89\u5168\u57f9\u8bad\uff0c\u4ee5\u704c\u8f93\u5b89\u5168\u7b2c\u4e00\u7684\u601d\u7ef4\u6a21\u5f0f\u3002<\/p>\n<\/li>\n<\/ol>\n<h2>\u4ee3\u7406\u670d\u52a1\u5668\u5982\u4f55\u4e0e\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u5173\u8054<\/h2>\n<p>\u4ee3\u7406\u670d\u52a1\u5668\u5728\u51cf\u8f7b XSS \u98ce\u9669\u65b9\u9762\u53ef\u4ee5\u53d1\u6325\u91cd\u8981\u4f5c\u7528\u3002\u901a\u8fc7\u5145\u5f53\u5ba2\u6237\u7aef\u548c Web \u670d\u52a1\u5668\u4e4b\u95f4\u7684\u4e2d\u4ecb\uff0c\u4ee3\u7406\u670d\u52a1\u5668\u53ef\u4ee5\u5b9e\u65bd\u989d\u5916\u7684\u5b89\u5168\u63aa\u65bd\uff0c\u5305\u62ec\uff1a<\/p>\n<ol>\n<li>\n<p><strong>\u5185\u5bb9\u8fc7\u6ee4\uff1a<\/strong> \u4ee3\u7406\u670d\u52a1\u5668\u53ef\u4ee5\u626b\u63cf\u7f51\u7edc\u6d41\u91cf\u4e2d\u662f\u5426\u5b58\u5728\u6076\u610f\u811a\u672c\uff0c\u5e76\u5728\u5230\u8fbe\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u4e4b\u524d\u963b\u6b62\u5b83\u4eec\u3002<\/p>\n<\/li>\n<li>\n<p><strong>SSL\/TLS \u68c0\u67e5\uff1a<\/strong> \u4ee3\u7406\u53ef\u4ee5\u68c0\u67e5\u52a0\u5bc6\u6d41\u91cf\u4e2d\u662f\u5426\u5b58\u5728\u6f5c\u5728\u5a01\u80c1\uff0c\u4ece\u800c\u9632\u6b62\u5229\u7528\u52a0\u5bc6\u901a\u9053\u7684\u653b\u51fb\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u8bf7\u6c42\u8fc7\u6ee4\uff1a<\/strong> \u4ee3\u7406\u670d\u52a1\u5668\u53ef\u4ee5\u5206\u6790\u4f20\u5165\u7684\u8bf7\u6c42\u5e76\u963b\u6b62\u90a3\u4e9b\u770b\u4f3c XSS \u5c1d\u8bd5\u7684\u8bf7\u6c42\u3002<\/p>\n<\/li>\n<li>\n<p><strong>Web \u5e94\u7528\u7a0b\u5e8f\u9632\u706b\u5899 (WAF)\uff1a<\/strong> \u8bb8\u591a\u4ee3\u7406\u670d\u52a1\u5668\u90fd\u7ed3\u5408\u4e86 WAF \u6765\u6839\u636e\u5df2\u77e5\u6a21\u5f0f\u68c0\u6d4b\u548c\u9632\u6b62 XSS \u653b\u51fb\u3002<\/p>\n<\/li>\n<li>\n<p><strong>\u4f1a\u8bdd\u7ba1\u7406\uff1a<\/strong> \u4ee3\u7406\u53ef\u4ee5\u5b89\u5168\u5730\u7ba1\u7406\u7528\u6237\u4f1a\u8bdd\uff0c\u4ece\u800c\u964d\u4f4e\u4f1a\u8bdd\u52ab\u6301\u7684\u98ce\u9669\u3002<\/p>\n<\/li>\n<\/ol>\n<h2>\u76f8\u5173\u94fe\u63a5<\/h2>\n<p>\u6709\u5173\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u7684\u66f4\u591a\u4fe1\u606f\uff0c\u60a8\u53ef\u4ee5\u8bbf\u95ee\u4ee5\u4e0b\u8d44\u6e90\uff1a<\/p>\n<ol>\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/\" target=\"_new\" rel=\"noopener nofollow\">OWASP \u8de8\u7ad9\u811a\u672c (XSS) \u9884\u9632\u5907\u5fd8\u5355<\/a><\/li>\n<li><a href=\"https:\/\/www.w3schools.com\/js\/js_security.asp\" target=\"_new\" rel=\"noopener nofollow\">W3Schools \u2013 JavaScript \u5b89\u5168<\/a><\/li>\n<li><a href=\"https:\/\/developers.google.com\/web\/fundamentals\/security\/csp\" target=\"_new\" rel=\"noopener nofollow\">Google Web \u57fa\u7840\u77e5\u8bc6 \u2013 \u9632\u6b62\u8de8\u7ad9\u70b9\u811a\u672c (XSS)<\/a><\/li>\n<\/ol>\n<p>\u8bf7\u8bb0\u4f4f\uff0c\u4e86\u89e3\u7f51\u7edc\u5b89\u5168\u6700\u4f73\u5b9e\u8df5\u5bf9\u4e8e\u4fdd\u62a4\u60a8\u81ea\u5df1\u548c\u60a8\u7684\u7528\u6237\u514d\u53d7 XSS \u653b\u51fb\u7684\u6f5c\u5728\u98ce\u9669\u81f3\u5173\u91cd\u8981\u3002\u5b9e\u65bd\u5f3a\u5927\u7684\u5b89\u5168\u63aa\u65bd\u5c06\u4fdd\u62a4\u60a8\u7684 Web \u5e94\u7528\u7a0b\u5e8f\u5e76\u786e\u4fdd\u6240\u6709\u4eba\u90fd\u80fd\u4eab\u53d7\u66f4\u5b89\u5168\u7684\u6d4f\u89c8\u4f53\u9a8c\u3002<\/p>","protected":false},"featured_media":468044,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-476483","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about <mark>Cross-site scripting (XSS)<\/mark>","faq_items":[{"question":"What is Cross-site scripting (XSS)?","answer":"<p>Cross-site scripting (XSS) is a common web application security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts are then executed by the victims' browsers, leading to potential data theft, unauthorized access, or other harmful actions.<\/p>"},{"question":"How did Cross-site scripting (XSS) originate?","answer":"<p>The concept of Cross-site scripting dates back to the mid-1990s, with its first mention in a security mailing list in 1996. RSnake highlighted the risks of allowing users to submit unfiltered input to websites, which could result in the execution of malicious code on the victim's browser.<\/p>"},{"question":"What are the different types of Cross-site scripting (XSS) attacks?","answer":"<p>There are three primary types of XSS attacks:<\/p><ol><li>Stored XSS: The malicious script is permanently stored on the target server and served to users accessing the affected web page.<\/li><li>Reflected XSS: The malicious script is embedded in a URL or other input, and the web application reflects it back to the user without proper validation.<\/li><li>DOM-based XSS: The attack manipulates the Document Object Model (DOM) of a web page, executing the malicious script within the victim's browser due to flawed client-side scripting.<\/li><\/ol>"},{"question":"How does Cross-site scripting (XSS) work?","answer":"<p>XSS attacks occur when web applications fail to properly sanitize and validate user inputs. Attackers identify vulnerable points in the application, inject malicious scripts, and then unsuspecting users execute these scripts within their browsers.<\/p>"},{"question":"What are the key features of Cross-site scripting (XSS)?","answer":"<p>Key features of XSS include:<\/p><ul><li>Client-side exploitation using web browsers.<\/li><li>Diverse exploitation vectors, such as input fields, URLs, and more.<\/li><li>Varying severity levels from annoying pop-ups to serious data breaches.<\/li><li>Dependency on user trust in the compromised website.<\/li><li>Context-based vulnerabilities with unique escaping requirements.<\/li><\/ul>"},{"question":"How can I protect my web applications from Cross-site scripting (XSS) attacks?","answer":"<p>To mitigate XSS vulnerabilities, follow these best practices:<\/p><ul><li>Implement proper input validation and output encoding.<\/li><li>Use HTTP-only cookies to prevent session hijacking.<\/li><li>Employ Content Security Policy (CSP) to restrict executable scripts' sources.<\/li><li>Train developers on secure coding practices and conduct security audits regularly.<\/li><\/ul>"},{"question":"What are some future perspectives related to Cross-site scripting (XSS)?","answer":"<p>The future of XSS prevention lies in advancements in web application security and the adoption of secure development practices. Potential developments may include advanced input validation, AI-driven defenses, improved browser security features, and more extensive security training for developers.<\/p>"},{"question":"How can proxy servers help with Cross-site scripting (XSS) protection?","answer":"<p>Proxy servers can play a significant role in mitigating XSS risks. They can filter content, inspect encrypted traffic, analyze incoming requests, and implement Web Application Firewalls (WAFs) to detect and prevent XSS attacks. Proxy servers can also manage user sessions securely, reducing the risk of session hijacking.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/wiki\/476483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/wiki\/476483\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/media\/468044"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/media?parent=476483"}],"curies":[{"name":"\u53ef\u6e7f\u6027\u7c89\u5242","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}